IPSEC with multiple client OSes

jon at witchspace.com
Mon Sep 1 15:03:16 BST 2003


>> Windows 2000/MacOS X/FreeBSD to a FreeBSD server, since I was planning on
>> using it to beef up my 802.11 security.  It seemed nobody had, but after
>> having another go on Saturday I got it all sussed.  If anyone wants to
>> know how to do it, let me know and I'll tell you what I did.
>
> Now that would be an excellent thing to know - and possibly useful to have
> posted to the list so it goes in the archives ? I have a FreeBSD server

I didn't take any notes (and I'm terrible at writing docs :-) but I used

http://www.x-itec.de/projects/tuts/ipsec-howto.txt

to set up the FreeBSD client and server, and followed the (very sparse)
description of how to set up the Windows 2000 that's on the end.  This
may or may not be the same under Windows XP, I don't know.

I'd heard that MacOS X supported IPSEC but I couldn't find any information
about it, until a bit of googling suggested that MacOS X comes with
racoon and setkey out-of-the-box.  Once I'd confirmed it, I just copied
the FreeBSD config over and made the necessary few changes - easy ;-)

This document tells you how to run a script on boot:

http://developer.apple.com/documentation/Porting/Conceptual/PortingUnix/additionalfeatures/index.html

(Nice spin on rc.d.)

> and a couple of 802.11g clients - one OS X and the other Win XP, so I would
> definitely be interested in knowing how to make it work...
>
> BTW, will adding IPSEC stop ppl detecting the WEP keys and piggybacking
> onto my wireless LAN or does it only protect the actual data ?

Doesn't 802.11g have a choice of more secure encryption?  You should be
able to use that unless you want to share the link with 802.11b clients.

It will only protect the data (but that includes any passwords that are
sent over the link), but if you plug the wireless router into a different
network card you can block any traffic other than that from the allowed
hosts.  Spoofing won't help a would-be hacker, since the server will only
accept encrypted connections from those hosts.


--Jon

http://www.witchspace.com
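For the archives, here is a minimal example of the two config files the setup above relies on (setkey policies plus racoon.conf). This is an added illustration, not Jon's actual config or the one from the x-itec howto; the addresses, subnet and file paths are assumed, and the same files work on FreeBSD and MacOS X since both ship racoon and setkey.

```conf
# --- /etc/ipsec.conf on the FreeBSD server (loaded with: setkey -f /etc/ipsec.conf)
# Assumed layout: wireless router hangs off a dedicated NIC, server is 10.0.1.1,
# wireless clients live in 10.0.1.0/24.
flush;
spdflush;

# "require" is what makes the server refuse plaintext from the wireless subnet:
# any packet to/from 10.0.1.0/24 that is not ESP-protected is dropped, so a
# client that spoofs an allowed address but lacks the key gets nothing.
spdadd 10.0.1.0/24 10.0.1.1 any -P in  ipsec esp/transport//require;
spdadd 10.0.1.1 10.0.1.0/24 any -P out ipsec esp/transport//require;

# --- /etc/ipsec.conf on a client (e.g. MacOS X laptop at 10.0.1.20): mirror image
# flush; spdflush;
# spdadd 10.0.1.20 10.0.1.1 any -P out ipsec esp/transport//require;
# spdadd 10.0.1.1 10.0.1.20 any -P in  ipsec esp/transport//require;

# --- /usr/local/etc/racoon/racoon.conf (same on server and clients; path assumed)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # "10.0.1.1 <secret>" per peer, mode 0600

remote anonymous {
    exchange_mode main;            # main mode hides identities; aggressive mode leaks them
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;                   # perfect forward secrecy for the ESP keys
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Note that with a single pre-shared key on every laptop you cannot revoke one lost client without rekeying all of them; per-peer entries in psk.txt (or certificates) avoid that. The packet filter on the wireless NIC is still needed to stop the wireless side reaching anything other than the server.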