IPSEC wireless router?

Not possible. 802.11 wireless is bridging by definition. No routing, IP addresses, or services (such as IPSec) involved. There's no other way to connect between wireless and wired devices other than bridging.

Now, you could isolate the wired and wireless part with a router, VPN, or filters, but that requires layer 3 services in addition to bridging.

Overkill. You have WPA encryption for the wireless. On top of that, you want to add VPN encryption. You don't really need both. WPA is enough.

The bigger they are, the harder they crash. How about this alternative? Use an access point, not a wireless router, for the wireless part of the puzzle. Use WPA encryption. Use a separate IPSec VPN router to terminate the tunnel. Netgear seems to have a good selection:

formatting link
There are lots of other wired VPN routers to choose from at around $100US. If you want your VPN termination, it's in the box. This will also allow you to be rather creative in locating the wireless access point and allow easy upgrades to the latest 802.11 acronyms.

There are products that sorta do what you want:

formatting link
formatting link
I don't think you'll like the prices.

Yes. The WRT54G can handle alternative firmware with VPN termination features. Sveasoft Alchemy includes PPTP VPN services, which is handy for Windoze clients as it comes with the operating system. IPSec is available in various custom builds. I'm too lazy to find these. Bug me if you need URLs.

Reply to
Jeff Liebermann

I am looking for something secure: hardware wireless router:

- one ethernet port dedicated to provider (DHCP and PPPOE capable)

- one LAN port which would be linked to some switch

- wireless repeater

BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to the LAN ethernet, but rather require any client to use IPSEC tunneling.

That's for home use; I am too lame to set up a Linux box, because I don't feel like setting up an IPSEC server, and had too many bad experiences with IDE disks on home-made routers (they usually crash after 2 or 3 years running 24/24).

I hope such a device should be available between 150 and 300 €.

Maybe there are some tutorials to convert some Linksys WRT this way? Or some D-Link with such native support?

Reply to
DEMAINE Benoit-Pierre

I know where you're going with that but why? You can use WPA on a WRT54G as long as your clients support it and given a strong password, that's going to suit pretty much all home users.

IPSec has limitations too; how were you planning on authenticating? Which EAP type were you going to use? EAP-MD5, for example, is easily dictionary crackable.

David.

Reply to
David Taylor

DEMAINE Benoit-Pierre wrote in news:43353ab0$0$24372$ snipped-for-privacy@news.free.fr:

I don't think you can do what you want. You can use an IPSEC tunnel between computers through the O/S such as Win 2K, XP, etc., and that's a VPN solution, software to software. You can have a software VPN client on a client machine with server software VPN implemented on a device such as a firewall appliance or a er such as a Watchguard, or others that fall into that category such as Sonicwall, Cisco and others; software client to server host VPN solutions such as AT&T Extranet; or you can have a hardware to hardware VPN solution, router to router.

formatting link
But some kind of a VPN solution between the wireless gateway device, such as a NAT router, and your wireless machines on the LAN is questionable. Maybe a VPN solution with a wireless Watchguard FW appliance or others and its client VPN software solution on the machines may work to protect a wireless LAN situation between the gateway device and the clients; I don't know.

You can check out the WG X5 series; I think that's around $300, but the VPN on the client machines costs extra. You can check out others too.

Duane :)

Reply to
Duane Arnold

I just want you to know that I am sitting out here in an Extended Stay inn using a dial-up direct connection to the Internet. Before implementing AnalogX's IPsec SecPol rules for configuring IPsec to act in a firewall-like manner, BlackIce was sounding off and blocking unsolicited inbound traffic. I have not been on a dial-up connection with a machine in several years and was surprised at the number of probes, scans and attacks being run against the machine, such as MS SQL Server, RPC, *NetBIOS*, etc., which BI was blocking and logging and alerting on things such as O/S fingerprinting. And I have some vulnerable applications running, such as IIS and SQL Server.

However, since implementing IPsec on the XP Pro machine and activating AnalogX's SecPol rules, with adjustments to the rules like allowing SMTP on TCP port 587 (because EarthLink uses port 587 and not 25) and configuring AnalogX's rules to block all the Windows Networking ports and other ports IPsec protects by default, such as TCP 135, only allowing that traffic in a LAN situation, BlackIce has not logged anything in the logs, barked, whined, or alerted, with IPsec supplementing BI.

I was using BI and IPsec to supplement the no-FW Linksys NAT router I was using. But until now, I was not aware of how powerful a solution IPsec is and its ability to be used in a FW-like manner to stop inbound or outbound traffic by port, protocol or IP; nothing is coming past it, *NOTHING* that would make BlackIce react.

I am very impressed with IPsec and its ability to supplement in a FW like manner.

formatting link
But just keep in mind I am not a guru like you are, and therefore, you can kiss my *ASS* about IPsec and anything else for that matter with your *tongue* hanging out.
Reply to
Duane Arnold
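What a filter-only IPsec policy of the kind Duane describes looks like when built by hand, as an added example that is neither the AnalogX SecPol rule set nor anything posted in this thread; it assumes Windows XP SP2 or Server 2003 (the versions with the netsh ipsec static context), a LAN of 192.168.1.0/24, and names of our own for every policy, filter list, action and rule.

```batch
REM Added example, not from the thread or from AnalogX: a filter-only IPsec
REM policy built with the "netsh ipsec static" context (Windows XP SP2 /
REM Server 2003). Assumed: LAN is 192.168.1.0/24; every policy, filter list,
REM filter action and rule name below is our own choice.
REM Windows IPsec applies the MOST SPECIFIC matching filter, so a permit
REM scoped to the LAN subnet overrides the broader any-to-me block.

REM 1. Filter actions: block, and permit in the clear (no negotiation).
netsh ipsec static add filteraction name="FA-Block" action=block
netsh ipsec static add filteraction name="FA-Permit" action=permit

REM 2. Windows networking ports from ANY source: block (the thread's TCP 135
REM    plus the NetBIOS/SMB ports). srcport=0 means any source port.
netsh ipsec static add filterlist name="FL-WinNet-Any"
netsh ipsec static add filter filterlist="FL-WinNet-Any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=135 mirrored=yes description="RPC endpoint mapper"
netsh ipsec static add filter filterlist="FL-WinNet-Any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes description="NetBIOS session"
netsh ipsec static add filter filterlist="FL-WinNet-Any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB over TCP"
netsh ipsec static add filter filterlist="FL-WinNet-Any" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=137 mirrored=yes description="NetBIOS name"
netsh ipsec static add filter filterlist="FL-WinNet-Any" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=138 mirrored=yes description="NetBIOS datagram"

REM 3. Same ports from the LAN only: permit (more specific, so it wins).
netsh ipsec static add filterlist name="FL-WinNet-LAN"
netsh ipsec static add filter filterlist="FL-WinNet-LAN" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=135 mirrored=yes
netsh ipsec static add filter filterlist="FL-WinNet-LAN" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes
netsh ipsec static add filter filterlist="FL-WinNet-LAN" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="FL-WinNet-LAN" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=UDP srcport=0 dstport=137 mirrored=yes
netsh ipsec static add filter filterlist="FL-WinNet-LAN" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=UDP srcport=0 dstport=138 mirrored=yes

REM 4. Mail: the ISP accepts submission on TCP 587 (from the thread), so permit
REM    587 out. Blocking 25 out is our own added choice, so nothing on the box
REM    can relay mail around the ISP's submission port. Unmatched traffic is
REM    permitted by default; the explicit 587 permit just records intent.
netsh ipsec static add filterlist name="FL-SMTP-587"
netsh ipsec static add filter filterlist="FL-SMTP-587" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=587 mirrored=yes
netsh ipsec static add filterlist name="FL-SMTP-25"
netsh ipsec static add filter filterlist="FL-SMTP-25" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=25 mirrored=yes

REM 5. Policy, rules, and assignment. Only one IPsec policy is active at a time.
netsh ipsec static add policy name="Home-Filters" description="Port filters only"
netsh ipsec static add rule name="Block WinNet from anywhere" policy="Home-Filters" filterlist="FL-WinNet-Any" filteraction="FA-Block"
netsh ipsec static add rule name="Permit WinNet from LAN" policy="Home-Filters" filterlist="FL-WinNet-LAN" filteraction="FA-Permit"
netsh ipsec static add rule name="Permit SMTP submission" policy="Home-Filters" filterlist="FL-SMTP-587" filteraction="FA-Permit"
netsh ipsec static add rule name="Block SMTP 25" policy="Home-Filters" filterlist="FL-SMTP-25" filteraction="FA-Block"
netsh ipsec static set policy name="Home-Filters" assign=y

REM 6. Check what is actually assigned.
netsh ipsec static show policy name="Home-Filters" level=verbose
```

As David points out later in the thread, this is filtering only: with permit/block actions there is no negotiation, so no authentication or encryption takes place, and non-IP protocols are untouched.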

It's not new Duane. All you're doing is blocking traffic by port. I'm surprised that it's new to you.

The main advantage of IPSec is the Sec part, i.e. security. Simply creating filters and a filter action like you are doing is the very very simplest start. What the original poster wanted was security which to do properly requires a PKI implementation. Then you get mutual authentication and encryption, none of which you have right now.

Been doing that for ages; it's not new, but it does have value. It's just not the friendliest interface for noddies to configure, and it doesn't provide any stateful inspection or application inspection, but yes, if all you want to do is set up block/allow filters, it's fine.

No need but keep reading, you'll learn as you go along. It fascinates me why you post what you do sometimes.

Just remember, IPSec is an IP only solution, if you have NWLink or NetBEUI installed and bound, you might just as well hand your PC over to Mr Hacker.

David.

Reply to
David Taylor

MOOT

Who cares about what the OP is talking about? This goes back to last week between you and me.

I've been using it for a couple of years, and that's after someone made me aware of it, so how can it be new to me? I have made posts about using IPsec as a supplement for a couple of years, so how can it be new to me? Hell, people who look for solutions in securing machines, and that's their job, don't know about using IPsec and its ability until I inform them about it. I already know about IPsec statefulness and other shortcomings. After all, IPsec is not FW software but can act in a limited FW-like manner to protect the Windows NT based O/S like Win 2K and up as a supplemental solution.

IPsec was not introduced to the Windows NT based O/S until Win 2K, so that someone could use it as a possible solution, particularly in the home or on-the-road situations. Many, many, many, many users of the Win 2K and up O/S(s) are not aware that it's even there. And many users *bitch* about the XP O/S FW not being able to stop outbound traffic. However, with the use of IPsec on the machine with the XP FW, IPsec can be used to supplement the XP FW and stop outbound traffic if need be.

What? Am I going to learn something from you? LOL I doubt it seriously.

What's the fascination? I have been doing it for years on the Internet for those I do not *RESPECT*. So guess what I don't have for you?

I think I mentioned the word *supplement* several times in my original post and in the post where you started going to left field on NWLink and NetBIOS.

Maybe you need to look up the word *supplement* and the meaning of the word, since you're such the guru and, I might add, a *university/college/boy -- ass-wipe*.

Why would someone need NetBEUI and NWLink on a dialup? However, some ISP(s) would bind NetBEUI on Win 2K and down when installing their software, like Netzero a few years back, and one knew to unbind it. And one uses NWLink in a LAN situation if needed, with something like a router sitting there and possibly IPsec as a *supplemental* solution.

And besides, if some end user does understand how to make filtering rules on any type of FW, such as a PFW solution, then IPsec is a piece of cake with the use of the AnalogX rules.

Really, I am not posting about IPsec to you in particular, but you do need your ass kicked about it up in my face with your *Bull Shit*. The post was for others who may be reading this post between you and me, so they understand that there is another element on the Win 2K and up O/S that can be used in a supplemental fashion to protect the machine. It can protect by port, protocol and IP, inbound or outbound, and is a powerful supplemental tool that has been made easy to use by the AnalogX SecPol rules.

Users are not aware of IPsec sitting on the O/S and what it can do in the protection of the Windows NT based O/S.

I have seen posts about IPsec being used as the only solution to protect the machine as a FW.
Reply to
Duane Arnold

DEMAINE Benoit-Pierre wrote in news:43361e4a$0$8933$ snipped-for-privacy@news.free.fr:

Well, there is nothing to say that one cannot hack the wireless and get to the wired LAN machines, or hack the wired ones and get to the wireless ones on the LAN. That's if you come right down to it. :)

Duane :)

Reply to
Duane Arnold

DEMAINE Benoit-Pierre wrote in news:43361cb9$0$22382$ snipped-for-privacy@news.free.fr:

It's simple with the AnalogX rules that can be implemented on the Win 2K, XP and Win 2K3 O/S(s). All one does is enable or disable the IPsec rules, say for instance for the HTTP server/client, SMTP server/client, NNTP server/client, etc., etc., and edit those rules and see what's being done and learn from them. Again, it's a piece of cake; even I can do it. ;-)

Duane :)

Reply to
Duane Arnold

Yes, I'm sure it's bridging.

That's the router section. Think of a "wireless router" as a "wireless access point" glued to an "ethernet router". If done in separate boxes, the ethernet output from the access point would go to one of the LAN inputs of the "ethernet router". When you set the IP addresses and all that, you're setting the router section. The only exception is that a stand-alone access point requires an IP address to do configuration and system settings. That IP address is only used for configuration and has nothing to do with the traffic.

Wanna bet? If you ignore the router part of the puzzle and just play with an access point, the IP address of the access point can be literally anything. In fact, that's exactly what I do on wireless systems where I don't want the users to tinker with the access points. I set the management IP address of the access point to something that's out of the usual 192.168.1.0/24 block.

Sorry. I don't understand what you're asking or saying.

That's why I suggested you separate the router function (with VPN) and the wireless function. When the next great exploits or new acronyms come out, you don't have to toss everything and start over.

Yawn. You're welcome to your own level of paranoia. However, if you run on that assumption, there isn't an operating system, application, or protocol that won't shortly be cracked by teenagers or university grad students.

Good luck. IPsec is no fun to set up. Lots of settings. Lots of potential incompatibilities between servers and clients. Lots of things to go wrong. To the best of my knowledge, nobody has a non-manual IPSec VPN setup.

I think you missed my point. 802.11 wireless is bridging. I still recall wireless access points that didn't have an IP address for configuration and had to be set via a serial port. There's no layer 3 stuff involved in bridging. That doesn't mean you have to set up your entire network without any routers, using just bridging. However, that's exactly the way a typical hot spot or home network is set up. The users bridge (encapsulate 802.3 ethernet inside 802.11 wireless packets) between client radios and the access point. The IP stack is in the client, not the wireless client. At the access point, it goes to a router, which deals with the IP addresses, routing, and such.

Most systems I've seen use a common /24 IP block for everything. If there's a VPN server in the system, the VPN server delivers an IP address through the tunnel to the client, which is used instead of the DHCP assigned IP address. I think that's what you're talking about.

Sigh. Good luck...

Reply to
Jeff Liebermann

Wireless router or ethernet router with VPN?

Wireless:

formatting link
formatting link
formatting link

There are plenty of ethernet routers with IPSec VPN terminations. Search Google or the major manufacturers for "VPN Router".

Reply to
Jeff Liebermann

DEMAINE Benoit-Pierre wrote in news:43361ddf$0$8933$ snipped-for-privacy@news.free.fr:

Well, the SuSE Linux that I use is using about that much RAM and disk space just to install. And I am not into mix, blend and roll your own.

Well, you have to have two valid end points; I don't care what O/S you're using. The VPN end points must be client to server software solutions. Or you can install the VPN client software solution on a machine and install the server solution as part of the firmware of a low-end wireless firewall appliance. But I don't think the VPN will apply for a LAN situation, period, wired or wireless, and is only for remote connections over the Internet with a client machine. However, you'll need to check on it. The other VPN solution is hardware to hardware -- router to router.

The only thing you might be able to do is an AD-HOC wireless solution on a gateway computer with wireless client machines using IPsec on the gateway server machine between the client machines. I don't think you're going to find a hardware VPN solution for the wireless machines on the LAN.

Duane :)

Reply to
Duane Arnold

Even if I buy WPA APs, few clients have it yet

WPA is not downward compatible with 802.11b ... IPSEC is, with any wireless card and any OS ... and will remain secure as long as SSL is not broken, whereas optimistic people think that WPA will be broken within 12 months.

I am not going to pay for WPA, which will soon be weak.

Exchange of the primary key can be done by email the day before my customer joins me, or on the first day using a transparent proxy that allows access only to HTTPS webmails ...

Or just hand in hand (aka oral confirmation that the signature of the key is really mine).

IPSEC can't be weaker than WPA, simply because, like WEP, WPA is limited by hardware, and a broken proto means you can throw out your devices, whereas IPSEC can be upgraded even on old machines, and keeps the network compliant with any other devices.

Reply to
DEMAINE Benoit-Pierre

IPSEC just rules where most other protos just sux.

ATM I never set it up myself, but from the tutorials I have read, it is non-trivial to set up (server side), but really claimed by everyone to be highly secure, and may be the only known REALLY secure layer to encapsulate VPNs.

Reply to
DEMAINE Benoit-Pierre

Could you stop trolling and talk about available wireless IPSEC DEVICES?

btw: clients will be Linux and BSD laptops ... so that even a Pentium (1) 150MHz with a PCMCIA1 802.11b adapter can still benefit from my secure wireless network, without need of those PCMCIA2 cards (which are not supported by old lappies), nor need of an OS that requires 256MB or even 2GB just to install ...

IPSEC support can be added to 8 years old BSD laptops !!!

Reply to
DEMAINE Benoit-Pierre

Some of my friends even use IPSEC on the wired LAN ... just in case someone spies on their LAN after hacking the gateway ...

atm, I /just/ want to secure wireless part of my home.

Reply to
DEMAINE Benoit-Pierre

Are you sure? Then what is my hand-configured gateway doing???

- 3 NICs

- 1 Wireless adapter ...

4 IPs, and clients on any network cannot even ping any IP other than the NIC of my gateway they are connected to ... not even the IP of the wireless card if they are on a wired NIC ...

What happens is that for simplicity, and dummy compliance, all manufacturers do bridge wireless to wired ... BUT in all firewalling tutorials, you will find that this kind of bridging DOES require to be activated ... aka is NOT available before you explicitly ask for it.

I already DID set up routing, and/or bridging, on x86 boxes ...

My actual question is: does any hardware router do that, including IPSEC?

That would mean setting up a dedicated gateway between wired and wireless, which would decrypt IPSEC connections; that is precisely what I am too lame to do myself.

WPA is hardware encryption: next year it will be broken = next year I can buy a new router, and ask all my clients to buy new cards ...

All we know about WPA is that it was secure yesterday ... and that when someone breaks it, you learn about it on forums only 6 months after all the teenagers have already cracked company networks ...

In France, such security breaches can lead people to jail, even put in jail the one who has been attacked.

- depends on (weak) WPA

- depends on an additional box

=> twice the storage devices + spinning disk + 2 systems + 2 supplies = 4 times more reasons to crash.

And my problem is that I WANT TO AVOID SETTING UP THE IPSEC SERVER MANUALLY.

Looks like you missed a point: I never said I want my networks to be in the same IP ranges ... would any admin want to keep all computers of the building in the same range? Who would be mad enough to try to keep transparent bridging between all computers? Who would try to interconnect more than 1000 computers on the same segment?

Even at home, it is out of order to have wireless in the same IP range as the wired LAN.

Honey pots will fill holes.

DHCP+DNS will make things transparent for users.

Reply to
DEMAINE Benoit-Pierre

Wait a week then visit

formatting link
and view their webcast on why VPNs (IPSec or otherwise) are in their opinion NOT the way to secure a WLAN.

IPSec isn't the only solution and as has been stated, doesn't secure anything other than IP, is a layer 3 protocol, doesn't encrypt broadcasts and requires that the network be subnetted.

David.

Reply to
David Taylor

I can see where he's coming from, he wants an IPSec driver on the wireless side of his router above the MAC bridge part of the wireless.

Reply to
David Taylor

That's generally the point of a thread, to discuss the original question! :)

Duane said "But until now, I was not aware of how powerful of a solution IPsec is and its ability to be used in a FW like manner"

Yes and many users complain that Windows is unstable after they've loaded a whole truck load of poorly written 3rd party device drivers.

Go back and read Duane, you mentioned IPSec protecting Netbios over NWLink. I can pick the post and requote it if you like?

Do you feel inferior, Duane, is that it? How was it in "the hood"?

David.

Reply to
David Taylor
