IPsec wifi link in ad-hoc mode - Networking


  1. IPsec wifi link in ad-hoc mode

    Hello.

    I set up my two laptops to communicate in wifi ad-hoc mode.

    One of the laptops (192.168.1.3) acts as a router and a DNS server for the
    other (192.168.1.4).

    As I don't want anybody to use my router as a gateway, I must secure it.

    I enabled a WEP encryption key between the two of them, but it's hardly
    extremely secure.

    So I set up an IPsec link between them; it works ok, but I don't know if
    it's enough to guarantee that nobody can hijack my connection, using my
    gateway to spam/spoof/etc.

    How can I make sure that only 192.168.1.4 connects to 192.168.1.3? Must
    I/can I do IP filtering? MAC addresses filtering?

    If yes, how do I do that?

    Thanks!

    --
    Fabrice DELENTE

  2. Re: IPsec wifi link in ad-hoc mode

    On Thu, 25 Sep 2008 17:51:28 +0000, Fabrice Delente wrote:
    > I set up my two laptops to communicate in wifi ad-hoc mode.
    >
    > One of the laptops (192.168.1.3) acts as a router and a DNS server for
    > the other (192.168.1.4).
    >
    > As I don't want anybody to use my router as a gateway, I must secure it.
    >
    > I enabled a WEP encryption key between the two of them, but it's hardly
    > extremely secure.


    Why not switch to TKIP/WPA or WPA2? As you're talking about laptops, this
    should be doable (it wouldn't if you had an old AP that only supports
    WEP).

    > So I set up an IPsec link between them; it works ok, but I don't know if
    > it's enough to guarantee that nobody can hijack my connection, using my
    > gateway to spam/spoof/etc.


    As long as the laptop acting as AP only accepts IPSec traffic (more
    specifically, authenticated IPSec traffic) you should be quite safe.
    However, wireless networks are still quite vulnerable to other types of
    attacks (for instance, even with WEP/WPA/WPA2, one can still force
    clients to disconnect even without prior knowledge of the keys).

    > How can I make sure that only 192.168.1.4 connects to 192.168.1.3? Must
    > I/can I do IP filtering? MAC addresses filtering?


    IP filtering and MAC address filtering are just small bandages and are
    easy to spoof.

    Wkr,
    Sven Vermeulen

  3. Re: IPsec wifi link in ad-hoc mode

    Sven Vermeulen wrote:
    > Why not switch to TKIP/WPA or WPA2? As you're talking about laptops, this
    > should be doable (it wouldn't if you had an old AP that only supports
    > WEP).


    I read things about wpa_supplicant but didn't get to understand if it's
    possible to use in ad-hoc mode.

    > As long as the laptop acting as AP only accepts IPSec traffic (more
    > specifically, authenticated IPSec traffic) you should be quite safe.


    None of the laptops is an AP. They are both in ad-hoc mode.

    Thanks!

    --
    Fabrice DELENTE

  4. Re: IPsec wifi link in ad-hoc mode

    On Fri, 26 Sep 2008 05:54:24 +0000, Fabrice Delente wrote:

    > I read things about wpa_supplicant but didn't get to understand if it's
    > possible to use in ad-hoc mode.


    Apparently it isn't made for ad-hoc mode usage.

    But your initial thought of using IPSec does provide a lot of security
    already. You can also try to use VPN solutions such as OpenVPN (which
    might be easier to manage than IPSec).

    Wkr,
    Sven Vermeulen

  5. Re: IPsec wifi link in ad-hoc mode

    Sven Vermeulen wrote:
    > But your initial thought of using IPSec does provide a lot of security
    > already. You can also try to use VPN solutions such as OpenVPN (which
    > might be easier to manage than IPSec).


    Setting up IPsec wasn't that hard; what I didn't understand is, if there is
    an IPsec link between 192.168.1.3 (the router) and 192.168.1.4, can a
    machine with IP 192.168.1.5 still connect to 192.168.1.3, and use its
    routing facilities?

    --
    Fabrice DELENTE

  6. Re: IPsec wifi link in ad-hoc mode

    Fabrice Delente writes:

    >
    > Setting up IPsec wasn't that hard; what I didn't understand is, if there is
    > an IPsec link between 192.168.1.3 (the router) and 192.168.1.4, can a
    > machine with IP 192.168.1.5 still connect to 192.168.1.3, and use its
    > routing facilities?



    We built an ad hoc network a few years ago. I think we had to
    broadcast all packets to work around the issue.

  7. Re: IPsec wifi link in ad-hoc mode

    Maxwell Lol wrote:
    > We built an ad hoc network a few years ago. I think we had to
    > broadcast all packets to work around the issue.


    I don't understand, could you explain what you mean?

    --
    Fabrice DELENTE

  8. Re: IPsec wifi link in ad-hoc mode

    Fabrice Delente writes:

    > Maxwell Lol wrote:
    >> We built an ad hoc network a few years ago. I think we had to
    >> broadcast all packets to work around the issue.

    >
    > I don't understand, could you explain what you mean?



    Well, normally a packet is received by the client when it is addressed
    to the client. If you are A, and want to send a packet to B that will
    forward it to C, you can't simply put C's IP address as the
    destination. B will never see it as the address doesn't match.


    But by setting the broadcast bit at the MAC layer, B will receive the
    packet, and see that it should go to C.

    It's been 5 years. I'm a little fuzzy on the details.

    Or else B had to be put in promiscuous mode, so it received all
    packets. It was something like that...



  9. Re: IPsec wifi link in ad-hoc mode

    Maxwell Lol wrote:
    > Well, normally a packet is received by the client when it is addressed
    > to the client. If you are A, and want to send a packet to B that will
    > forward it to C, you can't simply put C's IP address as the
    > destination. B will never see it as the address doesn't match.
    >
    >
    > But by setting the broadcast bit at the MAC layer, B will receive the
    > packet, and see that it should go to C.
    >
    > It's been 5 years. I'm a little fuzzy on the details.
    >
    > Or else B had to be put in promiscuous mode, so it received all
    > packets. It was something like that...


    Ok, thanks. However it's a technique I've never seen before, so I think I'll
    stick to something simpler :^)

    --
    Fabrice DELENTE

  10. Re: IPsec wifi link in ad-hoc mode

    Sven Vermeulen wrote:
    > But your initial thought of using IPSec does provide a lot of security
    > already.


    If I understood correctly, it provides security on the
    192.168.1.3<->192.168.1.4 link; that is, anybody wanting to talk to
    192.168.1.4 that has IP 192.168.1.3 won't succeed unless he identifies
    correctly through the IPsec layer, right?

    If yes, then my question is: will somebody connecting to 192.168.1.3 with IP
    192.168.1.5 be refused because he didn't use the IPsec link?

    --
    Fabrice DELENTE
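
Added example, not part of any post in the thread: one way to make the gateway 192.168.1.3 accept and forward only traffic that arrived through IPsec, the condition described in reply 2 and asked about in reply 10. It assumes a Linux gateway using iptables with the `policy` match, a wireless interface named `wlan0`, and an IPsec policy that already covers the traffic 192.168.1.4 sends through the gateway; none of this is stated in the thread.

```shell
#!/bin/sh
# Added example: wireless-side filter for the gateway 192.168.1.3.
WIFI_IF="wlan0"        # assumed name of the ad-hoc wireless interface
PEER="192.168.1.4"     # the one authorised client (address from the thread)

# Print the rules, one iptables argument list per line.
gateway_rules() {
    # IKE negotiation (only needed when a keying daemon sets up the SAs).
    printf '%s\n' "-A INPUT -i $WIFI_IF -s $PEER -p udp --dport 500 -j ACCEPT"
    # Encrypted ESP envelopes. The -s match only cuts noise: a source
    # address can be spoofed, IPsec authentication identifies the peer.
    printf '%s\n' "-A INPUT -i $WIFI_IF -s $PEER -p esp -j ACCEPT"
    # Decapsulated packets: accepted only if IPsec processing produced them.
    printf '%s\n' "-A INPUT -i $WIFI_IF -m policy --dir in --pol ipsec -j ACCEPT"
    # Anything else from the wireless side, such as plain traffic from
    # 192.168.1.5, is dropped.
    printf '%s\n' "-A INPUT -i $WIFI_IF -j DROP"
    # Routing: forward only what came in through IPsec ...
    printf '%s\n' "-A FORWARD -i $WIFI_IF -m policy --dir in --pol ipsec -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WIFI_IF -j DROP"
    # ... and never send forwarded replies over the air unencrypted.
    printf '%s\n' "-A FORWARD -o $WIFI_IF -m policy --dir out --pol none -j DROP"
}

# Load the rules into the running firewall (needs root).
apply_rules() {
    gateway_rules | while read -r rule; do
        # Unquoted on purpose: each line is a list of iptables arguments.
        iptables $rule || exit 1
    done
}

# Default: only show the rules. "apply" as first argument installs them.
if [ "${1:-}" = "apply" ]; then apply_rules; else gateway_rules; fi
```

With these rules, a host at 192.168.1.5 with no security association reaches neither the gateway's own services nor its routing, because its packets never match `--pol ipsec`.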
