Re: [fw-wiz] VPN over Wireless (Was Re: "802.1x"?)

From: Erick Mechler (emechler@techometer.net)
Date: 12/20/02


From: Erick Mechler <emechler@techometer.net>
To: Lorens Kockum <firewall-wizards-20021015@tagged.lorens.org>
Date: Fri Dec 20 17:58:01 2002


:: I've been interested in setting up a wireless LAN for some time,
:: both office and home, Unix machines only, and since I do not
:: trust the security built into wireless protocols I'm looking at
:: creating multiple VPNs using ssh, at the expense of bandwidth.
::
:: My topologies are basically stars, I'm thinking VPN/DHCP server
:: on a firewall that has one wireless interface and one interface
:: on the copper wire, one RFC1918 class specifically for the "raw"
:: wireless network, and another for the secured network.

In the wireless network that I helped deploy at my last company, we took
this one step further and gave each wireless client their own /30. The
basic setup was thus:

  1. Unauthenticated wireless user gets a DHCP address on the
     unauthenticated wireless network (e.g., 10.1.1.2/30) with a default
     route of 10.1.1.1.
  2. Firewall rules on the BSD gateway only allow incoming ssh (and, of
     course, DHCP requests/replies).
  3. User then launches ssh and does PPP over ssh to the DHCP server, which
     then gives them a new interface on their box, 10.1.2.2/30. This is
     their "authenticated" IP address, traffic from which is allowed to be
     routed through the FreeBSD box. Authentication is taken care of using
     ssh keys.

:: Does anyone here have any comments on/experience with this kind
:: of solution? What bandwidth can one expect?

The solution worked well, even when roaming (all of our wireless access
points were on the same switched network feeding into the "wireless"
interface on the FreeBSD box). There was some latency involved with
tunnelling PPP over ssh, but it was still acceptable for our user base.
Our setup involved a mix of NetBSD, FreeBSD, MacOS X, and Linux clients.

The other thing to note is that for this to work, your gateway system is
going to have a pre-configured interface for every /30 you want to support.
I'm sure there's a finite number of these that you can have, so depending
on the number of users you're supporting, this might not scale.

Cheers - Erick
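The per-client /30 scheme and the gateway policy from the three steps above, as an added Python model (not the poster's configuration; the pool prefixes and the policy helper are constructed for illustration):

```python
"""Model of the per-client /30 scheme described in the post above.

Each client gets a /30 on the "raw" wireless network (via DHCP) and a
second /30 on the authenticated side (via PPP over ssh).  Gateway policy:
from the raw side only DHCP and ssh to the gateway are allowed; routing
is allowed only from the authenticated address.  Constructed example;
pool sizes are assumptions, not the original deployment's values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientSlot:
    raw_gateway: str   # DHCP default route on the raw /30
    raw_client: str    # DHCP-assigned client address on the raw /30
    auth_gateway: str  # gateway end of the PPP link
    auth_client: str   # client end of the PPP link: the "authenticated" IP


def plan_slots(raw_pool, auth_pool):
    """Pair up /30s from the two pools; one pair per supported client."""
    raw = ipaddress.ip_network(raw_pool)
    auth = ipaddress.ip_network(auth_pool)
    if raw.overlaps(auth):
        raise ValueError("raw and authenticated pools must not overlap")
    slots = []
    for r, a in zip(raw.subnets(new_prefix=30), auth.subnets(new_prefix=30)):
        rh, ah = list(r.hosts()), list(a.hosts())  # a /30 has two usable hosts
        slots.append(ClientSlot(str(rh[0]), str(rh[1]), str(ah[0]), str(ah[1])))
    return slots


def capacity(pool):
    """Number of /30s (clients) a pool yields: the scaling limit noted above."""
    return 2 ** (30 - ipaddress.ip_network(pool).prefixlen)


def gateway_permits(slot, src, dst, proto, dport):
    """Gateway policy for one client slot (modelled, not a real rule set).

    Raw side: only DHCP (udp/67, also from 0.0.0.0 before a lease exists)
    and ssh (tcp/22) to the gateway.  Authenticated side: any traffic,
    because the ssh key check already happened when the PPP link came up.
    """
    if src == slot.auth_client:
        return True
    if src in (slot.raw_client, "0.0.0.0") and proto == "udp" and dport == 67:
        return True
    return (src == slot.raw_client and dst == slot.raw_gateway
            and proto == "tcp" and dport == 22)
```

With a /24 per side this yields 64 client slots, which is the "finite number" of pre-configured interfaces the post warns about.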