ENOSIG Discussie (threads)



WiFi, IPSEC


Hi,

(shortened Dutch text after the English)

My ADSL Internet connection in Luxembourg has at last been delivered,
so I configured the WiFi network I have installed there.

I decided to explicitly have _no_ (sense of) false security at the
network (radio) level (no WEP, open Access Point, etc), and to rely on
IPSEC instead:

 - Have the inner hosts deliver everything through IPSEC to the
   router.

 - Filter out on the inner hosts and the router everything except
   IPSEC traffic and IPSEC negotiation traffic. I permitted non-ipsec
   ssh connections too, as well as (temporarily, to make testing
   easier) non-ipsec ICMP traffic.



The configuration on the GNU/Linux hosts went pretty well, the main
difficulty was that documentation was quite fragmented: The Debian
package comes with enhancing patches applied, those patches are
documented separately, thus the administrator must do his own
merging. I was already running my own X.509 CA, this helps.


Mayhem came from the Windows 2000 host.

First, it complained that it couldn't find a valid certificate for the
computer. But I had imported that damn certificate, with the private
key and all. It was in the "computer certificates" (not the "user
certificates"), the UI said "this certificate is valid", "you have the
secret key for this certificate". I checked and cross-checked that the
valid period was included in the CA's valid period, etc. To no
avail. I thought that maybe it was refusing the *peer*'s
certificate. I checked and cross-checked there. Changed a
trillion-zillion parameters, tried again, ... Well, finally this is
the story:

   I, naive fool, had simply double-clicked on the certificate to
   import it. Imported it had been, but in the "user certificates". So
   I moved it to the computer certificates. Now, listen closely: That
   excuse for an operating system decides it is OK to "lose" the
   secret key when certificates are moved from one "repository" to
   another, but to STILL proudly say "You have the secret key for this
   certificate". Duh. Importing the certificate directly in the
   "computer certificates repository" (thus going in the repository,
   choosing "import" from there, and providing the path to the file)
   did the trick.

I lost a full day because of this stupidity.

Second, I could convince it to negotiate an IPSEC session with the
destination host it is trying to contact (e.g. www.debian.org), but
not with the router (unless the router was the destination,
obviously). Any amount of clue is welcome. I'm considering hiring a
consultant, because Microsoft Windows is really starting to get on my
nerves.


So, as a conclusion, if anyone wants details and example config files
for a similar config, just ask.

Praises like "You are deploying IPSEC? Cool, man" are welcome too ;-)

====================================================================

(As always, corrections of grammar, style, vocabulary and spelling are
welcome. I want to learn.)

My ADSL Internet connection in Luxembourg has arrived, so I have
installed my WiFi network. I have decided not to use WEP but IPSEC
(IPSEC is better anyway): the only non-IPSEC connections my machines
handle are ssh.

Installation on the GNU/Linux machines was not too difficult, but I
did have to read several different pieces of documentation.

Mayhem came from the Windows 2000 machine.

First, it would not use the certificate. I had first imported the
certificate into the user certificates, and then placed it in the
computer certificates. But then Windows loses the secret key, yet
still says "You have the secret key for this certificate". Placing it
directly into the computer certificates (from the file) works. I lost
a whole day over that...

Second, I could configure IPSEC with the end server, but I could not
configure IPSEC with the router.


Conclusion: if anyone wants to know more and/or wants my configuration
files for a similar configuration, they know where to ask.


P.S.: What is the adjective for "of Luxembourg"? Ispell does not like
      "luxemburgisch". It does know "Luxemburger", but that is for a
      person, not a thing, or is it?
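The "IPSEC only, plus ssh and (temporarily) ICMP" host filter described at the top of the post, written out as an added example that is not the poster's own config: a small policy table that classifies constructed packets and renders the equivalent iptables INPUT rules. The protocol numbers and ports are the standard ones (ESP 50, AH 51, IKE on udp/500, ssh on tcp/22); the chain name and the packet model are assumptions of this example.

```python
from dataclasses import dataclass

# Standard values: IPsec payload protocols and the IKE negotiation port.
ESP, AH = 50, 51
IKE_PORT = 500        # IKE (IPsec negotiation) runs over UDP/500
SSH_PORT = 22         # the explicit non-IPsec exception from the post


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (assumption of this example)."""
    proto: str          # "esp", "ah", "udp", "tcp" or "icmp"
    dport: int = 0      # destination port for udp/tcp, 0 otherwise


def policy(allow_icmp: bool = True):
    """Ordered allow rules; a packet matching none of them is dropped."""
    rules = [
        ("ESP (IPsec payload)", lambda p: p.proto == "esp"),
        ("AH (IPsec payload)", lambda p: p.proto == "ah"),
        ("IKE negotiation", lambda p: p.proto == "udp" and p.dport == IKE_PORT),
        ("plain ssh (explicit exception)",
         lambda p: p.proto == "tcp" and p.dport == SSH_PORT),
    ]
    if allow_icmp:      # the temporary testing exception; drop it once IPsec works
        rules.append(("ICMP (temporary)", lambda p: p.proto == "icmp"))
    return rules


def decide(pkt: Packet, allow_icmp: bool = True) -> str:
    """Return ACCEPT or DROP for a packet under the post's filter design."""
    for _name, match in policy(allow_icmp):
        if match(pkt):
            return "ACCEPT"
    return "DROP"


def iptables_rules(allow_icmp: bool = True) -> list:
    """Render the same policy as iptables commands (INPUT chain assumed)."""
    cmds = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -p esp -j ACCEPT",
        "iptables -A INPUT -p ah -j ACCEPT",
        f"iptables -A INPUT -p udp --dport {IKE_PORT} -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {SSH_PORT} -j ACCEPT",
    ]
    if allow_icmp:
        cmds.append("iptables -A INPUT -p icmp -j ACCEPT")
    return cmds
```

Calling `iptables_rules(allow_icmp=False)` gives the ruleset to apply once the temporary ICMP exception is no longer needed.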



