On Mon, 6 Feb 2006 23:49:50 +0000 (UTC), Christian Weisgerber wrote:

>Christian Weisgerber <[EMAIL PROTECTED]> wrote:
>
>> Okay, this is as good an opportunity as any to write down what I
>> did to my wireless a while ago:
>
>Meanwhile, ipsecctl has gained support for pre-shared key authentication.
>So in 3.9, things are simpler still:
>
>Configure dhcpd on the gateway (172.16.1.1) to always give the same
>address (172.16.1.99) to my laptop, based on its MAC address.
>
>Start up "isakmpd -K" on both machines.
>No isakmpd configuration. None.
>
>On the gateway, create a one-line /etc/ipsec.conf:
>
>ike esp from any to 172.16.1.99 psk "secretpassphrase"
>
>On the laptop, create a one-line /etc/ipsec.conf:
>
>ike esp from ral0 to any peer 172.16.1.1 psk "secretpassphrase"
>
>Run "ipsecctl -f /etc/ipsec.conf" on both machines.
>Congratulations, you have set up IPsec.
>
>Repeat the same procedure for additional wireless clients.  Wait a
>moment, you say, does that mean that two hosts on the wireless will
>talk to each other through the IPsec gateway rather than directly?
>That's right, but in infrastructure mode, i.e., if you use an access
>point, the packets already cross the air twice (host 1 -> AP ->
>host 2).  Looping them through the gateway doesn't add appreciable
>overhead.
>
>The wireless clients only need to talk ISAKMP (to authenticate and
>renegotiate keys) and ESP to the gateway.  Block everything else
>on the gateway:
>
>block return on $wlan all
>pass in on $wlan proto esp to $wlan keep state
>pass out on $wlan proto esp from $wlan keep state
>pass in on $wlan proto udp to $wlan port isakmp keep state
>pass out on $wlan proto udp from $wlan port isakmp keep state
>
>Actually, there is one more thing, and it's important.  With the
>setup above, you will run into MTU issues with hosts behind the
>gateway.  The symptom is that bulk data transfers _to_ the wireless
>host will be ridiculously slow or stall completely.  There must be
>a better way, but in the meantime TCP MSS clamping on the gateway
>works:
>
>scrub in on enc0 all max-mss 1318
>
>As far as pf is concerned, all decoded IPsec traffic is from the
>enc0 interface.  If you use the "antispoof" directive, make sure
>to add a pass rule for traffic on enc0.
>

I see no reason why you should be able to answer this question as I
don't expect you to know about how Windows does things, but on the
off-chance that you or a kind lurker does know: Is there a way to let
a client using XP connect as simply as that? Alternatively, as Windows
is rarely simple, a way to let XP connect to the same setup?

Thanks,
Rod/

>--
>Christian "naddy" Weisgerber                          [EMAIL PROTECTED]
>
>

From the land "down under": Australia.
Do we look <umop apisdn> from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
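The quoted recipe is a procedure with one moving part per wireless client: a fixed dhcpd lease, one "ike esp" line on the gateway per client address, one line on the client, and a pf ruleset that lets only ESP and ISAKMP cross the air and clamps MSS on enc0. The script below is an added example, not code from either poster; it generates every one of those fragments from a single client table so the gateway flow list and the dhcpd fixed addresses cannot drift apart (a client with a lease but no flow is silently cut off by the "block return on $wlan all" rule). The interface name ral0 for the gateway, the MAC addresses and the second client are constructed assumptions, and "secretpassphrase" is a placeholder to be replaced.

```sh
#!/bin/sh
# Added example: emit the dhcpd.conf host entries, both ipsec.conf files and
# the pf.conf fragment from naddy's recipe.  Assumptions: gateway 172.16.1.1,
# wireless interface name below, placeholder PSK, constructed client table.

GATEWAY=172.16.1.1
WLAN=ral0                 # assumption: the gateway's wireless interface
PSK='secretpassphrase'    # placeholder; use a long random passphrase
MAX_MSS=1318              # value from the original post; retune if your MTU differs

# Constructed sample data: name, MAC address, fixed address per client.
CLIENTS='laptop 00:11:22:33:44:55 172.16.1.99
tablet 00:11:22:33:44:66 172.16.1.100'

# Gateway /etc/dhcpd.conf: a fixed lease per MAC so each client always
# receives the address named in the gateway's ipsec.conf.
gen_dhcpd_hosts() {
    echo "$CLIENTS" | while read -r name mac ip; do
        printf 'host %s {\n\thardware ethernet %s;\n\tfixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done
}

# Gateway /etc/ipsec.conf: one ESP flow per client address, same PSK.
gen_gateway_ipsec_conf() {
    echo "$CLIENTS" | while read -r name mac ip; do
        printf 'ike esp from any to %s psk "%s"\n' "$ip" "$PSK"
    done
}

# Client /etc/ipsec.conf: everything leaving its wireless interface ($1)
# is tunnelled to the gateway.
gen_client_ipsec_conf() {
    printf 'ike esp from %s to any peer %s psk "%s"\n' "$1" "$GATEWAY" "$PSK"
}

# Gateway /etc/pf.conf fragment.  scrub comes first because pf.conf orders
# normalization before filter rules; the final pass on enc0 keeps decrypted
# traffic alive if an antispoof rule for the wireless net is added later.
gen_pf_rules() {
    cat <<EOF
wlan = "$WLAN"
scrub in on enc0 all max-mss $MAX_MSS
block return on \$wlan all
pass in on \$wlan proto esp to \$wlan keep state
pass out on \$wlan proto esp from \$wlan keep state
pass in on \$wlan proto udp to \$wlan port isakmp keep state
pass out on \$wlan proto udp from \$wlan port isakmp keep state
pass on enc0 all
EOF
}

# Run directly to see all fragments; copy each into its file on the right
# host, then "isakmpd -K" and "ipsecctl -f /etc/ipsec.conf" on every machine.
echo '# --- gateway dhcpd.conf host entries ---'; gen_dhcpd_hosts
echo '# --- gateway /etc/ipsec.conf ---';         gen_gateway_ipsec_conf
echo '# --- laptop /etc/ipsec.conf (ral0) ---';   gen_client_ipsec_conf ral0
echo '# --- gateway pf.conf fragment ---';        gen_pf_rules
```

The only per-client state is the CLIENTS table, so adding a wireless host is one new line plus a re-run of dhcpd and "ipsecctl -f" on the gateway; the client side keeps the single-line file from the post.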