This post has been encrypted by the IPsec encryption system…

There's definitely some computer dork stuff happening here… first is the current uptime on my webserver…. pretty interesting that I happened to catch it at just the right moment…

23:21:14 up 100 days, 0 min, 3 users, load average: 0.07, 0.02, 0.00

The second thing is that I think I've got a good setup going for securing my wireless network much more than it currently is… I'm in the process of setting up each legitimate wireless client to use IPsec tunnels to encrypt all of its traffic to the internet or my wired LAN… I hit a few hurdles, but I'm getting there… Everything's working right on my laptop in Linux, but I've yet to try to make it work in Windows… I think I need to make a different kind of cert for that. We'll see when I get there.

I hit two main snags. The first was that I forgot to modify my IPsec ruleset beyond my model ruleset (from the VPN at work), so it was only encrypting traffic directly between the laptop and the gateway box. Once I figured out that I was being too restrictive, a.k.a. not encrypting everything except the traffic destined to stay on the wireless subnet, I fixed the rules and things started working right. The second part I was having trouble with was the fact that my decrypted traffic was essentially hitting the firewall twice… it would pass through successfully as ESP, as intended, but once the packets were decrypted they were sent back through the firewall again and filtered, because they weren't IPsec or DHCP related. After a couple of hours of searching all over Google, I came across the magic newsgroup post… It mentioned that you could use the MARK target in iptables to mark the incoming ESP packets with a particular mark value, and also noted that each decrypted packet carries that same mark value. So, if you allow the regular packets carrying that mark value, the problem is solved! I was really pulling my hair out over that one…
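Here is a gateway ruleset, in iptables-save format, that applies the MARK trick described above. This is an added example, not the ruleset from the original post: the interface names (wlan0 for the wireless side, eth0 for the wired LAN, eth1 for the internet), the 192.168.2.0/24 wireless subnet and the mark value 0x1 are all assumptions made for the example.

```iptables
# Assumed layout for this example: wlan0 = wireless LAN (192.168.2.0/24),
# eth0 = wired LAN, eth1 = internet uplink.  Load with:
#   iptables-restore < ipsec-wireless.rules
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Tag every ESP packet that arrives on the wireless interface.  The kernel
# keeps the nfmark on the packet when it decrypts it, so the clear-text
# packet that re-enters the chains still carries 0x1.
-A PREROUTING -i wlan0 -p esp -j MARK --set-mark 0x1
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only unencrypted traffic the wireless side may send to the gateway:
# DHCP, IKE (UDP 500, plus UDP 4500 for NAT traversal) and ESP itself.
-A INPUT -i wlan0 -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp --dport 500 -j ACCEPT
-A INPUT -i wlan0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i wlan0 -p esp -j ACCEPT
# The decrypted copy of a tunnelled packet: same interface, no longer ESP,
# but still marked 0x1.  Without this rule the chain policy drops it, which
# is the "hitting the firewall twice" problem.
-A INPUT -i wlan0 -m mark --mark 0x1 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
# Forwarding: only decrypted (marked) packets may leave the wireless subnet
# for the wired LAN or the internet; anything sent in the clear is dropped
# by the FORWARD policy.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wlan0 -m mark --mark 0x1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
```

Two things worth checking after loading this: `iptables -t mangle -L PREROUTING -v` should show the ESP counter climbing while a client is talking, and the `--mark 0x1` rules in INPUT and FORWARD should climb with it; if only the ESP rule counts, the decrypted packets are not keeping the mark and they will still be dropped. On kernels and iptables builds that ship the policy match, the same thing can be done without the mark at all by matching the decapsulated packets directly with `-m policy --dir in --pol ipsec --proto esp`, which is the cleaner way to express "this packet arrived inside IPsec".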

Now that I've got it working as intended, I'm going to test it for a while to make sure it's stable, and then hopefully, I'll whip up some certs and get Joe's laptop on the encryption, and everything will be cool like the other side of the pillow. I could probably even open up the wireless LAN as a honeypot, and then mess with people that enter… Heheh…
