Hello all...
I would like to use OpenWRT as a transparent IPSEC bridge, a.k.a. "bump in the wire". I'd like to explore how feasible this is before I go out and buy a couple of WRT54GLs to test :-)
Basically, I want to split a subnet like this:
                   <==== IPSEC ====>
--+-----+------- B1 -------------- B2 --+-----+-----
  |     |               (red)           |     |
 .1    .4                              .2    .6
and perform 'opportunistic' IPSEC tunneling. That is, whenever machine .1 tries to send a datagram to machine .2 (say), the packet arrives at bridge B1. If B1 already has an SA for .2, it IPSEC tunnels it. If B1 doesn't, then it sends out an IKE exchange for .2, which is intercepted by B2, responding on its behalf and negotiating an SA. When the IPSEC traffic arrives at B2 it is untunnelled and delivered transparently.
Any (or most) non-IPSEC traffic arriving on the 'red' interfaces of B1 and B2 can be discarded. Since IPSEC can't secure broadcasts (*), ARP broadcasts will probably have to be allowed through. I can live without other broadcasts. (These are Windows boxes and do unfortunately use NetBIOS to find each other, but I can deal with this, e.g. set up a WINS server instead)
(*) The scenario is not limited to two bridges - it must be possible to add B3, B4 etc, all connecting to the same 'red' network.
What I'm proposing has been done with OpenBSD, as described here: http://www.thought.net/jason/bridgepaper/node9.html
However I'd need some more expensive hardware like a Soekris to run OpenBSD, and besides, OpenBSD doesn't have WPA support yet (yep, I need to integrate wireless with this too :-)
I guess the above might be possible without bridging, using some very nasty proxy-ARP trickery, but I still need the boxes to be able to negotiate SAs *on behalf* of the clients which are behind them. If B1 were to negotiate an SA directly with B2 (for tunnel mode), then B1 would have to learn B2's IP address, and also the fact that machines .2 and .6 are behind B2 and not some other bridge on the network.
I note OpenWRT uses a 2.4.x kernel and has an OpenSWAN package. I'm actually a FreeBSD user normally though. So if anyone has any experience configuring something like that outlined above using the tools included with OpenWRT, I'd be very pleased to hear of it. Equally, explanations of why this is not possible are also appreciated :-)
Oh, and the preferred method of B1 and B2 authenticating to each other is with certificates. I guess I could live with PSK though.
Cheers!
Brian.
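As an added illustration of the behaviour sketched in the post (not code from the post, from OpenWrt or from Openswan), here is a small Python model of the bridges' decision logic: ARP passes through, plaintext arriving on the red side is dropped, a packet with an existing SA is tunnelled, and otherwise the bridge starts a negotiation addressed to the destination host, which the bridge in front of that host intercepts and answers on its behalf. The classes Frame, Bridge and Network and the "IKE"/"ESP" messages are placeholders invented for the model; the sample hosts .1/.4 behind B1 and .2/.6 behind B2 are taken from the post's diagram, and B3 with host .3 is constructed to show a bridge that is not the intended responder.

```python
"""Toy model of the transparent "bump in the wire" IPsec bridges in the post.
Constructed example: it models the policy decisions on each side of a bridge
and the intercept-and-respond step of the negotiation. IKE_INIT/IKE_RESP/ESP
are placeholders, not real IKE or ESP, and nothing here is authenticated."""

from dataclasses import dataclass
import secrets

ARP, IP, ESP, IKE_INIT, IKE_RESP = "ARP", "IP", "ESP", "IKE_INIT", "IKE_RESP"


@dataclass
class Frame:
    proto: str
    src: str            # host the frame is from; bridges are transparent
    dst: str
    payload: object = None


class Network:
    """The shared 'red' segment: every bridge's red port sees every red frame."""

    def __init__(self):
        self.bridges = []
        self.delivered = []   # (bridge name, host, frame) handed to a green side

    def red_broadcast(self, sender, frame):
        for b in self.bridges:
            if b is not sender:
                b.from_red(frame)


class Bridge:
    def __init__(self, name, protected, net):
        self.name, self.protected, self.net = name, set(protected), net
        self.sas = {}       # remote host -> toy key (one SA per remote host)
        self.pending = {}   # remote host -> frames waiting for an SA
        net.bridges.append(self)

    # --- green (trusted) side: frames from the hosts behind this bridge ----
    def from_green(self, frame):
        if frame.proto == ARP:                  # broadcasts cannot be protected: pass
            self.net.red_broadcast(self, frame)
        elif frame.dst in self.protected:       # local traffic never reaches red
            self.net.delivered.append((self.name, frame.dst, frame))
        elif frame.dst in self.sas:             # SA exists: tunnel it
            self.net.red_broadcast(self, self._seal(frame))
        else:                                   # no SA: negotiate on the host's behalf
            self.pending.setdefault(frame.dst, []).append(frame)
            self.net.red_broadcast(self, Frame(IKE_INIT, frame.src, frame.dst))

    # --- red (untrusted) side: frames arriving from the shared segment ------
    def from_red(self, frame):
        if frame.proto == ARP:                  # ARP is let through to green
            self.net.delivered.append((self.name, "broadcast", frame))
            return
        if frame.dst not in self.protected:     # not for our hosts: ignore
            return
        if frame.proto == IKE_INIT:             # intercept IKE aimed at our host
            key = secrets.token_hex(8)          # toy "negotiated" key
            self.sas[frame.src] = key
            self.net.red_broadcast(self, Frame(IKE_RESP, frame.dst, frame.src, key))
        elif frame.proto == IKE_RESP and frame.src in self.pending:
            self.sas[frame.src] = frame.payload
            for queued in self.pending.pop(frame.src):   # flush queued packets
                self.net.red_broadcast(self, self._seal(queued))
        elif frame.proto == ESP:
            inner = self._open(frame)
            if inner is not None:
                self.net.delivered.append((self.name, inner.dst, inner))
        # anything else (plaintext IP, unsolicited IKE_RESP, ESP with no SA) is dropped

    # Toy "ESP": tag the inner frame with the SA key. Real ESP encrypts and
    # authenticates; this only checks that a matching SA exists on receipt.
    def _seal(self, frame):
        return Frame(ESP, frame.src, frame.dst, (self.sas[frame.dst], frame))

    def _open(self, frame):
        key, inner = frame.payload
        return inner if self.sas.get(frame.src) == key else None


if __name__ == "__main__":
    net = Network()
    b1 = Bridge("B1", {".1", ".4"}, net)
    b2 = Bridge("B2", {".2", ".6"}, net)
    b1.from_green(Frame(IP, ".1", ".2", "hello"))
    print(net.delivered)        # the packet arrives at B2's green side
```

The model makes one point of the post concrete: because IKE_INIT is addressed to the destination host rather than to a bridge, B1 never needs to know B2's address or which hosts sit behind it; whichever bridge protects that host answers. It also shows why the bridges must authenticate each other with certificates or a PSK, as the post wants: in the model any box on the red segment could answer an IKE_INIT for .2 and become .1's "peer", so the real negotiation has to bind the responder to an identity before the SA is installed.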