IPSec Facto

I think I just won my Obsessive Geek spurs. Again. I appear to have forgotten to sleep last night. The cause of this? IPSec, the IP security protocol.

The seed of the pain was sown last week at the O'Reilly Open Source Convention, when the excellent Rob Flickenger explained exactly how easy it is to crack an 802.11b wireless network. With the appropriate amount of data to sniff, Rob managed to crack a 128-bit WEP protected network in around an hour.

I'd been vaguely toying with the idea of moving my 802.11b network outside of my firewall for a while, but this reminder lent some urgency to the notion. While in the States I also picked up a discounted 802.11b/g access point, so I could move my 802.11b network to be Managed, rather than the Ad-Hoc peer network it is now.

The plan, then, was to move the wireless network to be open and unencrypted and set up a tunnel into the wired network so I can get at my private servers. Simple? Not quite. Using ssh was out of the question, as I wanted easy interoperation with Windows machines and a genuine VPN: this is something my wife has to be able to switch on easily on her newly-received work WinXP laptop.

On the advice of a friend, IPSec seemed the obvious choice from this point on. The other choice would be the Point-to-Point Tunnelling Protocol, PPTP, but getting security on this requires the use of a proprietary Microsoft protocol.

Next stop was FreeS/WAN, an open source implementation of IPSec for building secure tunnels through untrusted networks. FreeS/WAN is in Debian GNU/Linux, which all my machines run. The prerequisite for running FreeS/WAN is either the recompilation and patching of the kernel or the compilation of a kernel module.

I wasted far too much time finding out that the FreeS/WAN in Debian stable is too out of date to be of practical use. Go for version 2.00 or better. I also lost quite a bit of time due to some error generating the X.509 certificates for the client side, but got that sorted out eventually. Extra complications were provided by the fact that the wireless network is NATted, and the endpoint in the wired network has a complicated firewalling setup.

At around 6.00am I finally successfully brought up a tunnel from the laptop to the wired gateway, and felt elation course through my veins. I then dipped down again as I discovered a routing problem which seemed to thwart me (for reasons unknown to me, FreeS/WAN sets up a couple of routes for 0.0.0.0/1 and 128.0.0.0/1 which break the default route on the wired machine, causing my entire network to drop off the Internet).
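Why a pair of /1 routes takes a machine off the Internet follows from longest-prefix matching: 0.0.0.0/1 and 128.0.0.0/1 together cover every IPv4 address, and each is more specific than the 0.0.0.0/0 default, so the default route is never consulted. The following Python is an added example, not code from the post or from FreeS/WAN; the route table and interface names are constructed to mirror the situation described, and the two functions are hypothetical helpers for checking a table for that shadowing effect.

```python
import ipaddress

# Constructed route table: the normal default route plus the two /1 routes
# the post says FreeS/WAN installed. Interface names are made up.
ROUTES = [
    ("0.0.0.0/0", "eth0-default-gw"),
    ("0.0.0.0/1", "ipsec0"),
    ("128.0.0.0/1", "ipsec0"),
]


def lookup(dest, routes=ROUTES):
    """Return the next-hop interface chosen by longest-prefix match, or None.

    This models what the kernel does: among all routes whose prefix contains
    the destination, the one with the longest prefix wins.
    """
    addr = ipaddress.ip_address(dest)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def default_route_is_shadowed(routes):
    """True if the more-specific routes together cover all of IPv4 space.

    collapse_addresses() merges adjacent prefixes; if everything except the
    /0 collapses back to 0.0.0.0/0, no destination can ever reach the default.
    """
    specifics = [ipaddress.ip_network(p) for p, _ in routes if not p.endswith("/0")]
    collapsed = list(ipaddress.collapse_addresses(specifics))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    for dest in ("8.8.8.8", "192.168.1.10", "130.0.0.1"):
        print(dest, "->", lookup(dest))
    print("default route shadowed:", default_route_is_shadowed(ROUTES))
```

Running it shows every destination, public or private, resolving to the tunnel interface and the default gateway never being selected, which is exactly the symptom described: traffic that should leave via the wired gateway is instead pushed into the tunnel. The same check is a useful sanity test to run against `ip route` output after bringing any VPN up.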

Time for 20 minutes sleep. Then awake with my wife, fix breakfast and recharge. The break helped me think through the last required kludges (which are far too boring to mention here, but are documented in several places), and I finally have a working setup for Linux-Linux tunnelling. I've yet to test whether it works on WinXP or not, but when I come to test it I'll be starting from much further on than I was before.

I've had the tunnel up all day, successfully using NFS mounted filesystems and browsing the web. The only trouble I had was with hitting a web site with multiple adverts on it, when a component of FreeS/WAN seemed to die due to an overload of DNS lookups.

FreeS/WAN's version number is currently in the 2.x series, which I think implies a little more stability than is the case. This technology appears to be still in development, on Linux at least. That said, I'm glad it exists and works!

It's conceivable I might have been better off not working through the night on this. Still, I now have secured access via my wireless network, and in the unlikely event people find themselves at a loose end in suburban York, they can now share my wireless internet.

Addendum: I'm keeping notes of the best FreeS/WAN/IPSec resources I've found.

You are reading the weblog of Edd Dumbill, writer, programmer, entrepreneur and free software advocate.
Copyright © 2000-2012 Edd Dumbill