Damon McMahon wrote:
> Perhaps my understanding of ieee80211(9) and isakmpd(8) is awry?
> I have a simple WLAN setup, where there is a combined internet
> gateway/wireless AP, and several wireless nodes. I want each wireless
> node to be able to connect to all others for file sharing, etc and the
> connection should be over an IPsec layer.
> I can think of two ways theoretically to do this:
> 1. Configure each host to establish an IPsec tunnel directly with the
> other - i.e. peer-to-peer at the IP layer, although my understanding
> of ieee80211(9) is that the connection would still be bridged through
> the AP at the data-link layer.
yes. the AP will forward traffic between the stations by default.
there's currently no button to disable this behavior in openbsd
("intra-bss" blocking).
> 2. Route these connections through the access point at the IP layer,
> since they're already being bridged through the AP at the data-link
> layer.
2a) for example, on the accesspoint:
- set the ap configuration, ip address and the
aliases for each interface
ap# cat /etc/hostname.ath0
inet 10.0.0.1 255.255.255.252 10.0.0.3 \
nwid MyAP nwkey ipsecinside \
media autoselect mode 11b mediaopt hostap
inet alias 10.0.0.5 255.255.255.252 10.0.0.7
inet alias 10.0.0.9 255.255.255.252 10.0.0.11
- set the flows for each peer. any direct communication
between the peers and the gateway will be bypassed (not
encrypted) to allow the ISAKMP key exchange (a more
complicated version is possible, i.e. with additional
static flows, the "proto" keyword, ...)
ap# cat /etc/ipsec.conf
# peer1: 10.0.0.0/30, ap 10.0.0.1, station 10.0.0.2
flow esp out from 10.0.0.1 to 10.0.0.2 type bypass
ike passive esp from 10.0.0.0/30 to any peer 10.0.0.2 \
dstid peer1.wlan.local
# peer2: 10.0.0.4/30, ap 10.0.0.5, station 10.0.0.6
flow esp out from 10.0.0.5 to 10.0.0.6 type bypass
ike passive esp from 10.0.0.4/30 to any peer 10.0.0.6 \
dstid peer2.wlan.local
# peer3: 10.0.0.8/30, ap 10.0.0.9, station 10.0.0.10
flow esp out from 10.0.0.9 to 10.0.0.10 type bypass
ike passive esp from 10.0.0.8/30 to any peer 10.0.0.10 \
dstid peer3.wlan.local
- start isakmpd and load the flows and SAs
ap# isakmpd -K
ap# ipsecctl -vf /etc/ipsec.conf
- and the interesting lines in /etc/pf.conf:
pass in on ath0 inet proto udp to (ath0) port isakmp keep state
pass in on ath0 inet proto esp to (ath0)
pass in on ath0 inet proto icmp to (ath0) icmp-type echoreq keep state
2b) ...and on the first wireless station:
- the ip address configuration
peer1# cat /etc/hostname.ath0
inet 10.0.0.2 255.255.255.252 10.0.0.3 \
nwid MyAP nwkey ipsecinside
- two lines of ipsec configuration. i use "dynamic" mode for
wireless nodes to enable DPD (dead peer detection). this improves
reconnection if the station lost wireless connectivity to the ap.
peer1# cat /etc/ipsec.conf
flow esp out from 10.0.0.2 to 10.0.0.1 type bypass
ike dynamic esp from 10.0.0.0/30 to any peer 10.0.0.1
- route everything through the ipsec gateway
peer1# cat /etc/mygate
10.0.0.1
- exchange public keys, start the daemon and load rules
peer1# scp /etc/isakmpd/private/local.pub \
10.0.0.1:/etc/isakmpd/pubkeys/fqdn/$(hostname)
peer1# scp 10.0.0.1:/etc/isakmpd/private/local.pub \
/etc/isakmpd/pubkeys/ipv4/10.0.0.1
peer1# isakmpd -K
peer1# ipsecctl -vf /etc/ipsec.conf
> I'm not sure how to implement this either way and would appreciate
> some advice in this regard. I guess routing through the AP makes more
> sense as it will always be up whereas some of the nodes might be down
> at any given time?
> Any advice will be appreciated.
reyk
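As an added example (not part of reyk's mail), a POSIX sh script that generates the AP side of the layout above for any number of stations: one /30 per station carved in order from 10.0.0.0/24 (an assumption), AP at base+1, station at base+2, a bypass flow for the ISAKMP exchange and a passive ike line keyed on the station's FQDN identity. The nwid, nwkey and the peer FQDNs are the ones from the mail; everything else is constructed.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates the AP-side
# /etc/hostname.ath0 and /etc/ipsec.conf for N stations, one /30 each,
# carved in order from 10.0.0.0/24 (assumption): AP at base+1, station
# at base+2, broadcast at base+3, exactly as in the hand-written config.

# subnet_base I -> offset of the I-th /30 (I starts at 1): 0, 4, 8, ...
subnet_base() { echo $(( 4 * ($1 - 1) )); }

# gen_ap_ipsec_conf FQDN... -> ipsec.conf lines, one station per FQDN.
# The bypass flow leaves AP<->station traffic in the clear so ISAKMP
# (UDP 500) can negotiate; the passive ike line then waits for that
# station and checks its identity against pubkeys/fqdn/<FQDN>.
gen_ap_ipsec_conf() {
    i=1
    for fqdn in "$@"; do
        base=$(subnet_base "$i")
        ap="10.0.0.$((base + 1))"
        sta="10.0.0.$((base + 2))"
        printf 'flow esp out from %s to %s type bypass\n' "$ap" "$sta"
        printf 'ike passive esp from 10.0.0.%s/30 to any peer %s \\\n' "$base" "$sta"
        printf '    dstid %s\n' "$fqdn"
        i=$((i + 1))
    done
}

# gen_ap_hostname_if NWID NWKEY COUNT -> hostname.ath0: the first /30 is
# the primary hostap address, every further station gets an inet alias.
gen_ap_hostname_if() {
    nwid=$1; nwkey=$2; count=$3
    i=1
    while [ "$i" -le "$count" ]; do
        base=$(subnet_base "$i")
        ap="10.0.0.$((base + 1))"
        bcast="10.0.0.$((base + 3))"
        if [ "$i" -eq 1 ]; then
            printf 'inet %s 255.255.255.252 %s \\\n' "$ap" "$bcast"
            printf '    nwid %s nwkey %s \\\n' "$nwid" "$nwkey"
            printf '    media autoselect mode 11b mediaopt hostap\n'
        else
            printf 'inet alias %s 255.255.255.252 %s\n' "$ap" "$bcast"
        fi
        i=$((i + 1))
    done
}

# Usage: sh gen-ap.sh peer1.wlan.local peer2.wlan.local peer3.wlan.local
if [ "$#" -gt 0 ]; then
    gen_ap_hostname_if MyAP ipsecinside "$#"
    echo
    gen_ap_ipsec_conf "$@"
fi
```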