Using IPsec on the NANOG Network
Duane Wessels
The Measurement Factory, Inc.
wessels@measurement-factory.com
NANOG 31
May 2004
NANOG 31 0 The Measurement Factory

Motivation
† The wireless network makes it easy for anyone to eavesdrop.
† We can encrypt (wireless) traffic locally and decrypt it once it gets to the wires.

Network Diagram
[Figure: The Net, SomeBigRouter, 192.35.169.128/25, 192.35.164.0/22, IPsec, DNS Server, DHCP, SQUID]

Caveats
† Does not prevent eavesdropping out on the Internet.
† Traffic to/from the local subnet may not be encrypted.
† Does not secure your laptop from attacks (i.e., this is not a firewall).
† We are mainly interested in encryption, not so much in authentication.

Big Picture
† Your IPsec client creates a security association with the IPsec server. We're using pre-shared keys.
† Your laptop gets a secondary IP address, assigned automatically or manually, depending on your operating system.
† Outgoing packets are encrypted if they match an IPsec Security Policy Database (SPD) entry. These contain src/dest addresses and masks, port numbers, etc.
† For Windows XP using L2TP, the security association uses your primary IP address and L2TP port numbers.

Big Picture
† For Linux/BSD/Mac, the security association uses your secondary IP address. Then we use NAT/routing tricks to make outgoing packets have the secondary IP address.
† The ...
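An added example (not from the slides) modelling the SPD lookup the Big Picture slide describes: each entry carries src/dest prefixes and an optional port, and an outgoing packet is encrypted only if it matches one. The prefixes come from the network diagram, but their roles, the laptop's addresses and first-match ordering are assumptions; the third packet below shows why the secondary address must be the source for the policy to apply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed values: the prefixes come from the slides' network diagram,
# but which one is the wireless pool and which the wired "local" subnet,
# and the laptop's addresses, are assumptions made for this example.
WIRELESS_NET = "192.35.169.128/25"   # assumed: secondary (IPsec) addresses
LOCAL_NET = "192.35.164.0/22"        # assumed: wired NANOG subnet
SECONDARY_IP = "192.35.169.200"      # assumed: laptop's IPsec address
PRIMARY_IP = "10.0.0.42"             # assumed: laptop's DHCP address

@dataclass
class SpdEntry:
    src: str                # source prefix (address + mask)
    dst: str                # destination prefix
    dport: Optional[int]    # destination port, None means any
    action: str             # "encrypt" (ESP) or "bypass" (clear)

def matches(entry: SpdEntry, src_ip: str, dst_ip: str, dport: int) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(entry.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(entry.dst)
            and (entry.dport is None or entry.dport == dport))

def spd_lookup(spd: List[SpdEntry], src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action for an outgoing packet. Entries are tried in
    order and the first match wins (assumed ordering; real stacks use
    priorities). No match means the packet is sent in the clear."""
    for entry in spd:
        if matches(entry, src_ip, dst_ip, dport):
            return entry.action
    return "bypass"

# Policy in the spirit of the slides: traffic from the secondary address
# to the local wired subnet stays in the clear (the caveat), everything
# else from the secondary address goes through the ESP tunnel.
NANOG_SPD = [
    SpdEntry(WIRELESS_NET, LOCAL_NET, None, "bypass"),
    SpdEntry(WIRELESS_NET, "0.0.0.0/0", None, "encrypt"),
]

if __name__ == "__main__":
    for src, dst, port in [(SECONDARY_IP, "198.51.100.7", 80),
                           (SECONDARY_IP, "192.35.165.9", 53),
                           (PRIMARY_IP, "198.51.100.7", 80)]:
        print(f"{src} -> {dst}:{port}: {spd_lookup(NANOG_SPD, src, dst, port)}")
```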