SecureWLAN Network Layout
1. Introduction
This software was designed with a particular network topology in mind, and it will not work properly unless the network is laid out exactly as explained hereafter.
Every mobile node (a wireless-enabled workstation) establishes an IPsec tunnel to a Security Gateway (an ordinary workstation), which acts both as the router between the mobile nodes and "the rest of the universe" (the outside wired LAN, the Internet, ...) and as the IPsec association counterpart for every mobile node. This is shown in the following picture:
[Figure 3: Scenario and Tunnel Configuration for IPSec Protection of WLAN Traffic]
If a mobile node wants to communicate with an IP address of the "world outside", it has to send its packets over the IPsec tunnel to the Security Gateway, which routes them outside. If it wants to talk to another node in the WLAN, it must likewise send its packets to the Security Gateway first, which then forwards them to the other mobile node.
This is why tunnel mode is required: one end of every IPsec association must be the Security Gateway, while the Security Gateway is not necessarily one of the communication endpoints.
2. Description of the networking issues
It is good practice to use private IP addresses inside the WLAN, although this is not compulsory (in that case a NAT device is needed on the Security Gateway, or on its default router, if Internet access is wanted).

For example, let us assume that the wired subnetwork into which our Security Gateway is plugged is 155.155.155.*, and that the wireless subnetwork that constitutes the WLAN is 172.12.1.*. The Security Gateway then needs two wired Ethernet interfaces: one for the wired subnetwork and one connected to the Base Station. One of the Ethernet cards belongs to the 155.155.155.* network (say 155.155.155.62) and the other one to 172.12.1.* (say 172.12.1.1, since it is also the default gateway of the subnet).
The Mobile Nodes can obtain their IP addresses according to different policies, but IP address collisions must be avoided. For our project we used a DHCP server running on the Security Gateway, but it is also possible to enter the IP addresses by hand in the connection menu of the Mobile Nodes' wireless adapters.
For the example depicted above, the following steps should be taken (for more information, see the software manual):
- On the Security Gateway, IP forwarding must be switched on. See this tutorial on that, or use the registry file EnableRouting.reg (double-click it). The packets from the Mobile Nodes can now go further than the Security Gateway.
- On the Security Gateway:
  - Unzip WLANServer-installer.zip into a folder.
  - Download the IPSECPOL files (ipsecpol.exe, ipsecutil.dll and text2pol.dll) from here and place them in the same folder.
  - Run the InitialIPSecConfigurator. For the example above, a valid call would be: InitialIPsecConfigurator -interface 172.12.1.1:58612 -f base_stations.txt -min 2 -max 254. The base_stations.txt file lists the IP addresses which must not be blocked (one per line). Leaving addresses permanently unblocked is unsafe and not recommended: addresses should only be unblocked for SNMP management of the Base Stations and blocked again as soon as the management task is finished.
  - Run the SGNameConfigurator. Run this program only once (this first and last time), since running it again would overwrite the identifier of your Security Domain.
  - Run the RandomInit.
  - Edit the server.conf file in the same folder in which you placed the other files (no subdirectories must be created in it). In this file, enter the data of the clients. The format of this file and the way to edit it are explained here.
  - Now the WLANServer can be started. There are two possibilities: run it as a normal program or as a service:
    - As a normal program (for the example above): WLANServer -ip 172.12.1.1 -f ipsec.txt -p 58612. ipsec.txt is a file containing additional ipsecpol commands, which are added to the WLAN IPSec policy.
    - As an NT service. You must first install it as an NT service: download the tools INSTSRV and SRVANY from here, place them in the same folder as the rest of the components, and run WLANService. For the example above: WLANService -ip 172.12.1.1 -f ipsec.txt -p 58612. ipsec.txt is a file containing additional ipsecpol commands, which are added to the WLAN IPSec policy. After the service is installed, you must change the account it runs under (assign it a user's account) and select the startup type ("Automatic" starts the WLANServer as soon as the machine reboots, even if no user is logged in). This is done under Settings/Control Panel/Administrative Tools/Services. The installed service is called "WLANServer".
- On the Mobile Nodes:
  - Unzip WLANClient-installer.zip into a folder.
  - Download the IPSECPOL files (ipsecpol.exe, ipsecutil.dll and text2pol.dll) from here and place them in the same folder.
  - Run the RandomInit.
  - Edit the client.conf file in the same folder in which you placed the other files (no subdirectories must be created in it). In this file, enter the data of the Security Domains in which the node is registered. The format of this file and the way to edit it are explained here.
  - Run the WLANClient. For the example above, a valid call would be: WLANClient -f ipsec.txt -p 58612. ipsec.txt is a file containing additional ipsecpol commands, which are added to the WLAN IPSec policy.
Of course, this is just an example, and you should read the Software Guide carefully before installing and running the software. Further information can be found in the Project Whitepaper.
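The base_stations.txt exception list is the one place in this procedure where an administrator can quietly weaken the WLAN blocking policy, so it is worth checking before InitialIPSecConfigurator is run. The script below is an added example and not part of the SecureWLAN software; it assumes (from the description above) that the configurator blocks every host address of the WLAN subnet between -min and -max except those listed in base_stations.txt. The subnet, gateway address and 2..254 range are the ones from the example on this page, and the sample file contents are constructed. It reports which addresses would be left open and rejects entries that are malformed, lie outside the WLAN subnet or the host range, name the Security Gateway itself, or are duplicates.

```python
"""Sanity-check a base_stations.txt exception list (added example)."""
import ipaddress

# Values taken from the page's example: WLAN 172.12.1.*, gateway 172.12.1.1,
# configurator called with -min 2 -max 254.
WLAN_SUBNET = ipaddress.ip_network("172.12.1.0/24")
GATEWAY = ipaddress.ip_address("172.12.1.1")
HOST_MIN, HOST_MAX = 2, 254

# Constructed sample contents of a base_stations.txt (one address per line).
SAMPLE_BASE_STATIONS = """\
172.12.1.250
172.12.1.251
155.155.155.62
172.12.1.1
not-an-ip
172.12.1.250
"""


def parse_base_stations(text, subnet=WLAN_SUBNET, gateway=GATEWAY,
                        host_min=HOST_MIN, host_max=HOST_MAX):
    """Parse the exception list and return (exceptions, problems).

    exceptions: set of addresses that would be left unblocked.
    problems:   list of (line_number, entry, reason) for entries that are
                malformed, redundant, or would never be blocked anyway.
    """
    exceptions = set()
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            problems.append((lineno, entry, "not a valid IP address"))
            continue
        if addr not in subnet:
            problems.append((lineno, entry, "outside the WLAN subnet"))
            continue
        if addr == gateway:
            problems.append((lineno, entry, "is the Security Gateway itself"))
            continue
        host = int(addr) - int(subnet.network_address)
        if not host_min <= host <= host_max:
            problems.append((lineno, entry, "outside the -min/-max host range"))
            continue
        if addr in exceptions:
            problems.append((lineno, entry, "duplicate entry"))
            continue
        exceptions.add(addr)
    return exceptions, problems


def blocked_addresses(exceptions, subnet=WLAN_SUBNET,
                      host_min=HOST_MIN, host_max=HOST_MAX):
    """Host addresses in [host_min, host_max] that remain blocked."""
    base = int(subnet.network_address)
    blocked = []
    for host in range(host_min, host_max + 1):
        addr = ipaddress.ip_address(base + host)
        if addr not in exceptions:
            blocked.append(addr)
    return blocked


def report(text):
    """Human-readable summary of what the exception list would do."""
    exceptions, problems = parse_base_stations(text)
    blocked = blocked_addresses(exceptions)
    lines = [f"{len(blocked)} WLAN addresses blocked, "
             f"{len(exceptions)} left open for Base Station management:"]
    for addr in sorted(exceptions):
        lines.append(f"  open: {addr}  (remove it from base_stations.txt "
                     "once SNMP management is finished)")
    for lineno, entry, reason in problems:
        lines.append(f"  line {lineno}: {entry!r} ignored: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_BASE_STATIONS))
```

Run it against the real base_stations.txt by passing the file contents to report(); an empty exception set is the normal state, and any address it reports as open should be removable again after the management task.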