IPsec wifi link in ad-hoc mode

 
 
Fabrice Delente

 
      09-25-2008, 05:51 PM
Hello.

I set up my two laptops to communicate in wifi ad-hoc mode.

One of the laptops (192.168.1.3) acts as a router and a DNS server for the
other (192.168.1.4).

As I don't want anybody to use my router as a gateway, I must secure it.

I enabled a WEP encryption key between the two of them, but it's hardly
extremely secure.

So I set up an IPsec link between them; it works ok, but I don't know if
it's enough to guarantee that nobody can hijack my connection, using my
gateway to spam/spoof/etc.

How can I make sure that only 192.168.1.4 connects to 192.168.1.3? Must
I/can I do IP filtering? MAC addresses filtering?

If yes, how do I do that?

Thanks!

--
Fabrice DELENTE
 
 
 
 
 
Sven Vermeulen

 
      09-25-2008, 08:29 PM
On Thu, 25 Sep 2008 17:51:28 +0000, Fabrice Delente wrote:
> I set up my two laptops to communicate in wifi ad-hoc mode.
>
> One of the laptops (192.168.1.3) acts as a router and a DNS server for
> the other (192.168.1.4).
>
> As I don't want anybody to use my router as a gateway, I must secure it.
>
> I enabled a WEP encryption key between the two of them, but it's hardly
> extremely secure.


Why not switch to TKIP/WPA or WPA2? As you're talking about laptops, this
should be doable (it wouldn't if you had an old AP that only supports
WEP).

> So I set up an IPsec link between them; it works ok, but I don't know if
> it's enough to guarantee that nobody can hijack my connection, using my
> gateway to spam/spoof/etc.


As long as the laptop acting as AP only accepts IPSec traffic (more
specifically, authenticated IPSec traffic) you should be quite safe.
However, wireless networks are still quite vulnerable to other types of
attacks (for instance, even with WEP/WPA/WPA2, one can still force
clients to disconnect even without prior knowledge of the keys).

> How can I make sure that only 192.168.1.4 connects to 192.168.1.3? Must
> I/can I do IP filtering? MAC addresses filtering?


IP filtering and MAC address filtering are just small bandages and are
easy to spoof.

Wkr,
Sven Vermeulen
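
A sketch of what "only accepts authenticated IPSec traffic" can look like on the gateway laptop (192.168.1.3), as an added example that is not part of the original posts. It assumes Linux iptables with the `policy` match, a wifi interface named `wlan0`, ESP with IKE on UDP port 500, and an SA that also covers forwarded traffic (tunnel mode); the thread states none of these details.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the gateway laptop.
# Assumed, not from the thread: interface name, IKE on UDP/500, tunnel-mode SA.

is_ipv4() {
    # Accept only dotted-quad addresses with octets 0-255.
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

gateway_ruleset() {
    wifi_if=$1 gw=$2 peer=$3
    # Refuse anything that is not a plain interface name or IPv4 address,
    # so the generated rules cannot contain unexpected tokens.
    case $wifi_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    is_ipv4 "$gw" && is_ipv4 "$peer" || { echo "bad address" >&2; return 2; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# IPsec itself: ESP packets and IKE negotiation, only from the peer.
-A INPUT -i $wifi_if -s $peer -d $gw -p esp -j ACCEPT
-A INPUT -i $wifi_if -s $peer -d $gw -p udp --dport 500 -j ACCEPT
# Decrypted packets that really arrived through an IPsec SA.
-A INPUT -i $wifi_if -s $peer -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i $wifi_if -s $peer -m policy --dir in --pol ipsec -j ACCEPT
# Everything else on the wifi side is plaintext or unauthenticated.
-A INPUT -i $wifi_if -j DROP
-A FORWARD -i $wifi_if -j DROP
COMMIT
EOF
}

# Print the ruleset for the addresses used in the thread. After review it
# can be loaded as root by piping it to iptables-restore, which replaces
# the current filter table.
gateway_ruleset wlan0 192.168.1.3 192.168.1.4
```

With these rules a plaintext packet arriving on the wifi side is dropped whether it claims to come from 192.168.1.5 or from a spoofed 192.168.1.4, because only packets that passed through an SA match the `policy` rules.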
 
 
Fabrice Delente

 
      09-26-2008, 05:54 AM
Sven Vermeulen wrote:
> Why not switch to TKIP/WPA or WPA2? As you're talking about laptops, this
> should be doable (it wouldn't if you had an old AP that only supports
> WEP).


I read things about wpa_supplicant but didn't get to understand if it's
possible to use in ad-hoc mode.

> As long as the laptop acting as AP only accepts IPSec traffic (more
> specifically, authenticated IPSec traffic) you should be quite safe.


None of the laptops is an AP. They are both in ad-hoc mode.

Thanks!

--
Fabrice DELENTE
 
 
Sven Vermeulen

 
      09-26-2008, 12:35 PM
On Fri, 26 Sep 2008 05:54:24 +0000, Fabrice Delente wrote:

> I read things about wpa_supplicant but didn't get to understand if it's
> possible to use in ad-hoc mode.


Apparently it isn't made for ad-hoc mode usage.

But your initial thought of using IPSec does provide a lot of security
already. You can also try to use VPN solutions such as OpenVPN (which
might be easier to manage than IPSec).

Wkr,
Sven Vermeulen
 
 
Fabrice Delente

 
      09-26-2008, 01:26 PM
Sven Vermeulen wrote:
> But your initial thought of using IPSec does provide a lot of security
> already. You can also try to use VPN solutions such as OpenVPN (which
> might be easier to manage than IPSec).


Setting up IPsec wasn't that hard; what I didn't understand is, if there is
an IPsec link between 192.168.1.3 (the router) and 192.168.1.4, can a
machine with IP 192.168.1.5 still connect to 192.168.1.3, and use its
routing facilities?

--
Fabrice DELENTE
 
 
Fabrice Delente

 
      09-26-2008, 05:39 PM
Maxwell Lol wrote:
> We built an ad hoc network a few years ago. I think we had to
> broadcast all packets to work around the issue.


I don't understand, could you explain what you mean?

--
Fabrice DELENTE
 
 
Fabrice Delente

 
      09-27-2008, 05:55 AM
Maxwell Lol wrote:
> Well, normally a packet is received by the client when it is addressed
> to the client. If you are A, and want to send a packet to B that will
> forward it to C, you can't simply put C's IP address as the
> destination. B will never see it as the address doesn't match.
>
>
> But by setting the broadcast bit at the MAC layer, B will receive the
> packet, and see that it should go to C.
>
> It's been 5 years. I'm a little fuzzy on the details.
>
> Or else B had to be put in promiscuous mode, so it received all
> packets. It was something like that...


Ok, thanks. However it's a technique I've never seen before, so I think I'll
stick to something simpler :^)

--
Fabrice DELENTE
 
 
Fabrice Delente

 
      09-27-2008, 03:35 PM
Sven Vermeulen wrote:
> But your initial thought of using IPSec does provide a lot of security
> already.


If I understood correctly, it provides security on the
192.168.1.3<->192.168.1.4 link; that is, anybody wanting to talk to
192.168.1.4 that has IP 192.168.1.3 won't succeed unless he identifies
correctly through the IPsec layer, right?

If yes, then my question is: will somebody connecting to 192.168.1.3 with IP
192.168.1.5 be refused because he didn't use the IPsec link?

--
Fabrice DELENTE
 