[linux-elitists] going IPsec

Eugen Leitl eugen@leitl.org
Sat Feb 1 06:54:23 PST 2003

I've got a somewhat multidomain question. While I subbed to diverse 
relevant lists I figured the place most likely to offer an answer is here.

Recently I've purchased an embedded linux wireless (IEEE 802.11b) router
(Allnet ALL9196; 149 EUR at the local ratty tech street -- the GUI and
option set are a dramatic progress since ALL129, a much inferior
predecessor product).

I want to run an open AP with it. The router allows me to restrict WLAN
access to a given machine on the WLAN/LAN while offering full Internet
access to anybody else. The authentication is probably MAC based, so it's
trivial to airsnort the MAC and h4x0r my LAN, which is a very soft white
underbelly on the inside. I don't think any of my neighbours is evil, but
it's a matter of principle.

I've got 4 machines on the LAN, one being an iBook. The linux router brick
is purported to tunnel IPsec (along with PPTP and L2TP). Jaguar's
Kame/racoon is purported to be interoperable with FreeS/WAN. The
beginnings of a plan: switch to obligate IPsec on internal LAN/one WLAN
machine (and facultative/opportunistic on Internet connections). I don't
have a static IP assigned by my ISP (only a DynDNS address -- the router
lets me enter two backup DNS machines), however I'm purported to be
able to do wildcard DNS on my web host (phpwebhosting.com, currently BIND
based; shell access but no root rights, obviously). The internal network
has one server running 24/7/365. The IPs on internal LAN are assigned via
DHCP, but the same MAC gets the same IP.

So what I'm thinking is I should set up a DNS server internally, and make
IPsec obligate on the LAN. After I've got it working I should use the BIND
access of phpwebhosting.com to set up an opportunistic IPsec for all
outgoing connections for the LAN (failing that, ask a friend with a
working DNS to publish my record for me).

So: 1) is this a good idear? b) will it at all work, eh.
