I have attempted to use a pair of Linksys BEFVP41s to create a VPN link to
secure the traffic between a pair of bridged WAP11s. It works, but not as
securely as I had wanted.
I had been using the wireless bridge for about 4 years to connect two
buildings using a pair of Linksys WAP11s. The throughput is fairly solid at
about 3.2Mb/s. So far it's worked very reliably and I've only needed to
replace a couple of them after becoming fried by the occasional lightning
storm.
The WAP11 2.2 (my favourite) can support 256 bit WEP encryption but this is
becoming insufficient and I would like to add another layer to secure it
further. I have tried alternative bridges including the WAP54 and the
D-link DWL900AP but neither worked as well as the WAP11s.
I noticed that a pair of Linksys BEFVP41 routers can be linked through a VPN
connection and reasoned that I should be able to use them to encrypt the
traffic between the two buildings. The system was configured:
Building 1 has a Draytek 2600 router that provides the Internet connection
and manages a 192.168.1.x network with about 15 PCs in a Windows Workgroup
.. Building 2 has a 192.168.2.x network with about 6 PCs. The WAP11s are
connected to the WAN ports of the BEFVP41s and the external address are all
on a 192.168.10.x network.
BUILDING 1
Uses the network block 192.168.1.x
The LAN address of the first BEFVP41 occupies address 192.168.1.235
The WAN address of the first BEFVP41 occupies address 192.168.10.1
Connecting to this WAN port is the first WAP11 on address 192.168.10.20
The BEFVP41 here is configured as a router
BUILDING 2
The WAP11 here is bridged to the first building and occupies address
192.168.10.25
This is connected to the WAN port of the second BEFVP41 that occupies
address 192.168.10.2
The LAN port is configured to 192.168.2.1 and the DHCP server provides
manages the connections for the local machines.
The BEFVP41 here is configured as a gateway
The two BEFVP41s have a VPN bridge configured that links the local secure
group of 192.168.1.x to the remote secure group of 192.168.2.x. This
connects and establishes a successful VPN link and I see traffic in the VPN
log. The Draytek 2600 router in building 1 is configured to route any
traffic on 192.168.2.x and 192.168.10.x though the first BEFVP41 at
192.168.1.235.
Everything works. Except if you change the pre-shared key on the VPN link,
the link continues to work. Internet access from building 2 is unaffected
but it is then not possible to connect to the machines on the local network
in building 1. Restoring the correct VPN passwords allow everything to work
again as before.
Is it possible to force all traffic to use the VPN link exclusively? This
would mean that a "man in the middle" attack would have to negotiate the VPN
link to gain access to the network in either buildings.
Alternatively is there a box (at the right price) that can encrypt all
traffic and transparently bridge to a second box. I prefer not to use PC
solutions for managing networks if possible.
Thanks
Paul.
Using Linksys BEFVP41s to secure a WAP11 wireless bridge 
Linear Mode
