Background:

Wireless networks are nice, especially if you have a laptop. They are inherently insecure though. WEP can be easily cracked. There are papers all over the internet, as well as utilities that allow anyone running unix/linux to sniff about an hour's worth of packets, and recover a WEP key from them.

Under FreeBSD, the wireless network card support is evolving quickly compared to the speed of other aspects of the system. I determined that instead of buying a wireless access point for about $100, one could purchase a $35 wireless network card based on the prism chipset and use it almost exactly like a wireless access point. (I got the D-Link DWL 520 for Christmas. Note the DWL 520+ will not work, it is based on a TI chipset not currently supported by the wi driver)

I say almost because the driver currently does not support (at least in a stable manner) WEP when in access point mode (HOSTAP mode). If you use WEP in HOSTAP mode, but it will lock up the card and quite possibly the system.

The wi driver does support your most basic AP functionality, such as full 11mbps speed (selectable), but it can also work as a regular wireless network card. When running as a standard wireless network card (BSS mode), WEP is supported. (but I haven't verified it to work) This is nice because I am lucky enough to have a high speed ethernet source in my room, as well as access to a high speed wireless signal. This will allow me to run FreeBSD on the ethernet connection with the wireless card in HOSTAP mode, and if the ethernet dies, I can disable the HOSTAP mode and connect the server to the wireless signal. This redundancy is beautiful. (and yes, I do realize how lucky I am having 2 free sources of high speed internet ;)

Security:

WEP is useless. It doesnt' work with the wi driver (as of this writing), and it can be broken easily. There is another solution to WEP. IPsec is a much better form of encryption, and can be used in a manner very similar to WEP.

The system can be set up to only allow IPsec encrypted packets through on a certain interface via the firewall. For my setup, this interface is the wi0 interface (my $35 wireless network card). For those unfortunate ones who actually own a wireless access point, you can get a crossover cable and plug it directly into a network card in your unix machine, allowing you to run a secure IPsec wireless network.

From what I have read, IPsec tunnel mode is supported nativly in Windows XP and Windows 2K. You may need to download the latest high-encryption version of the most recent service pack. I have not tested windows 2K.

FreeBSD (server) Setup

In the Kernel:

In your kernel conf file, be sure you have :

compile, install, and reboot.

Required Ports:

Racoon is required to operate with windows. If you dont want to operate with windows machines, you can use a static key and not install racoon, but since this article is about operating with windows, install it!

cd /usr/ports/security/racoon

make install

make clean

place 'ipsec_enable=YES' in /etc/rc.conf. (configures the kernel's ipsec tables at starup)

For windows XP clients, In /etc/ipsec.conf:

spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec
esp/tunnel/192.168.17.100-192.168.17.106/require;
spdadd 192.168.17.106/32 0.0.0.0/0 ip4 -P in ipsec
esp/tunnel/192.168.17.106-192.168.17.100/require;

For windows 2K clients, In /etc/ipsec.conf:

spdadd 0.0.0.0/0 192.168.17.106/32 any -P out ipsec
esp/tunnel/192.168.17.100-192.168.17.106/require;
spdadd 192.168.17.106/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.17.106-192.168.17.100/require;

192.168.17.106 is my client, 192.168.17.100 is my server. You will need 2 lines like this for every client you use. This is known as a leaf-node tunnel setup. The lines read something like:

Traffic with a src address matching the mask 0.0.0.0/0 (any traffic) and a destination matching the mask 192.168.17.106/32 (only traffic to 192.168.17.106) should be handled by IPsec code, and sent down the tunnel specified by the source address 192.168.17.100 and destination address 192.168.17.106, and it should require encryption.

Notice there are 2 lines, one for incoming packets and one for outgoing packets.

In /usr/local/etc/psk.txt, you will place a secret key for each of the clients! This setup is most secure if you keep this passphrase a SECRET! If you are worried about users not keeping the passphrase a secret, you can use certificates instead, but that method is not covered here.

In /usr/local/etc/racoon.conf, you will configure the key exchange with a windows client.

Leave the Padding section alone. . You should comment out the lines not dealing with an anonymous connection, and change certain lines of the listen, anonymous, and timer sections to resemble these:

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        isakmp 192.168.17.100 [500];
        #admin [7002];          # administrative's port by kmpstat.
        strict_address;         # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 90 sec;
        phase2 60 sec;
}

remote anonymous
{
   exchange_mode main,aggressive,base;
   #doi ipsec_doi;
   situation identity_only;

   #my_identifier address;
   #my_identifier user_fqdn "sakane@kame.net";
   #peers_identifier user_fqdn "sakane@kame.net";
   ##certificate_type x509 "mycert" "mypriv";

   #nonce_size 16;
   lifetime time 1 hour; # sec,min,hour
   #passive off;
   #initial_contact on;
   #support_mip6 on;
   proposal_check obey; # obey, strict or claim

   proposal {
     encryption_algorithm 3des;
     hash_algorithm sha1;
     authentication_method pre_shared_key ;
     dh_group 2 ;
   }
}


sainfo anonymous
{
   pfs_group 2;
   lifetime time 30 min;
   encryption_algorithm 3des;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate ;
}

Now you can start racoon. Note, you should always have you kernel IPsec tables set up before you start racoon. Here's a script I wrote to start or restart racoon correctly:

#!/bin/sh
/usr/sbin/setkey -FP
sleep 1
/usr/sbin/setkey -F
sleep 1
/usr/sbin/setkey -f /etc/ipsec.conf
sleep 1
/usr/sbin/setkey -DP
sleep 1
/usr/local/etc/rc.d/racoon.sh stop
sleep 1
/usr/local/etc/rc.d/racoon.sh start
echo ""

You should also set up your /etc/syslog.conf to log output from racoon:

then run: touch /var/log/daemon-info.log

then run: killall -HUP syslogd to have syslog reload its config files.

you should also set up /etc/newsyslog.conf to rotate your new logfile:

Windows (client) Setup

Run the mmc, add the "IP Security Monitor" and "IP Security Policy Management" snap-ins. Right click on "IP Security Policies on Local Computer", choose "All Tasks", and "Create IP Security Policy".

In the wizard, enter a name for the new IP Security Policy, like "IPsec 802.11B link to Server". Do not "Activate the default response rule". Do "Edit Properties".

You are now presented with "IP Security Rules:" list. Click Add. Choose the tunnel endpoint option, and enter the IP address of your server (for me 192.168.17.100). Choose "All network connections" as the network type. Choose "Use this string to protect the key exchange (preshared key)" and enter the some_long_and_complex_passphrase you used above on your server.

You are now presented with a list of "IP filter lists". Click Add. Name the new filter something like "Outbound 802.11B traffic at home". Click Add to add a new filter. Choose "a specific ip address" and enter the IP address given to your wireless network card by dhcp on your server. (for me, 192.168.17.106). For the destination address, choose "Any IP Address". Protocol type should be any. Select 'edit properties'.

You are now presented with the properties of the "Outbound 802.11B traffic at home" filter. De-Select "Mirrored..." Click ok to accept changes. Click ok to complete your IP filter list. Select your new filter from the list of ip filter lists. Click next. Select 'Require Security', and click Edit. Security methods should be set to "Negotiate security". Remove all the methods from the list, and click add. Choose custom, and click settings. Turn off 'AH', Turn on 'ESP', and set integrity algorithm to 'sha1', and set Encryption Algorithm to '3DES'. Leave session key settings alone. Press OK to accept changes. At the bottom, make sure all 'Accept unsecured communications' are disabled, and OK again to accept security method.

You are again under the 'Require Security Properties' window. At the bottom, make sure all 'Accept unsecured communications' are disabled. Disable PFS. Click OK to accept security properties. Click next, and select finish.

You are now back to your server properties, showing the list of rules for your connection. You need to click add to add another rule for inbound traffic. Choose the tunnel option, and specify an ip address of your local wireless network card. (for me 192.168.17.106). Choose 'All network connections' as the network type. Enter the same preshared key. Add a new 'IP filter list', name it 'Inbound 802.11B traffic at home'. Its source address should be 'Any IP Address', and its 'Destination address' should be your IP address. (for me, 192.168.17.106) Choose Any for protocol, edit properties, and remove the mirrored option. Be sure 'Inbound traffic from server' is highlighted, and click next. Choose require security, and click next.

You should be back at your server properties again. Switch to the General tab. Set 'Check for policy changes every:' to 0 minutes. Click Advanced under key exchange settings. Disable PFS. For Authenticate and generate the new key after every, use 30 in the minutes box and 0 in the sessions box. Click Methods under 'protect identities with these security methods'. Remove all but "IKE 3DES SHA1 MEDIUM". Click OK, OK, OK and you are finished.

You should now have 2 IP security traffic rules, you can click apply and ok. Right click on your new security policy and choose assign. Now restart the IPsec service.

Notes

You should now be able to run the racoon startup script above, restart the windows IPsec service, and from a command box on the windows machine try to ping the server. You should see something like 'negotiating security', and then replies to your pings. (assuming I didn't leave anything out of this paper)

You should firewall all but IPsec packets using your firewall script. In mine, I blocked all clear IP packets accept the ones to handle DHCP serving, and allowed the esp packets through. Then I programmed my DHCP server with static IP addresses.

Both MD5 and SHA1 hash methods work, as well as DES and 3DES authentication methods. I chose SHA1 AND 3DES, because a quick scan on google groups showed SHA1 to be better than MD5.

You should make sure that you set the power management on both the client machines and the server. Using auto has caused problems in the past resembling a connection that works for a few seconds, and becomes very flaky. Currently I run both server and clients with powersave mode disabled.