[Openswan Users] FreeSWAN, Wireless Windows 98/ME/2K/XP RoadWarriors, DHCP over IPsec - overview

Jeannot Langlois jlanglois at actares.com
Wed Jun 9 11:44:00 CEST 2004


Hi John,

John A. Sullivan III wrote:

>I'm sorry but I missed the initial e-mail for this thread.  What is your
>ultimate goal, Jeannot? Are you looking for an immediate solution or are
>you designing a product? I ask for two reasons.
Here's my original email; you might want to read it first to get a 
better idea about the situation.

http://lists.openswan.org/pipermail/users/2004-June/001118.html


We're both looking for an immediate solution and designing a product 
(and the six-month deadline will be reached in about a month).  The 
product is an embedded wireless Router/Access point which runs Linux and 
uses the NOCAT authentication system to authenticate users 
(http://www.nocat.net).  We've already implemented LDAP support in NOCAT 
and set it up for use with a separate LDAP server for authentication. 

In case you might be interested, here's a link to the sources of the 
(temporary) Actares fork of NOCAT, which will be integrated (by the 
NOCAT guys) into the main NOCAT source tree in the future (as Actares, the 
company I currently work for, is not really interested in maintaining 
NOCAT):


ftp://ftp.actares.com/pub/nocat-0.82-actares/nocat-0.82-actares.tar.gz
http://www.actares.com/nocat-0.82-actares.tar.gz


Now that the authentication process is fully functional, we're looking 
for an effective way to wrap all wireless communications occurring 
between each wireless client and the embedded Router/Access point in 
secured IPsec tunnels, so anything going over the air is encrypted in a 
much more secure way than WEP (which has been shown to be insecure) and WPA 
(which is vendor/firmware-dependent).

FreeS/WAN seems perfect for this task, as IPsec is a layer 3 protocol and 
doesn't depend on the particular hardware that is used.  However, we're 
expecting a few problems such as DHCP-over-IPsec and automatic tunnel 
"upping"/"downing" from the Router/Access point side.

I've got until July 1st to experiment with this and I am hoping to find 
a way to use freeswan to reach our goals...  I've been doing lots of 
reading and still expect to work lots :).

>First, one of the early extensions we have planned for the ISCS project
>(http://iscs.sourceforge.net) is a wireless gateway.  The idea is that
>one can allow wireless users to access any part of the WAN with their
>access control based upon any of a number of forms of extended
>authentication, i.e., not only IP address but X.509 certificate fields
>furnished via SSL or IPSec, Active Directory, NDS, LDAP, SecureID
>tokens, RADIUS.  If a cracker cracks their way into connecting to the
>AP, they still can't go anywhere unless they can furnish such extended
>authentication.  Conversely, when the wandering CEO fires up their
>wireless laptop in a remote office and calls screaming at the IT
>department because they forgot to tell IT about needing a particular
>access, IT can alter the configuration of both the end point where the
>CEO is and the other end point where the needed Resource is, safely,
>with minimal exposure to human error and in a matter of seconds.  ISCS
>is designed to handle thousands and perhaps tens of thousands of AP's
>from a centralized distribution point.  Since it is a three tiered
>solution (Policy Manager, Distribution Point, Policy Enforcement Point
>(AP)), the changes can be made through concurrent administrators located
>anywhere.  So, if your need is more long term and a part of product
>development, you may find ISCS very helpful.

Sounds interesting!  But it might be a little too much for the simple 
Router/Access point we're currently trying to build, I think...

>The second reason is that we have done a great deal of successful work
>with DHCP-over-IPSec and internal Roadwarriors.  We call the latter our
>GNOC configuration since, to protect our clients, all access from our
>GNOC's to our client sites is supposed to pass from our desktops to the
>gateway in encrypted form.  Thus, all the users on the inside of the
>gateway use IPSec clients.  We have posted our configurations (including
>the GNOC configuration) and slide shows for the set up in the training
>section of the ISCS home page (http://iscs.sourceforge.net).  I hope you
>find it helpful - John

This *definitely* interests me.  I'll have a look at your iscs website 
and look through those DHCP-over-IPsec configurations.


Thanks a lot for your input!
I'll get back to you if I have questions :).

Have a nice day,


-- 
Jeannot Langlois
Programmeur-Analyste / Software Developer
Administrateur Systeme/Reseau / System/Network Administrator
jlanglois AT actares DOT com


http://www.actares.com
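As an added illustration of the gateway side of the setup discussed in this message (example configuration written for this page; it is not Actares', NOCAT's or the original poster's configuration), here is an Openswan 2.x style ipsec.conf for the embedded Router/Access point that accepts IPsec from any wireless client holding a certificate from a trusted CA. The wireless interface name, the certificate file names, the distinguished names and the private ranges are all assumptions. DHCP-over-IPsec is not covered by this fragment; it needs the separate DHCP relay support the thread refers to.

```ini
# /etc/ipsec.conf on the wireless Router/Access point (example; all names assumed)
version 2.0

config setup
    # wlan0 is assumed to be the wireless interface the clients attach to (KLIPS style)
    interfaces="ipsec0=wlan0"
    nat_traversal=yes
    # Address ranges a roadwarrior may claim as its virtual/inner address
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn %default
    keyexchange=ike
    authby=rsasig
    pfs=yes
    keyingtries=3
    # Dead peer detection: when a laptop roams away or is switched off, the SA
    # is cleared on the AP side without any operator action
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

conn wireless-rw
    # The AP itself
    left=%defaultroute
    leftcert=apCert.pem                         # assumed file under /etc/ipsec.d/certs
    leftid="C=CH, O=Actares, CN=ap.example"      # assumed DN of the AP certificate
    leftrsasigkey=%cert
    # Everything beyond the AP is reachable only through the tunnel
    leftsubnet=0.0.0.0/0
    # Any wireless client presenting a certificate signed by the assumed CA
    right=%any
    rightrsasigkey=%cert
    rightca="C=CH, O=Actares, CN=Actares CA"     # assumed CA DN
    # Client may use its real address or a virtual one from virtual_private
    rightsubnet=vhost:%no,%priv
    # add = load and wait for the client to initiate; the AP never has to
    # bring tunnels up itself, which is the "upping" side of the problem above
    auto=add
```

With `right=%any` and `auto=add` the AP is purely responsive: each client initiates IKE when it associates, and the DPD settings in `%default` take care of the "downing" side by clearing the SA when the peer stops answering. The `leftsubnet=0.0.0.0/0` line is what forces the client to send all of its traffic through the tunnel; a client that negotiates only a narrower selector still has to be blocked by the AP's own firewall rules, which are outside this fragment.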