New Zealand ADSL Mailing List


Re: Question for M1122 gurus

From: LEE Tet Yoon <leety_at_ihug.co.nz>
Date: Thu, 06 Apr 2006 07:47:40 +1200
Message-Id: <7.0.0.16.0.20060406072820.08be5ea8@ihug.co.nz>

At 10:27 a.m. 5/04/2006, you wrote:
>Hi,
>
>thanks for all the comments so far, I really appreciate it :)
>
>My idea was to run IPsec instead of PPtP, because the latter seems to have a
>rather bad reputation when it comes to security... (judging by googling for
>"PPtP" and "security").
>
>I'm not an expert for IPsec, but what I understand so far is that IPsec can
>apparently be run in two different modes, one of which is implemented on top
>of TCP/UDP (with some open ports, 50 [and others?]). If I understand things
>right, this is the "transport mode" of IPsec, which is used to connect two
>hosts.
>
>However, I would like to connect two networks, therefore I have the idea of
>using IPsec in its "tunnel mode", which apparently must be set up on the
>border gateways of the two networks.
>
>I couldn't find any specific IPsec support in the M1122's I use in both
>networks, this is one of the reasons why I want to shift the routing task
>into the Firewall boxes that sit behind the M1122's. The other reason is that
>some IPsec implementations (my one among them) seem not to like NAT.
>
>Prior to testing the suggestions I got so far I've got three more questions:
>
>So far, I understand that to get the firewall box behind the M1122 to do the
>PPP connection, I need to switch the connection mode from "PPP over ATM
>(ppp-vc)" to "Local tunneling / PPP over ATM (tunneled-ppp-vc)".
>
>1) Do I also have to enable the "bridging" checkbox or not?
>2) Does the M1122 keep an internal IP address?
>3) Am I correct in setting the network card in the firewall which connects to
>the M1122 to PPPoE?

I don't know of ANY modem/router that allows you to use IPSEC to connect to the modem. Afaik PPtP is used because it is extremely simple since you are more or less just passing the PPP session to the device (computer or whatever). There is a modem that uses some malformed version of PPPoE but this is not any more secure than PPtP.

Half bridging is the alternative method, not supported by the M1122 but supported by some others including IIRC DSE and Alcatel 530 (which also supports PPtP). However again, it is not any more secure and in fact I have heard that buggy implementations may make it less secure in that there might be a possibility someone can be half bridging from a remote location.

In countries where PPPoE is supported, you can put your modem/router into full bridging mode and use your computer/whatever to establish the PPPoE connection but again, this is not any more secure.

There are other options but most have the same issue since generally speaking, your equipment should be secure. As Steve has mentioned if the cable between your computer/whatever and M1122 is a potential security risk, you probably need to reconsider your set up. Bear in mind with the M1122 all someone has to do is to connect a special serial cable to your modem and they can get full access. Indeed, in most cases if someone has physical access to your modem/router they could potentially gain full access. I believe you're intending to set up your computer as a router in which case bear in mind that unless you set up your computer with full hard disk encryption, it would be easy to gain full access regardless of whether you use IPsec or not. Generally speaking you should not expect great security if someone has physical access to your computer unless you set everything up very carefully. Even less so with a router/modem probably...

Personally, I'm with Steve. Rather than going about a round-about way, just secure your computer/whatever and M1122 for heaven's sake. Lock it up in a room, kick out the dodgy flat mates/kids/partner. Whatever.

As for your other questions:

1) Bridging should not be used.
2) Yes, otherwise how does your computer connect to it? Generally speaking you should assign the M1122 an IP address on a different subnet to your main LAN. See below for how my arrangement is set up.
3) No. The M1122 uses PPtP not PPPoE.

My set up (and the recommended set up) is as follows:

M1122<>computer router<>LAN

Note that the computer router connects to the M1122 on a different network card from the LAN. I.e. you should have 2 network cards in your computer. Each should be on a different subnet. You can use a 10mbit network card for the M1122 since the M1122 only has a 10mbit network port anyway.

--
This message is part of the NZ ADSL mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to majordomo@lists.unixathome.org
with "unsubscribe adsl" in the body of the message
Received on Thu Apr 6 07:47:42 2006
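Added example, not part of the original post or of any M1122 documentation: a toy Python model of the two IPsec modes the original question asks about, and of why some IPsec setups fail behind NAT. For the record, ESP is IP protocol 50 and AH is IP protocol 51 (protocol numbers, not TCP/UDP ports); IKE runs over UDP port 500 and NAT-traversal (NAT-T) wraps ESP in UDP port 4500. The code below does NOT implement the real AH/ESP wire format: it uses a 10-byte stand-in for the IPv4 header and an HMAC-SHA256 in place of AH's integrity check value (ICV). All addresses, keys and payloads are constructed sample values.

```python
"""Toy model of IPsec transport vs tunnel mode and of AH-style integrity
checking across NAT. Simplified for illustration; not a real IPsec stack."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

IPPROTO_AH = 51   # AH's IP protocol number (ESP is 50); these are not ports


@dataclass
class IPv4Header:
    """Stand-in for an IPv4 header: only the fields this example needs."""
    src: str
    dst: str
    proto: int
    ttl: int = 64

    def pack(self, zero_mutable: bool = False) -> bytes:
        # AH computes its ICV with mutable fields (TTL, checksum, ...) zeroed,
        # because routers legitimately change them in transit. Source and
        # destination addresses are immutable and ARE covered by the ICV,
        # which is exactly why a NAT rewriting the source address breaks AH.
        ttl = 0 if zero_mutable else self.ttl
        return (struct.pack("!BB", ttl, self.proto)
                + socket.inet_aton(self.src) + socket.inet_aton(self.dst))


def ah_icv(key: bytes, hdr: IPv4Header, payload: bytes) -> bytes:
    """HMAC over the immutable header fields plus payload (AH-like ICV)."""
    return hmac.new(key, hdr.pack(zero_mutable=True) + payload,
                    hashlib.sha256).digest()


def verify(key: bytes, hdr: IPv4Header, icv: bytes, payload: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def transport_mode(key, src, dst, payload):
    """Host-to-host: the original header is kept, only the payload is wrapped."""
    hdr = IPv4Header(src, dst, IPPROTO_AH)
    return hdr, ah_icv(key, hdr, payload), payload


def tunnel_mode(key, gw_src, gw_dst, inner_hdr, payload):
    """Gateway-to-gateway: the whole inner packet becomes the outer payload."""
    inner = inner_hdr.pack() + payload
    outer = IPv4Header(gw_src, gw_dst, IPPROTO_AH)
    return outer, ah_icv(key, outer, inner), inner


def decapsulate(inner_bytes: bytes):
    """Far gateway unwraps the outer packet and recovers the inner header."""
    ttl, proto = struct.unpack("!BB", inner_bytes[:2])
    src = socket.inet_ntoa(inner_bytes[2:6])
    dst = socket.inet_ntoa(inner_bytes[6:10])
    return IPv4Header(src, dst, proto, ttl), inner_bytes[10:]


def nat_rewrite_source(hdr: IPv4Header, public_ip: str) -> IPv4Header:
    """What a NAT box does on the way out: replace the private source address."""
    return IPv4Header(public_ip, hdr.dst, hdr.proto, hdr.ttl)


def demo() -> dict:
    key = b"constructed-shared-key"      # constructed sample key
    payload = b"hello"                   # constructed sample payload
    # Transport mode from a private host, as seen by the remote peer.
    hdr, icv, body = transport_mode(key, "192.168.1.10", "203.0.113.5", payload)
    after_router = IPv4Header(hdr.src, hdr.dst, hdr.proto, hdr.ttl - 1)  # TTL hop
    after_nat = nat_rewrite_source(hdr, "198.51.100.7")                  # NAT hop
    # Tunnel mode between two gateways with public addresses; the private
    # inner addresses ride inside and are never rewritten.
    inner = IPv4Header("192.168.1.10", "192.168.2.20", 6)  # TCP inside
    outer, icv2, body2 = tunnel_mode(key, "203.0.113.1", "203.0.113.2", inner, payload)
    inner_hdr, inner_payload = decapsulate(body2)
    return {
        "transport_ok": verify(key, hdr, icv, body),
        "transport_after_ttl_decrement": verify(key, after_router, icv, body),
        "transport_after_nat": verify(key, after_nat, icv, body),
        "tunnel_ok": verify(key, outer, icv2, body2),
        "inner_src": inner_hdr.src,
        "inner_dst": inner_hdr.dst,
        "inner_payload": inner_payload,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The model shows the point the original question circles around: a TTL decrement by an ordinary router does not disturb the check, but a NAT box rewriting the source address does, so AH in transport mode cannot survive NAT; putting the IPsec endpoint on the border gateway (tunnel mode), as the question proposes, keeps the private addresses inside the protected payload where NAT never touches them. ESP avoids covering the outer header but hides the TCP/UDP ports a NAT needs, which is what NAT-T's UDP 4500 encapsulation exists to fix.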

This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:34 2006 EST