TKN - Telecommunication Networks Group TU-Berlin
Head of Group: Prof. Adam Wolisz Faculty of Electrical Engineering and Computer Science

SecureWLAN software users' manual


SYSTEM INSTALLATION OVERVIEW

Welcome to the WLAN software installation tutorial. This document will guide you through some initial installation and configuration steps, after which you will be able to run the software. There are 2 programs:

  • WLANServer: This piece of software runs on the Security Gateway, that is, the computer that connects the WLAN with the wired network. You must unpack the file WLANServer-installer.zip in a directory in the Security Gateway, and go through a few initial configuration steps:

    • Download IPSECPOL
    • Enable IP forwarding
    • Run InitialIPSecConfigurator.exe (only once!)
    • Run SGNameConfigurator.exe (only once!)
    • Run RandomInit.exe (at least this first time)
    • Edit the server.conf file with the clients' information
  • WLANClient: this program will run on each Mobile Node. You must unpack the file WLANClient.zip in a directory in the Mobile Node, and go through some initial configuration steps:

    • Download IPSECPOL
    • Run RandomInit (at least this first time)
    • Edit the client.conf file with the WLANs' information

In the following sections, all these steps are explained in detail.


THE MOBILE NODES: Initial Configuration

Once you have unpacked the client program files into a directory (installation directory from now on), and before you run the WLANClient, you will need to accomplish some initial configuration steps:

  1. Additional software: You need to download the IPSECPOL tool yourself. This program can be downloaded from the Free Tool Downloads site of the Windows 2000 Resource Kit. You must copy the files (ipsecpol.exe, ipsecutil.dll and text2pol.dll) to the installation directory.

  2. Random source: For this, please run the program RandomInit.exe (present in the installation directory). This application will ask you to type 100 random keystrokes. It does not matter whether what you write makes sense or not: just type 100 keys at random (varying the keys and the typing speed). This gives the application a fairly good random basis from which to generate the unpredictable random numbers exchanged with the server. The result is stored in a file called wlan.seed, in the installation directory. This step needs to be done only once, but it is still recommended to repeat this random generation from time to time. It will refresh your random source, and therefore strengthen the protocol's security.

  3. Client database: This file (client.conf) must also be present in the installation directory and stores the data regarding the different WLANs in which the client is expected to work. It consists of one set of four, three or two values (as explained below) for each WLAN. For each WLAN in which the user is registered, a new set must be entered with the corresponding data. These values are:

    • SGName: This is the name of the Security Gateway, which identifies the WLAN

    • DefaultGatewayTag: For non-English installations, enter here the label that the "ipconfig.exe" program uses for the Security Gateway feature (in English, it is "Security Gateway"; in German, "Standardgateway"; etc.). In any other case, this field is to be omitted.

    • MNName: If the client should have a different name within the WLAN indicated by SGName, it is stated here. This tag is used to avoid client name collisions: if the client's host name is already in use in this WLAN, the WLAN administrator will provide an alternative one, valid only for that local WLAN, and that is the name to be written here. In any other case (that is, if the host name is not already in use in the WLAN), this field is to be omitted. The default MNName is the Mobile Node's host name (which can be found out by typing the command "hostname" at a DOS prompt).

    • PSS: Security Gateway and Client hold a preshared secret, called the PSS. This preshared secret should be stored in this line.

    You will need to edit this file yourself. This file needs to be updated each time you want to register your Mobile Node in a new WLAN. In that case, you will have to enter the SGName, MNName (if necessary) and PSS fields for the new environment at the end of the file.

    NOTE: Please note that the names of the tags must be exactly as shown, and that they are case sensitive. The quotation marks enclosing the data are also necessary. The order of the tags must be respected for each entry.

    Example:

    # Name of the SG
    SGName = "hancock"
    # Corresponding name of the MN
    MNName = "baker"
    # Preshared secret
    PSS = "Secretito secretito..."

    # Name of the SG
    SGName = "Other"
    # Preshared secret
    PSS = "Secretito secretazo..."

In the WLAN in which the Security Gateway is called "hancock", this client's host name (for example "user") was already in use (client name collision). The client was therefore assigned a new one, "baker", which is valid only for that WLAN. PSS is their preshared secret string.

On the other hand, in the WLAN "Other", no other user has already taken the Mobile Node's name (in our example, "user"). That is why it does not need an alternative MNName, and the tag is omitted.

Comments are preceded by a # character. These lines are ignored by the program, but are helpful for making annotations regarding the different WLAN environments. The values must be enclosed in quotation marks for the application to recognize them. This file can be edited with a plain text editor such as the Notepad or WordPad that ships with Windows.

If the installation is in a language other than English, say German, the second entry would be:

    SGName = "Other"
    DefaultGatewayTag = "Standardgateway"
    PSS = "Secretito secretito..."

When these two pieces of information (wlan.seed and client.conf, the names are mandatory!) are ready and present in the installation directory, the client can be started.

THE MOBILE NODES: Running the Client

After the initial steps explained above have been accomplished, the configuration is complete. From then on, you need not repeat them: you just run WLANClient, without touching client.conf (unless you want to register your Mobile Node in a new WLAN) or RandomInit.exe.

This step is as easy as it sounds: just run WLANClient.exe in the installation directory, from the command prompt or from Windows Explorer, and the client will do the rest. If no errors occur during the communication with the WLANServer process (running at the Security Gateway), the corresponding IPsec settings will be updated on your computer. From that moment on, your IP communications over the WLAN will be secured.

WLANClient.exe expects some command-line arguments:

WLANClient  -f  filename  -p  port

Example: WLANClient  -f  ipsec.txt  -p  8899

  • filename: filename is the file in which the user has entered additional ipsecpol commands (ipsecpol.exe is a freely downloadable tool from the Microsoft Resource Kit aimed at the automatic configuration of IPsec policies). These commands are intended to make the user's default IPsec settings compatible with the new policy. The only requirement is that, in the ipsecpol commands of this file, the IPsec policy name coincides with the default name of the policies created by the WLANServer and WLANClient programs (the name is "SECURE_WLAN"). The full path of the file is expected. This argument is optional.

  • port: port is the UDP port to be used by the WLANClient. By default, it is 58612. However, in some environments this port might already be in use by other applications. In that case, this option lets the user decide which port to use (it is very important to make sure that the WLANServer is also running on that port; otherwise, it will be unreachable by the WLANClient). This argument is optional.

THE MOBILE NODES: Disconnecting the Client

If you want to switch off the WLAN IPsec policy because you are leaving the Security Domain, you can run WLANDisconnect.exe. This application deactivates the previous IPsec policy (that is, the active policy for the last visited Security Domain) and activates a "default" IPsec policy that essentially allows what the user decides. In this sense, there are two possibilities:

  • "Allow everything" policy: if no command line arguments are entered, the program activates a default IPSec policy that allows the exchange of traffic with any other entity (any other IP address) without applying security measures. 

  • "Allow what the user decides" policy: of course, more conservative users would prefer to limit that default policy. This is accomplished by entering as a command line argument a file that contains additional rules to be added to the "default" IPsec policy. It must be an ipsecpol-compliant file with the additional ipsecpol commands to be executed in order to tune the "default" IPsec policy according to the user's specific security needs. Users must just be careful to design this file bearing in mind that the "default" IPsec policy is named "DEFAULT_WLAN" (the ipsecpol commands should add the extra rules to this policy).

This program takes one command line argument:

  • -f filename: where filename is the ipsecpol-compliant file containing the extra rules to be added to the "default" IPsec policy ("DEFAULT_WLAN"). This parameter is optional. If it is not entered, the activated policy will be of the type "Allow everything"; if it is entered, the policy will be of the type "Allow what the user decides".

However, the program performs no checks on the contents of this file: it is the user's responsibility to enter valid ipsecpol commands that make sense and result in a viable IPsec policy.


THE SECURITY GATEWAY: Initial Configuration

Once you have unpacked the server program files into a directory (installation directory from now on), and before you run the WLANServer, you will need to accomplish some initial configuration steps:

  1. Additional software: You need to download the IPSECPOL tool yourself. This program can be downloaded from the Free Tool Downloads site of the Windows 2000 Resource Kit. You must copy the files (ipsecpol.exe, ipsecutil.dll and text2pol.dll) to the installation directory.

  2. Enable IP forwarding. In the Security Gateway, IP forwarding must be enabled for the Security Gateway to act as a router. To accomplish this, there are two possibilities:

    • Use the "registry file" EnableRouting.reg shipped with the server's software bundle (double click on it, and the Windows registry will be automatically updated).

    • Update the Windows registry yourself (which is considered a risky practice). A manual on how IP forwarding can be enabled is found here.

  3. Initial IP address blocking: all the IP addresses in the WLAN subnet must first be blocked, so that only registered users can access the Security Gateway. For that, run the program "InitialIPSecConfigurator.exe". It expects some command-line arguments:

    InitialIPSecConfigurator  -interface  ip:port  -f  file  -min  min  -max  max

    Example: InitialIPSecConfigurator  -interface  172.12.1.1:58612  -f  base_stations.txt  -min  2  -max  254

    • ip:port: after the "-interface" tag, a value for the IP interface of the WLANServer must be entered. This argument is compulsory, and it consists of the IP address and the UDP port on which the Security Gateway listens for the incoming clients' requests, separated by a colon (":") character. By default, the UDP port used by WLANServer and WLANClient is 58612, so that is the value which should normally be entered here. However, in some cases this port may already be in use and another port needs to be used (and specified in this command-line argument).

    • file: after the "-f" tag, a file name can be entered. This file lists the IP addresses that must not be blocked (or that must be unblocked), one per line. These addresses typically correspond to those of the Base Stations. This argument is optional.

    • min: after the "-min" tag, an integer value between 1 and 255 must be entered. This is the lowest IP address which will be blocked. For example, if the WLAN subnet is 172.12.1.*, the blocking loop will begin at 172.12.1.min. This argument is optional, but if it is entered, then the -max argument is compulsory.

    • max: after the "-max" tag, an integer value between 1 and 255 must be entered. This is the highest IP address which will be blocked. For example, if the WLAN subnet is 172.12.1.*, the blocking loop will end at 172.12.1.max. This argument is optional, but if it is entered, then the -min argument is compulsory, and the -min value must be smaller than the -max value.

    It will take a while to close all the WLAN IP addresses.

    This program accepts yet another option. If the network administrator needs to remove the IPSec policy in a permanent way (that is, it would not be recoverable), it is necessary to call the program:

    InitialIPSecConfigurator  remove

    This will permanently remove the IPSec policy "SECURE_WLAN" from the Security Gateway.
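    As an added example (not part of the SecureWLAN software or of this manual), the following Python script reproduces the argument rules listed above for InitialIPSecConfigurator and works out which addresses of the WLAN subnet the initial policy would block for a given -interface, -min/-max range and -f exclusion file. The base_stations.txt content is constructed for the example. Two things the manual does not state are assumptions here: that the WLAN subnet is the /24 containing the interface address, and that the whole range 1..255 is blocked when -min/-max are omitted.

```python
import ipaddress

# Constructed sample of the -f exclusion file: one address per line, the
# Base Stations that must stay reachable (content made up for this example).
BASE_STATIONS_TXT = """172.12.1.2
172.12.1.3
"""

DEFAULT_PORT = 58612  # default UDP port of WLANServer/WLANClient per the manual


def parse_interface(arg):
    """Split the compulsory -interface value "ip:port" into (ip, port)."""
    ip, sep, port = arg.rpartition(":")
    if not sep:
        raise ValueError("-interface expects ip:port")
    addr = ipaddress.IPv4Address(ip)      # raises on a malformed address
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return str(addr), port


def parse_exclusions(text):
    """Addresses listed in the -f file, one per line; blank lines are ignored."""
    return {str(ipaddress.IPv4Address(line.strip()))
            for line in text.splitlines() if line.strip()}


def blocking_plan(interface_ip, lo=None, hi=None, exclusions=()):
    """Host addresses of the WLAN subnet that the initial policy blocks.

    Mirrors the manual's rules: -min and -max are optional but must be given
    together, both lie in 1..255, and -min must be smaller than -max.
    Assumptions not stated in the manual: the WLAN subnet is the /24 of the
    interface address, and the whole range 1..255 is blocked when -min/-max
    are omitted.
    """
    if (lo is None) != (hi is None):
        raise ValueError("-min and -max must be given together")
    if lo is None:
        lo, hi = 1, 255
    for value in (lo, hi):
        if not 1 <= value <= 255:
            raise ValueError("-min/-max must be between 1 and 255")
    if lo >= hi:
        raise ValueError("-min must be smaller than -max")
    net = ipaddress.IPv4Network(f"{interface_ip}/24", strict=False)
    prefix = str(net.network_address).rsplit(".", 1)[0]
    skip = set(exclusions)
    return [f"{prefix}.{n}" for n in range(lo, hi + 1)
            if f"{prefix}.{n}" not in skip]


def plan_error(interface_ip, lo=None, hi=None, exclusions=()):
    """Return the argument error for these options as a string, None if valid."""
    try:
        blocking_plan(interface_ip, lo, hi, exclusions)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Same options as the manual's example command line.
    ip, port = parse_interface("172.12.1.1:58612")
    plan = blocking_plan(ip, 2, 254, parse_exclusions(BASE_STATIONS_TXT))
    print(f"listening on {ip}:{port}; {len(plan)} addresses to block,"
          f" first {plan[0]}, last {plan[-1]}")
```

    With the manual's example options (range 2..254, two Base Stations excluded) the plan holds 251 addresses, which also gives an idea of why the manual warns that closing all the WLAN addresses takes a while: each one is a separate policy entry.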

  4. Security Gateway Identifier: In order to avoid collisions between Security Gateways' names, this program (SGNameConfigurator.exe) takes your host's name and appends some random bytes to it. This application will ask you to type 100 random keystrokes. It does not matter whether what you write makes sense or not: just type 100 keys at random (varying the keys and the typing speed). This gives the application a fairly good random basis from which to generate the random name extension for your Security Gateway. The generated identifier is saved as plaintext in the file securitygateway.id. This identifier is the name by which the Security Gateway (and therefore the WLAN) is uniquely identified to a Mobile Node. You must run this program ONLY ONCE, before the programs' first run, and not afterwards, since running it again would change your Security Gateway's identifier, by which all the clients recognize it.

  5. Random source: For this, please run the program RandomInit.exe, present in the installation directory. This application will ask you to type 100 random keystrokes. It does not matter whether what you write makes sense or not: just type 100 keys at random (varying the keys and the typing speed). This gives the application a fairly good random basis from which to generate the unpredictable random numbers exchanged with the client. The result is stored in a file called wlan.seed, in the installation directory. This step needs to be done only once, but it is still recommended to repeat this random generation regularly, since this random source will be used very often (in fact, every time a client establishes a connection to the Security Gateway). It will refresh your random source, and therefore strengthen the protocol's security.

  6. Client database: This file (server.conf) must be present in the installation directory and stores the data regarding the Mobile Nodes registered in this WLAN. It consists of one set of two values for each client. For every client that is to be registered in the WLAN, a new set of values is to be entered with the corresponding data. These values are:

    • MNName: This is the name of the Mobile Node, which identifies the incoming client

    • PSS: Security Gateway and Client hold a preshared secret, called the PSS. This preshared secret should be stored in this line.

    You will need to edit this file yourself. This file needs to be updated each time you want to register a Mobile Node in your WLAN (for your Security Gateway).

    NOTE: Please note that the names of the tags must be exactly as shown, and that they are case sensitive. The quotation marks enclosing the data are also necessary.

    Example:

    # The name of the Mobile Node
    MNName = "mn1"
    # Preshared secret of mn1 with the Sec. Gateway
    PSS = "preshared_mn1_sg12345"

    # The name of the Mobile Node
    MNName = "julian"
    # Preshared secret of julian with the Sec. Gateway
    PSS = "pss von julian"

    This Security Gateway has two registered users (Mobile Nodes). The first is called "mn1", and its preshared secret with this Security Gateway is "preshared_mn1_sg12345". The second user's host name is "julian", and its preshared secret with this Security Gateway is "pss von julian".

    Comments are preceded by a # character. These lines are ignored by the program, but are helpful for making annotations regarding the different clients. The values must be enclosed in quotation marks for the application to recognize them. This file can be edited with a plain text editor such as the Notepad or WordPad that ships with Windows.

When these two pieces of information (wlan.seed and server.conf, the names are mandatory!) are ready and present in the installation directory, the server can be started.
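As an added example, not code from the SecureWLAN project, here is a Python parser for the client.conf and server.conf format described in this section and in the Mobile Node section above: "#" comment lines, case-sensitive Tag = "value" lines with mandatory quotation marks, a fixed tag order per entry, the optional DefaultGatewayTag and MNName tags in client.conf, and PSS closing every entry. The sample file contents are constructed from the manual's examples. The rejection of an empty PSS and of duplicate names in index_by are added checks, not documented behaviour of the tools.

```python
import re

# Constructed sample files, modelled on the examples in this manual.
CLIENT_CONF = '''# Name of the SG
SGName = "hancock"
# Corresponding name of the MN
MNName = "baker"
# Preshared secret
PSS = "Secretito secretito..."

# Name of the SG
SGName = "Other"
DefaultGatewayTag = "Standardgateway"
PSS = "Secretito secretazo..."
'''

SERVER_CONF = '''# The name of the Mobile Node
MNName = "mn1"
# Preshared secret of mn1 with the Sec. Gateway
PSS = "preshared_mn1_sg12345"

MNName = "julian"
PSS = "pss von julian"
'''

# Tag order per file, as the manual requires. The first tag opens an entry,
# PSS closes it, and the tags in between are optional (client.conf only).
SCHEMAS = {
    "client": ("SGName", "DefaultGatewayTag", "MNName", "PSS"),
    "server": ("MNName", "PSS"),
}

# One data line: Tag = "value". Tags are case sensitive; quotes are mandatory.
LINE_RE = re.compile(r'^([A-Za-z]+)\s*=\s*"([^"]*)"\s*$')


def parse_conf(text, kind):
    """Parse client.conf ("client") or server.conf ("server") into a list of
    entries (dicts). Raises ValueError with the line number on any violation
    of the format rules."""
    schema = SCHEMAS[kind]
    first, last = schema[0], schema[-1]
    records, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f'line {lineno}: expected Tag = "value", got {line!r}')
        tag, value = match.groups()
        if tag not in schema:
            raise ValueError(f"line {lineno}: unknown tag {tag!r} (tags are case sensitive)")
        if tag == first:
            if current is not None:
                raise ValueError(f"line {lineno}: previous record is missing {last}")
            current = {tag: value}
            continue
        if current is None:
            raise ValueError(f"line {lineno}: {tag} before {first}")
        if schema.index(tag) <= max(schema.index(t) for t in current):
            raise ValueError(f"line {lineno}: tag {tag} repeated or out of order")
        if tag == last and not value:
            raise ValueError(f"line {lineno}: empty {last}")   # added check
        current[tag] = value
        if tag == last:
            records.append(current)
            current = None
    if current is not None:
        raise ValueError(f"last record is missing {last}")
    return records


def index_by(records, tag):
    """Map the value of `tag` (SGName or MNName) to its entry. Rejects
    duplicates, since two secrets for one name would be ambiguous (added
    check, not documented behaviour of the tools)."""
    index = {}
    for rec in records:
        name = rec[tag]
        if name in index:
            raise ValueError(f"duplicate {tag} {name!r}")
        index[name] = rec
    return index


def validate(text, kind):
    """Return None if the file parses cleanly, else the error message."""
    try:
        parse_conf(text, kind)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    wlans = index_by(parse_conf(CLIENT_CONF, "client"), "SGName")
    print("hancock ->", wlans["hancock"].get("MNName", "<host name>"))
    print("Other   ->", wlans["Other"].get("DefaultGatewayTag", "<none>"))
    print(validate('sgname = "x"\n', "client"))
```

Running validate on a file before starting WLANClient or WLANServer shows the line that breaks the rules (a lowercase tag, a missing quotation mark, a tag out of order, an entry without PSS), which is more helpful than the programs' own silent failure to recognize a value.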

THE SECURITY GATEWAY: Running the Server

After the initial steps explained above have been accomplished, the configuration is complete. From then on, you need not repeat them: you just run WLANServer, without touching server.conf (unless you want to register a new Mobile Node in your WLAN) or the RandomInit.exe, SGNameConfigurator.exe and InitialIPSecConfigurator.exe applications.

The WLANServer application listens for the clients' incoming requests, negotiates network access with them, and eventually configures an IPsec tunnel to their IP address. To run it, start WLANServer.exe (in the installation directory) from the command prompt or from Windows Explorer, and it will start listening. If no errors occur during the communication with each WLANClient process (running at the Mobile Nodes), the corresponding IPsec settings will be updated in the Security Gateway. From that moment on, the IP communications of the client over the WLAN will be secured.

The usage of the program is:

WLANServer  -ip  ipaddress  -f  filename  -p  port

Example: WLANServer  -ip  172.12.1.1  -f  ipsec.txt  -p  8899

  • ipaddress: the IP address of the IP interface on which the Security Gateway is listening for the incoming clients' requests. This argument is compulsory.

  • filename: the file in which the user has entered additional ipsecpol commands (ipsecpol.exe is a freely downloadable tool from the Microsoft Resource Kit aimed at the automatic configuration of IPsec policies). These commands are intended to make the user's default IPsec settings compatible with the new policy. The only requirement is that, in the ipsecpol commands of this file, the IPsec policy name coincides with the default name of the policies created by the WLANServer and WLANClient programs (the name is "SECURE_WLAN"). The full path of the file is expected. This argument is optional.

  • port: port is the UDP port to be used by the WLANServer. By default, it is 58612. However, in some environments this port might already be in use by other applications. In that case, this option lets the administrator decide which port to use (it is very important to let the users know on which port the Security Gateway is listening; otherwise, it will remain unreachable for the WLANClients). This argument is optional.

THE SECURITY GATEWAY: Running the Server as an NT Service

It is very convenient to install the WLANServer as an NT service on the Security Gateway. This allows the WLANServer to run even if no user is logged in on the Security Gateway. In order to install a program as an NT service, two tools called INSTSRV and SRVANY are needed (download them here and place them in the installation folder), and the Windows registry must also be updated. The tool WLANService.exe spares users from having to invoke these tools and update the registry by hand (which is a risky practice).

WLANService.exe installs WLANServer.exe as an NT service, so that when the Security Gateway is turned on, WLANServer starts running even if no user is logged in. Once WLANServer is installed as a service, users must be careful to change the account under which the service runs, in order to restrict the permissions of the process. The service can be found under the name "WLANServer". The service startup must also be configured (at startup, at logon, etc.). This can be accomplished in the folder Settings/Control_Panel/Administrative_Tools/Services.

The application accepts a series of command line arguments:

  • -ip ipaddress: ipaddress is the IP address of the IP interface on which the Security Gateway is listening for the incoming clients' requests. This argument is compulsory.

  • -f filename: filename is the file in which the user has entered additional ipsecpol commands. These commands are intended to make the user's default IPsec settings compatible with the new policy. The only requirement is that, in the ipsecpol commands of this file, the IPsec policy name coincides with the default name of the policies created by the WLANServer and WLANClient programs. The full path of the file is expected. This argument is optional.

  • -p port: port is the UDP port to be used by the WLANServer. By default, it is 58612. However, in some environments this port might already be in use by other applications. In that case, this option lets the administrator decide which port to use. This argument is optional.


If the Security Gateway administrator wishes to remove the WLANServer as an NT service, the application accepts the command line argument "remove" (WLANService remove). This call deletes the corresponding Windows registry's branch, uninstalling the WLANServer as NT service.

