Hi,
so a few hours ago I was trying for the Nth time to debug the crappy
Windows IPSEC client I had settled on using (sleep/hibernation issues), so
I thought I'd check the lists to see if WPA was coming along.. It's rained
cats and dogs before, right? .. Damien has gotten around to it!!
So while my 5501 is building -current, I'm wondering if anyone has done any
throughput/load testing yet?
Will the CCMP implementation use the Geode's AES support (glxsb)?
Or will it use hardware in the wifi card (ral here) for the crypto?
I've gotten the setup to a point where I'm happy keeping my linux hosts off
the wire throughput-wise using IPSEC over the wifi. The Windows hosts are a
pain to maintain and set up, so ideally I'd like to move only them to WPA
while keeping the linux hosts doing bare IPSEC over the air.
Am I right in assuming this can't be done right now? You'd probably need
multiple SSIDs on one card to do this.. right?
Is there any point to still using IPSEC over a link that is already WPA'd,
from a security point of view? Given that they're both some form of PSK'd
AES..
At the moment I'm using pf + isakmp policies to make sure that only certain
IPs on the WLAN can talk to the LAN, while everyone can talk to the
internet. Is this still possible with a WPA-only setup??
How would I go about doing it, given that all WPA hosts share a single key?
Hmm.. Maybe IPSEC with only AH and no ESP? And then use pf to block non-AH
traffic from certain IPs. What is the performance impact of AH vs. no IPSEC
at all?
Thanks and please cc,
bbee
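As an added illustration (not part of the original post, and not anything bbee or the OpenBSD project shipped), here is a pf.conf sketch of the policy described above: every WLAN host may reach the internet, only a listed set of WLAN addresses may reach the wired LAN, and that LAN access is restricted to AH-authenticated packets, as the post speculates. Interface names (ral0, vr0, vr1), the address ranges and the trusted-host table are all assumptions made up for the example; the gateway is assumed to be the AH endpoint, so decapsulated packets appear on enc0 and are filtered there a second time.

```pf
# Added example, not from the original post: pf.conf sketch of
# "everyone on the WLAN gets internet, only trusted hosts get the LAN,
# and only with AH". All names and addresses below are assumptions.
wlan_if  = "ral0"            # assumed wireless interface
lan_if   = "vr0"             # assumed wired LAN interface
ext_if   = "vr1"             # assumed upstream interface
wlan_net = "192.168.2.0/24"  # constructed WLAN range
lan_net  = "192.168.1.0/24"  # constructed LAN range

# constructed list of WLAN hosts allowed to talk to the LAN
table <wlan_trusted> { 192.168.2.10, 192.168.2.11 }

set skip on lo
block log all

# any WLAN host may reach the internet, but never the LAN range directly
pass in  on $wlan_if from $wlan_net to ! $lan_net
pass out on $ext_if  from $wlan_net

# key exchange with the gateway (isakmpd) must still be reachable
pass in on $wlan_if proto udp from $wlan_net to ($wlan_if) port 500

# only AH from the trusted hosts is accepted toward the gateway endpoint;
# a host that knows the shared WPA key and merely spoofs a trusted IP
# cannot produce a valid AH ICV and is dropped here
pass in on $wlan_if proto ah from <wlan_trusted> to ($wlan_if)

# after AH verification the inner packet shows up on enc0:
# forward it to the LAN and let replies flow back to the same hosts
pass on enc0 from <wlan_trusted> to $lan_net
pass on enc0 from $lan_net to <wlan_trusted>
pass out on $lan_if from <wlan_trusted> to $lan_net

# AH replies from the gateway back to the trusted WLAN hosts
pass out on $wlan_if proto ah from ($wlan_if) to <wlan_trusted>
```

The point of the AH rules is the caveat raised in the post: with a single WPA pre-shared key, an IP-based pass rule on its own only checks a source address that any station on the WLAN can claim, whereas AH binds each packet to the per-host security association negotiated with isakmpd. Load the file with `pfctl -f /etc/pf.conf` and inspect what is actually active with `pfctl -sr` and `pfctl -t wlan_trusted -T show`.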