I have attempted to use a pair of Linksys BEFVP41s to create a VPN link to secure the traffic between a pair of bridged WAP11s. It works, but not as securely as I had wanted.
I had been using the wireless bridge for about 4 years to connect two buildings using a pair of Linksys WAP11s. The throughput is fairly solid at about 3.2Mb/s. So far it's worked very reliably and I've only needed to replace a couple of them after becoming fried by the occasional lightning storm.
The WAP11 2.2 (my favourite) can support 256 bit WEP encryption, but this is becoming insufficient and I would like to add another layer to secure it further. I have tried alternative bridges including the WAP54 and the D-Link DWL900AP, but neither worked as well as the WAP11s.
I noticed that a pair of Linksys BEFVP41 routers can be linked through a VPN connection and reasoned that I should be able to use them to encrypt the traffic between the two buildings. The system was configured as follows:
Building 1 has a Draytek 2600 router that provides the Internet connection and manages a 192.168.1.x network with about 15 PCs in a Windows Workgroup. Building 2 has a 192.168.2.x network with about 6 PCs. The WAP11s are connected to the WAN ports of the BEFVP41s and the external addresses are all on a 192.168.10.x network.
Building 1:
- Uses the network block 192.168.1.x
- The LAN address of the first BEFVP41 occupies address 192.168.1.235
- The WAN address of the first BEFVP41 occupies address 192.168.10.1
- Connecting to this WAN port is the first WAP11 on address 192.168.10.20
- The BEFVP41 here is configured as a router

Building 2:
- The WAP11 here is bridged to the first building and occupies address 192.168.10.25
- This is connected to the WAN port of the second BEFVP41 that occupies address 192.168.10.2
- The LAN port is configured to 192.168.2.1 and the DHCP server manages the connections for the local machines.
- The BEFVP41 here is configured as a gateway
The two BEFVP41s have a VPN bridge configured that links the local secure group of 192.168.1.x to the remote secure group of 192.168.2.x. This connects and establishes a successful VPN link and I see traffic in the VPN log. The Draytek 2600 router in building 1 is configured to route any traffic on 192.168.2.x and 192.168.10.x through the first BEFVP41 at 192.168.1.235.
Everything works, except that if you change the pre-shared key on the VPN link, the link continues to work. Internet access from building 2 is unaffected, but it is then not possible to connect to the machines on the local network in building 1. Restoring the correct VPN passwords allows everything to work again as before.
Is it possible to force all traffic to use the VPN link exclusively? This would mean that a "man in the middle" attack would have to negotiate the VPN link to gain access to the network in either building.
Alternatively, is there a box (at the right price) that can encrypt all traffic and transparently bridge to a second box? I prefer not to use PC solutions for managing networks if possible.
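The behaviour described above (the link keeps working after the pre-shared key is changed) is a fail-open tunnel: when the IPsec security association is absent, packets between 192.168.1.x and 192.168.2.x are still forwarded across the WAP11 bridge, only now in clear. Before changing the routing, it helps to be able to confirm what is actually crossing the 192.168.10.x segment. The script below is an added example, not from the original post or from Linksys; it assumes flow records captured on that segment (for example from a port that mirrors the link into the WAP11) in a constructed (src, dst, ip_proto, dst_port) form, and classifies each record as tunnel traffic (ESP or IKE between the two BEFVP41 WAN addresses), an inter-site cleartext leak, or other traffic. The sample flows are constructed for illustration.

```python
"""Detect cleartext inter-site traffic on the wireless bridge segment.

The two BEFVP41s carry traffic between 192.168.1.0/24 and 192.168.2.0/24
inside an IPsec tunnel whose endpoints are their WAN addresses
(192.168.10.1 and 192.168.10.2).  Anything between the two site LANs that
appears on the 192.168.10.x segment as plain IP rather than ESP has gone
around the tunnel, which is exactly the fail-open case described in the post.

Assumptions (not from the original post): records are taken from a capture
on the 192.168.10.x segment and arrive as Flow tuples; the record format and
the sample data below are constructed for this example.
"""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Optional

SITE1 = ipaddress.ip_network("192.168.1.0/24")   # building 1 LAN
SITE2 = ipaddress.ip_network("192.168.2.0/24")   # building 2 LAN
# WAN addresses of the two BEFVP41s, i.e. the IPsec peers (from the post).
VPN_PEERS = {
    ipaddress.ip_address("192.168.10.1"),
    ipaddress.ip_address("192.168.10.2"),
}

ESP = 50            # IP protocol number for IPsec ESP
UDP = 17
IKE_PORTS = {500, 4500}   # IKE, and UDP encapsulation used with NAT traversal


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int                 # IP protocol number
    dport: Optional[int] = None


def classify(flow: Flow) -> str:
    """Return 'tunnel', 'leak' or 'other' for one captured flow.

    'tunnel': ESP or IKE exchanged directly between the two VPN peers.
    'leak':   plain IP between the two site LANs, i.e. traffic the tunnel
              should have carried but did not.
    'other':  everything else (e.g. building 2 Internet traffic, which the
              post says is not carried by the tunnel anyway).
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in VPN_PEERS and dst in VPN_PEERS:
        if flow.proto == ESP or (flow.proto == UDP and flow.dport in IKE_PORTS):
            return "tunnel"
    inter_site = (src in SITE1 and dst in SITE2) or (src in SITE2 and dst in SITE1)
    if inter_site:
        return "leak"
    return "other"


def find_leaks(flows: Iterable[Flow]) -> List[Flow]:
    """Flows that crossed the bridge in clear although they are inter-site."""
    return [f for f in flows if classify(f) == "leak"]


def summarize(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count flows per class; a non-zero 'leak' count means the tunnel failed open."""
    counts = {"tunnel": 0, "leak": 0, "other": 0}
    for f in flows:
        counts[classify(f)] += 1
    return counts


# Constructed sample capture from the 192.168.10.x segment.
SAMPLE_FLOWS = [
    Flow("192.168.10.1", "192.168.10.2", UDP, 500),   # IKE negotiation between peers
    Flow("192.168.10.2", "192.168.10.1", ESP),        # encrypted payload, as intended
    Flow("192.168.2.17", "198.51.100.9", 6, 80),      # building 2 web traffic to the Internet
    Flow("192.168.2.17", "192.168.1.50", 6, 445),     # SMB across the bridge in clear: leak
    Flow("192.168.1.50", "192.168.2.17", 1),          # ICMP reply in clear: leak
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    for leak in find_leaks(SAMPLE_FLOWS):
        print("cleartext inter-site flow:", leak)
```

If the capture shows only ESP and IKE between the two WAN addresses while both LANs can still reach each other, the tunnel is doing its job; any `leak` entries mean there is a route or policy that forwards inter-site packets outside the tunnel, and the fix is to make that path fail closed (for example, a rule on the WAN side that drops plain 192.168.1.x/192.168.2.x forwarding) rather than to rely on the VPN being up.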