IPSec, is it possible?
Jens Ropers
ropers at ropersonline.com
Sun Oct 8 13:32:03 PDT 2006
> From: "MK" <public at kubikcz.net>
> Subject: IPSec, is it possible?
>
> Hello
>
> I would like to know if there is a way for traffic encryption between my
> computer, which is directed through my OpenBSD(NAT), to the internet.
> My situation is the following:
>
> intranet ---- OpenBSD(NAT) --- internet
>
> It is obvious that anybody on the intranet can sniff my traffic and of
> course I don't like it. I was thinking about IPSec, so traffic from my PC
> could be encrypted and then decrypted by OpenBSD and directed to its final
> destination.
Correct me if I'm wrong, but the way I understand you, what you're
trying to do is this:
YourPC <---[intranet]---> OBSD(NAT) <---[Internet]---> whateverSrvYouTalkTo
traffic between YourPC and OBSD(NAT) = encrypted
traffic between OBSD(NAT) and whateverSrvYouTalkTo = unencrypted
> From: Olivier Debré <pyrrhocorax at free.fr>
> Subject: Re: IPSec, is it possible?
>
> Let's see. You mean you want to encrypt between your pc, situated on
> what you call an intranet, and your OpenBSD gateway, right? In turn,
> this means to me that you care about people around you peeking on your
> traffic, and not those outside. Okay.
>
> Message: 3
> From: "MK" <public at kubikcz.net>
> Subject: Re: IPSec, is it possible?
>
> I have Windows XP SP2 installed, IPsec should not be a problem.
>
> I was considering the following situation. Let's say that the interface on the OpenBSD
> gateway which leads to the LAN has IP address 192.168.0.1 and my PC has
> 192.168.0.2. For my PC the gateway is 192.168.0.1, and if I create an IPsec
> tunnel between 192.168.0.1 and 192.168.0.2 only the traffic between these
> two points will be encrypted, at least I think. In case I want to access
> the internet from my PC the destination won't be address 192.168.0.1 but the IP
> of the server placed on the internet.
> In this case the traffic will not be encrypted, am I right or am I still
> missing something?
I am actually quite clueless myself, but the way I understand things,
you would use whatever IPsec/VPN software you use on your Windows box
and configure that to send all traffic through the tunnel. So the
tunnel is the default gateway and you might even disallow the Windows
box to talk to anyone except through the tunnel. That part however you
need to configure on the Windows box, by setting up whatever software
you chose to use there, and I can't really help there.
> Message: 4
> From: Olivier Debré <pyrrhocorax at free.fr>
> Subject: Re: IPSec, is it possible?
>
> P.S. : BTW, on your LAN, on which you're afraid of others peeking at your
> traffic, is the risk really that high? Are you still using hubs instead
> of switches? Are those guys skilled enough to sniff in promiscuous mode?
> ARP redirect? If yes, okay, okay, but still, ask yourself the question.
> Security means using commensurate means as compared to the risk.
Very true.
It would be hard, to say the least, to get at any of your traffic if
you're using a switch, because the switch, unless it's itself somehow
h4x0r3d, would not normally send that traffic down another tube^W
cable. Essentially, using a switch makes every cable attached to the
switch into a separate network segment.
Cheers,
ropers
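The gateway-side configuration the thread is circling around, as an added example that is not part of any message above: an OpenBSD ipsec.conf(5) rule that selects the PC's whole traffic (0.0.0.0/0), not just packets addressed to the gateway itself, so that everything from the PC is encrypted across the LAN and only leaves the gateway in the clear. The addresses are the ones MK gives; the pre-shared key is a placeholder, and the Windows XP side is assumed to be set up separately to initiate the tunnel.

```conf
# /etc/ipsec.conf on the OpenBSD gateway (added example, not from the thread).
# Addresses follow the thread: gateway LAN interface 192.168.0.1, PC 192.168.0.2.
gw_lan = "192.168.0.1"
pc     = "192.168.0.2"

# A flow that only covered $gw_lan <-> $pc would leave Internet-bound
# packets from the PC unencrypted on the LAN, which is exactly the gap MK
# describes. Selecting 0.0.0.0/0 on the gateway side makes every packet
# from the PC, whatever its final destination, travel inside the tunnel
# as far as the gateway; the gateway then decapsulates it and NATs it out.
# "passive": the PC initiates IKE, the gateway only answers.
# The psk value is a placeholder; use a long random secret on both ends.
ike passive esp tunnel from 0.0.0.0/0 to $pc \
    local $gw_lan peer $pc \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "REPLACE-WITH-LONG-RANDOM-SECRET"
```

Load it with isakmpd running (`isakmpd -K`, then `ipsecctl -f /etc/ipsec.conf`) and confirm with `ipsecctl -s flow` that the installed flow lists 0.0.0.0/0 rather than only the gateway address. The pf rules on the gateway also need to pass the decapsulated packets on enc0 so the existing NAT rule can handle them.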