Mike Neir's Page
This post has been encrypted by the IPsec encryption system...

Thursday, May 13 2004, 11:37 PM

There's definitely some computer dork stuff happening here... first is the current uptime on my webserver... pretty interesting that I happened to catch it at just the right moment...

23:21:14 up 100 days, 0 min, 3 users, load average: 0.07, 0.02, 0.00

The second thing is that I think I've got a good setup going for securing my wireless network much more than it currently is... I'm in the process of setting up each legitimate wireless client to use IPsec tunnels to encrypt all of their traffic to the internet or my wired LAN... I hit a few hurdles, but I'm getting there... Everything's working right on my laptop in Linux, but I've yet to try to make it work in Windows... I think I need to make a different kind of cert for that. We'll see when I get there.

I hit two main snags. The first was that I forgot to modify my IPsec ruleset beyond my model ruleset (from the VPN at work), so it was only encrypting traffic directly between the laptop and the gateway box. Once I figured out that I was being too restrictive (the policy should encrypt everything except the traffic destined to stay on the wireless subnet), I fixed the rules and things started working right.

The second thing I was having trouble with was that my decrypted traffic was essentially hitting the firewall twice... the packets would pass through successfully as ESP, as intended, but once they were decrypted, they were sent back through the firewall again and filtered because they weren't IPsec or DHCP related. After a couple hours of searching all over Google, I came across the magic newsgroup post... It mentioned that you could use the MARK target in iptables to mark the incoming ESP packets with a particular mark value, and also noted that each decrypted packet carries that same mark value. So, if you allow the regular packets carrying that mark value, the problem is solved! I was really pulling my hair out over that one...
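Here's what the MARK trick looks like as a gateway ruleset. This is an added example, not the rules from the post or the newsgroup it mentions; the interface names (wlan0), the wireless subnet and the mark value 0x1 are assumptions. The decrypted packets re-enter PREROUTING/INPUT/FORWARD still stamped with the nfmark set on the ESP packet, so the "accept marked" rules must sit above the final DROP.

```shell
#!/bin/sh
# Added example: iptables rules for the wireless side of an IPsec gateway.
# Only IKE, ESP and DHCP are let in as plaintext; everything else from the
# wireless interface must arrive inside an ESP tunnel. Decrypted packets keep
# the mark stamped on the ESP packet, which is what lets them pass a second time.
WLAN_IF="wlan0"             # assumed: gateway's wireless interface
WLAN_NET="192.168.2.0/24"   # assumed: wireless subnet (constructed value)
ESP_MARK="0x1"              # assumed: nfmark set on ESP and inherited by decrypted packets

# Print the rules rather than applying them, so the ruleset can be reviewed
# (or checked by a test) without root or a netfilter-enabled kernel.
ipsec_wlan_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $WLAN_IF -p esp -j MARK --set-mark $ESP_MARK
iptables -A INPUT -i $WLAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WLAN_IF -p esp -j ACCEPT
iptables -A INPUT -i $WLAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $WLAN_IF -m mark --mark $ESP_MARK -j ACCEPT
iptables -A FORWARD -i $WLAN_IF -m mark --mark $ESP_MARK -j ACCEPT
iptables -A INPUT -i $WLAN_IF -s $WLAN_NET -j DROP
iptables -A FORWARD -i $WLAN_IF -s $WLAN_NET -j DROP
EOF
}

# Number of rules that pass already-decrypted traffic by its mark; a ruleset
# without these is the "filtered on the second pass" failure described above.
count_mark_accepts() {
    ipsec_wlan_rules | grep -c -- "-m mark --mark $ESP_MARK -j ACCEPT"
}

case "${1:-}" in
    --apply) ipsec_wlan_rules | sh -e ;;   # apply for real (needs root)
    *)       ipsec_wlan_rules ;;           # default: print for review
esac
```

Plaintext traffic that stays inside the wireless subnet is a matter for the IPsec policy (the first snag), not for these rules; the firewall only decides what the gateway accepts or forwards.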

Now that I've got it working as intended, I'm going to test it for a while to make sure it's stable, and then hopefully, I'll whip up some certs and get Joe's laptop on the encryption, and everything will be cool like the other side of the pillow. I could probably even open up the wireless LAN as a honeypot, and then mess with people that enter... Heheh...

Comments

Kate :: 05/14/2004, 10:47 am :: Reply

Seriously. Speak English.

Mike Neir :: 05/15/2004, 1:06 am :: Reply

Oh, that's English all right... just not English you'd recognize... :)

You'd probably do the same thing to me with your psychology speak... :P

Matt :: 05/14/2004, 3:34 pm :: Reply

Mmmmm geekspeak *drool*

hehehe, that's pretty cool Mike. I don't know many people who would spend time doing this stuff on their home network. I like the wireless honeypot idea. =)

I have another idea though... it should help put a stop to the kiddies driving around with netstumbler. Ok, so what you do is you set up this windows box, right? Then you put every stinking worm and virus you can find on it. Blaster, gaobot, sasser, netsky, etc. Even throw some of that network-propagating adware on it. You get the idea. Now when some kid drives by, sees your open wireless network... they could stop and try to check their mail, maybe sit there and poke thru your honey pot... all the while their unpatched laptop is being infected by the Microsoft diseases! Muahahahaha!

Ross S. :: 05/14/2004, 11:52 pm :: Reply

Don't forget to solicit your 'virus removal' services to certain residents after you have read the log files and seen them connect.

If they are using Windows you might as well throw in a 'Tune up' charge of about, oh, $200 or so and hit their box with a monkey wrench two or three times and tell them you have upgraded the flux capacitor. I'm telling ya man, those Windows users are cash cows. ;-)
