Domain: ebootis.de
Stories and comments across the archive that link to ebootis.de.
Comments · 10
-
Re:IPsec is great
Win 2K/XP has IPSec support built-in, but it was a nightmare to configure (I persume it will be easier if you use L2TP/IPSec...?).
But you can use the following utility, it's not as polished as those $80 clients but it does the job, it's basically a front-end to configure the IPSec for you based on a simpler config file:
http://vpn.ebootis.de/ -
I live in LA and I use no WEP
It's been mentioned already by many posters that WEP is insecure. Take a look at AirSnort for details, but basically, depending on the traffic of your network, you can be cracked in as little time as under a day.
Talk about a false sense of security.
WEP is completely disabled to reduce needless overhead on my AP. But I do run a certificate based relaying (See http://vpn.ebootis.de/ & http://www.freeswan.ca/ for details. So if you don't have the right certificate, you can't route any packets in or out of my wireless network.
Have fun cracking a 1024-bit RSA key. -
Re:POPTOP - Out of date report.
Uh, Super FreeS/WAN? I use it over the stock FreeS/WAN because it includes the nat-traversal, Delete SA, and x.509 certificate patches. Mind you, I also prefer SSH Sentinel over the braindead Win2k/XP IPSec stacks. Here's a link to a nice howto if you insist on using Windows builtin, even though SSH Sentinel's under $60 a head.
-
Re:Not so much a crisis...
Things like IPSEC and such do not work through nat without non-standard encapuslation and such.
AH won't work because the packets are being mangled, but ESP works just fine. I've set up dozens of Win2k--SuperFreeS/WAN links, many of them behind NAT.
-
Re:security?
While not having strong security out of the box is by no means acceptable for any hardware (or software for that matter) it's not altogether difficult to secure a wireless network given an intermediate level of networking experience. You can even do some really cool stuff with this setup if you have some programming skills.
My 802.11b network terminates directly into a linux firewall running freeswan with the Checkpoint client I stole from an old job. I understand that the ebootis package will also work.
I also run tinydns, dhcp, a transparent web cache/proxy and a webserver on the firewall.
Everyone is allowed access to the ipsec interface. People who are not authorized against the firewall who try to browse the net are directed to a page that asks for a password, which I freely give out to friends and neighbors. A cookie gets dropped on their browser to verify that they're authenticated for web browsing.
Anyone that remains unathenticated for more than 5 minutes gets their DHCP lease nuked, and they're blocked at the firewall.
It may sound overly complex, but the original basic system took about a weekend to get setup. The spiffy web authentication system took another couple of days fiddling around in the evenings.
The latest version of this system uses a fanless mini-itx motherboard and a 64M flash disk running the FW off of ramdisk. I used PeeWee Linux to get the basic system set up. I've taken my Linksys wireless unit apart, and crammed it into the same box as the Firewall, and with a little creative use of Big Red Buttons (tm) in the event of a FW compromise, I can reboot the entire thing and I'm back up and running with the clean ramdisk image. No fuss, no muss.
Client security on the XP and linux laptops floating around on the wireless network is left as an exercise to the user. (A mostly futile one in the case of XP)
Of course this obviously isn't a solution for everyone. My network consists of a whopping three internal machines (between the internet and the wireless firewalls), 2 firewalls (one internet facing, the other wireless facing) and 3 laptops. Certainly not a complex network by any stretch of the imagination. However there's not a chance in hell that my father would be able to pull something like this off. But, with a little creativity and a few skills, it's not too difficult to achieve a fair level of security. -
Re:Lawsuit, Linux VPN (details)
I don't really need server names, the main purpose is just for sharing certain files and/or IPX/SPX connections (for LAN games). No need for domain names as nobody will be using this connection to go anywhere but in.
I mean you need to send the WINS server info so you can get NetBIOS resolution. i.e. \\someserver instead of \\server.ip.address.here.
What are you doing to implement [Win2k x509 IPSec]?
This is where I got started. I was most confused when creating the certificates, and later (on win2k) when I realized that the software it asks you to install is just a wrapper for the code win2k already has.
-
Re:Commercial VPN client.....
What sucks is they dropped the commercial VPN client totally, the freeware version is still around (or was a couple weeks ago) but it only supports machine to machine, no machine to network connectivity, that was only in the commercial version.
That doesn't suck at all, unless you're using Win95/98. Win2k has built in IPSec and it works quite well with FreeS/WAN (I am using it every day). vpn.ebootis.de (funny name, great documentation) shows you how to patch FreeS/WAN to use X/509 certs, and how to generate the certs, and how to make win2k and FreeS/WAN play nice together. PGPNet for Win2k was a little bit of a goofy thing.
-
Re:IPSEC
First, "use IPSec" is easy to say, but have you ever actually set it up? It's far easier said than done.
<cough>bullshit<cough>
I just went through it. Linux-Linux IPSec is literally a walk in the park. Linux-Win2k IPSec is proving more difficult but not by much. The trick is to use x.509 certificates and use Win2k/XP's built in IPSec. vpn.ebootis.de has a little package which wraps around Win2k/XP's MMC and makes setting up certificate-based IPSec a walk in the park. The best part is that your server doesn't change as you add clients; you just add their public keys to your ipsec.d directory and tell ipsec to reread the dir.
-
Re:Security is the biggest issue...
#2. Use IPSec
Pros: Damn secure.
Cons: CPU intensive, limited software support outside of the OSS crowd.OSS only? Win2k has support for it in its default configuration. I use this procedure to get win2k to connect to my frees/wan gateway using x.509 certificates. Piece of cake (it looks convoluted but it really easy once you do it once or twice) to set up, and lets anybody (linux, windows, mac, anyone with IPSec and x.509) on in a secure fashion.
CPU intensive? Not that I'm aware of. I'm pushing about half a T1 to another frees/wan server using a P100 on one side and a P200 on the other. Now I imagine this scales less than linearly for each client that connects, but I've been pleased with the throughput of this little computer.
-
Useful Windows/Linux VPN link
Great info on using Windows 2000/XP with FreeS/WAN here: http://vpn.ebootis.de/.
We've been using a Win2K server as our VPN server up til now. It works well enough for the 3 to 4 people who use it regularly, plus my boss and myself. We've had some problems with DNS though. Sometimes when someone VPNs in it causes the server to resolve to the VPN client's IP, even though the DNS server is configured otherwise. Go figure...