>>BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN ethernet,
>
>
> Not possible. 802.11 wireless is bridging by definition. No routing,
> IP addresses, or services (such as IPSec) involved. There's no other
> way to connect between wireless and wired devices other than bridging.
Are you sure? Then, what is my hand-set-up gateway doing???
- 3 NICs
- 1 Wireless adapter ...
4 IPs
and clients on any network cannot even ping any IP other than the NIC of my gateway
they are connected to ... not even the IP of the wireless card if the client is on a wired NIC ...
What happens is that, for simplicity and dummy compliance, all manufacturers do
bridge wireless to wired ... BUT in all firewalling tutorials, you will find that this
kind of bridging DOES require to be activated ... aka it is NOT available before you
explicitly ask for it.
I already DID set up routing and/or bridging on x86 boxes ...
My actual question is: does any hardware router do that, including IPSEC?
> Now, you could isolate the wired and wireless part with a router, VPN,
> or filters, but that requires layer 3 services in addition to
> bridging.
That would mean setting up a dedicated gateway between wired and wireless, which would
decrypt IPSEC connections; that is precisely what I am too lame to do myself.
> Overkill. You have WPA encryption for the wireless. On top of that,
> you want to add VPN encryption. You don't really need both. WPA is
> enough.
WPA is hardware encryption: next year it will be broken = next year I can buy a new
router and ask all my clients to buy new cards ...
All we know about WPA is that it was secure yesterday ... and that when someone
breaks it, you learn about it on forums only 6 months after all the teenagers have already
cracked company networks ...
In France, such security breaches can lead people to jail, even putting in jail the one
who has been attacked.
> The bigger they are, the harder they crash. How about this
> alternative? Use an access point, not a wireless router for the
> wireless part of the puzzle. Use WPA encryption. Use a separate
> IPSec VPN router to terminate the tunnel. Netgear seems to have a
> good selection:
- depends on (weak) WPA
- depends on an additional box
=> twice the storage devices + spinning disks + 2 systems + 2 supplies = 4 times more
reasons to crash.
And my problem is that I WANT TO AVOID SETTING UP THE IPSEC SERVER MANUALLY.
> There's no other
> way to connect between wireless and wired devices other than bridging.
Looks like you missed a point: I never said I want my networks to be in the same IP
ranges ... Would any admin want to keep all the computers of the building in the same
range? Who would be mad enough to try to keep transparent bridging between all
computers? Who would try to interconnect more than 1000 computers on the same segment?
Even at home, it is out of the question to have wireless in the same IP range as the wired LAN.
Honey pots will fill holes.
DHCP+DNS will make things transparent for users.
--
DEMAINE Benoit-Pierre (aka DoubleHP )
http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
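An added example (not from this thread or its author) of what "routing, not bridging" between the wired and wireless segments looks like on a Linux gateway: each segment gets its own subnet, the gateway forwards nothing between them by default, and the only permitted wireless-to-wired path is traffic that arrived through an IPsec SA. Interface names (eth0, wlan0), subnets and the allowed ports are constructed assumptions, and it assumes an nftables/kernel recent enough to support `meta ipsec`.

```shell
#!/bin/sh
# Added example, not from the thread: nftables ruleset for a Linux gateway that
# ROUTES between a wired and a wireless segment instead of bridging them.
# Interface names, subnets and allowed ports are constructed assumptions.

# Print a ruleset; on the gateway, apply it (as root) with:
#   build_ruleset eth0 wlan0 192.168.1.0/24 192.168.2.0/24 | nft -f -
# Forwarding itself still needs: sysctl -w net.ipv4.ip_forward=1
build_ruleset() {
    wired_if=$1 wlan_if=$2 wired_net=$3 wlan_net=$4
    cat <<EOF
table inet gw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        # DHCP discover comes from 0.0.0.0, so it cannot be saddr-restricted
        iif $wlan_if udp dport 67 accept
        iif $wired_if udp dport 67 accept
        # wireless clients reach the gateway itself only for DNS and IKE/IPsec
        iif $wlan_if ip saddr $wlan_net udp dport { 53, 500, 4500 } accept
        iif $wlan_if ip saddr $wlan_net tcp dport 53 accept
        iif $wlan_if ip saddr $wlan_net ip protocol esp accept
        # wired clients reach the gateway for DNS and ping
        iif $wired_if ip saddr $wired_net udp dport 53 accept
        iif $wired_if ip saddr $wired_net tcp dport 53 accept
        iif $wired_if ip saddr $wired_net icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # the only wireless -> wired path: packets decapsulated from an IPsec SA
        # (meta ipsec needs a recent nftables/kernel; assumption for this demo)
        iif $wlan_if oif $wired_if ip saddr $wlan_net meta ipsec exists accept
        # nothing wired-initiated crosses into the wireless segment
        iif $wired_if oif $wlan_if counter drop
    }
}
EOF
}

# True if IF is enslaved to a bridge: the kernel then exposes a brport directory.
# Use it to check that the wireless NIC is NOT a bridge port on the gateway.
is_bridge_port() { [ -e "/sys/class/net/$1/brport" ]; }
```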