WAVEsec Base Station setup checklist

The base station must be set up by the conference organizers. Notebook users need not concern themselves with these details.

WAVEsec requirements

You will need:

  • Routable IPs for your network. These may be extruded from another site.
  • Control over reverse DNS for these IPs.
  • One or more machines running Linux, to serve as your WAVEsec base station.
    • Our instructions are for Red Hat 7 or 8.
    • For many purposes one Linux box can hold all the WAVEsec base station components (Internet router, IPsec server, DHCP server, DNS server). However, to fill a large pipe, you may want more hardware. Use these FreeS/WAN performance numbers as a guide.
  • Advanced routing (i.e. iproute2) on your IPsec server.
  • Some WAVEsec clients who'll be running Linux FreeS/WAN.

Inline or appendix mode?

If you can place your WAVEsec base station in the path between the local net and the Internet, do so. We call this "Inline Mode" WAVEsec, and our instructions are geared to this. Otherwise, you will need to use appendix mode, which is not yet fully documented.

Checklist

  1. Install your Internet router.
  2. Set up and test local DNS for the reverse domain.
  3. Install and configure a DHCP server patched with a special option.
  4. Install and configure FreeS/WAN IPsec, upload its keys to DNS, and test this.
  5. Create a sample client and test the whole thing.
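A check for steps 2 and 4 above, added here as an example and not taken from the WAVEsec documentation: it queries the reverse name of each address in the WAVEsec pool for its PTR record and for the FreeS/WAN KEY record, and reports the case listed under known issues where the KEY was injected but the PTR record was lost. It assumes BIND's `dig` is installed; the address pool is a constructed example.

```shell
#!/bin/sh
# Added check (not from the WAVEsec docs): after checklist steps 2 and 4, query
# the reverse map for each IP in the WAVEsec pool and report whether the PTR
# record and the FreeS/WAN KEY record are both present. Requires BIND's dig.

# Dotted-quad IPv4 address -> in-addr.arpa name.
reverse_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Short answer for record type $2 at name $1 (wrapper so it can be swapped out).
lookup() {
    dig +short -t "$2" "$1" 2>/dev/null || true
}

# Exit status: 0 PTR+KEY present; 1 KEY missing (key not uploaded / dhcpd not
# injecting); 2 KEY present but PTR gone (the known dhcpd injection problem);
# 3 no reverse DNS at all for this address.
check_ip() {
    name=$(reverse_name "$1")
    ptr=$(lookup "$name" PTR)
    key=$(lookup "$name" KEY)
    if [ -n "$ptr" ] && [ -n "$key" ]; then return 0
    elif [ -n "$ptr" ]; then return 1
    elif [ -n "$key" ]; then return 2
    fi
    return 3
}

# One report line per address in the pool.
check_pool() {
    for ip in "$@"; do
        status=0
        check_ip "$ip" || status=$?
        case $status in
            0) echo "$ip: ok" ;;
            1) echo "$ip: PTR present, KEY missing" ;;
            2) echo "$ip: KEY present but PTR lost (dhcpd injection issue)" ;;
            *) echo "$ip: no reverse DNS" ;;
        esac
    done
}
```

Run it against the pool after step 4 (for example `check_pool 192.0.2.10 192.0.2.11`, a constructed pool) and again after a client has obtained a lease, so that a lost PTR shows up as a status-2 line rather than as a failed tunnel later.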

Known issues

  • WAVEsec cannot coexist with Opportunistic Encryption. This is true both on the WAVEsec base station and on the notebooks. Reason: in choosing the outgoing packet path, two eroutes conflict, and neither connection works. Passive OE may not cause the same problems.
  • In inline mode, IPs once used for WAVEsec are not recycled cleanly. In particular, the IPsec tunnel remains routed from the server's perspective. For this reason, once you have set up WAVEsec on your laptop, you must continue to use it. The problem has several unimplemented potential solutions.
  • Our patches to dhcpd and dhclient break dhrelay. We're working on fixing this.
  • When dhcpd injects the client's key into the reverse map DNS, the existing PTR record is lost. We don't yet know why. We should fix this.
  • We're not sure whether we can stop and start Bind and dhcpd on our servers without losing some state.
  • Appendix mode is complex and not fully documented.