VPN over Wireless Connections: DrayTek's Approach to Increase Security for Wireless LAN

1. Security and management concerns for wireless connections

     Even before wireless networks became popular, their security and protection were frequently questioned. With any of several freely downloadable tools, e.g. AirSnort, crackers can break into wireless LANs without much difficulty.
     The main security risks come from the WEP encryption scheme. Every WEP packet is encrypted with an RC4 cipher stream generated from an encryption key. This encryption key is made up of a 24-bit initialization vector (IV) and either a 40-bit or 104-bit WEP key, depending on the key length type.

     In a connection with WEP enabled, the 24-bit initialization vector is sent in plain text with the encrypted packet, so any cracker can easily see that part of the encryption key. Of all the possible IVs, approximately 9000 are weak ones; they provide additional clues about the total encryption key stream and make cracking WEP easier.

     A temporary remedy for this weakness in WEP is to change the WEP key frequently. Generally the key should be changed at least once a week for small office users, and more often for larger networks. However, the design of WEP does not take key management into consideration: all WEP keys have to be edited manually every time a WEP key change is required, and the change has to be made in every device in the network, including access points, PCMCIA cards, PCI cards, etc.
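     The key construction and IV exposure described above, as an added Python example (not DrayTek's code or the Vigor firmware): it builds the per-packet RC4 seed IV || WEP key, shows the IV travelling in the clear ahead of the payload, shows that reusing an IV leaks the XOR of two plaintexts without the key, and computes the birthday bound on the 24-bit IV space. The sample IV, key and payloads are constructed values.

```python
import math

SAMPLE_IV = b"\x01\x02\x03"   # constructed 24-bit IV
SAMPLE_KEY = b"A" * 5         # constructed 40-bit WEP key ("64-bit WEP")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA); WEP seeds it with IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_packet_key(iv: bytes, wep_key: bytes) -> bytes:
    """Per-packet RC4 seed: the 24-bit IV prepended to the 40- or 104-bit key
    (marketed as 64-bit and 128-bit WEP respectively)."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits (3 bytes)")
    if len(wep_key) not in (5, 13):
        raise ValueError("WEP key must be 40 bits (5 bytes) or 104 bits (13 bytes)")
    return iv + wep_key


def wep_frame_body(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """The IV goes in the clear in front of the RC4-encrypted payload
    (the CRC-32 ICV that real WEP appends is omitted here)."""
    ks = rc4_keystream(wep_packet_key(iv, wep_key), len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_of_plaintexts_from_iv_reuse(iv, wep_key, p1, p2):
    """Two frames sent under the same IV share a keystream, so XORing the two
    ciphertexts cancels it and yields p1 XOR p2 without knowing the key."""
    c1 = wep_frame_body(iv, wep_key, p1)[3:]
    c2 = wep_frame_body(iv, wep_key, p2)[3:]
    return bytes(a ^ b for a, b in zip(c1, c2))


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before some IV repeats with probability p.
    A few thousand frames is seconds to minutes on a busy 802.11b network,
    far short of the weekly key rotation suggested above."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))
```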

2. 802.1X and WPA

     The introduction of 802.1X authentication provides a remedy for key management. Nevertheless, the deployment of 802.1X requires a RADIUS server, making it impractical for ordinary SOHO users. Also, 802.1X only works with Windows XP, but not with other commonly used operating systems such as Windows 2000 or Windows Millennium.

     WPA (Wireless Protected Access) is an interim standard agreed by some key wireless vendors before the 802.11i standard is ratified. However, WPA still has its own problem, the Michael vulnerability: when two packets of unauthorized data are sent during a one-second period, the system assumes it is under attack and shuts itself down. Therefore, a cracker can send a large number of unauthorized packets and trigger an ongoing series of shutdowns. WPA is therefore vulnerable to a DoS attack, and this is a significant threat to the reliability of the network in a hostile environment.

3. VPN over wireless connection

     Another approach to alleviating WEP security concerns is to deploy VPN over wireless connections. In this way DrayTek has incorporated the wireless method into their superior VPN connectivity.

     As an example, an L2TP/IPsec over wireless connection can be set up as below:

     Assume that the wireless clients are connected to the Vigor wireless router via a secure and reliable type of tunnel, L2TP over IPsec. The user then uses 40-bit WEP to further enhance security, i.e., WEP plus VPN. In general, 128-bit WEP is not recommended due to the security concerns discussed above, and VPN is far superior to 128-bit WEP in terms of security.

     The number of VPN over WLAN tunnels is included in the total possible VPN tunnels: 16 for the Vigor 2300, 8 for the Vigor 2600, 32 for the Vigor 2900 routers. In all, 64 access control profiles can be set.

4. Configuration procedure

     This section describes setup procedures for the various VPN protocols.

     4.1 Establish a PPTP tunnel from a WinXP PC to the Vigor router over a wireless connection in the same LAN.

     4.1.1 VPN server (Vigor router) setting

     a. Select 64-bit WEP for the wireless connection.

     b. Select Wireless LAN Setup > Access Control.

     c. Tick "Enable Access Control".

     d. Enter the MAC address of the wireless NIC, tick "Must use VPN over WLAN", and click "Add".

     e. Enter the VPN server IP address for WLAN, and click "OK".

     f. From the main menu, select VPN and Remote Access Setup > Remote Access User Setup (Tele-worker).

     g. Tick "Enable this account".

     h. Select PPTP.

     i. Enter the username and password.

     j. Click "OK" to complete setup of the wireless connection at the Vigor router.

     k. From the main menu, select System Management > VPN Connection Management, dial (i.e. make the connection) and check the connection status. The green text shows the status of the connection.

     4.1.2 Client setting

     a. In the client PC, type a network name for the SSID and select either 40-bit or 64-bit WEP for the wireless connection.

     b. Release or renew the IP address to check that the wireless interface has obtained the correct IP address and the subnet mask 255.255.255.252.

     c. Download DrayTek's Smart VPN Client tool from the link:
     http://support.draytek.com.tw/download/download.php; select your router code and download the respective VPN tool. Install the downloaded tool on the PC.

     d. From the Start menu, click All Programs -> Smart VPN Client.

     e. Click "Configure" and restart the computer.

     f. Click Setup.

     g. Type the VPN server's IP, username, and password. Select PPTP and click "OK".

     h. Click "Connect" to establish the dial-in connection.

     4.2 Establish an IPsec tunnel from a WinXP PC to the Vigor router over a wireless connection in the same LAN.

     4.2.1 Server (Vigor router) setting

     a. Select 64-bit WEP for wireless connections on the Vigor router.

     b. In the web configuration page, select Wireless LAN Setup > Access Control.

     c. Tick "Enable Access Control".

     d. Enter the MAC address of this wireless NIC, tick "Must use VPN over WLAN" and click "Add".

     e. Enter the VPN server IP address for WLAN, and then click "OK".

     f. From the web configuration page, select VPN and Remote Access Setup > Remote Access User Setup (Tele-worker).

     g. Tick "Enable this account".

     h. Select "IPsec Tunnel".

     i. Click "OK".

     j. From the web configuration page, select VPN and Remote Access Setup > VPN IKE/IPsec General Setup.

     k. Enter the "IKE Pre-Shared Key".

     l. Select an IPsec security method.

     m. Click "OK" to complete the setup so the specified user can dial (make a connection) in to the Vigor router over a wireless connection.

     n. Select System Management > VPN Connection Management and select the tunnel to "dial" into. The green text then shows the status of the VPN connection.

     4.2.2 Client setting

     a. At the client PC, configure the SSID and use either 40-bit or 64-bit WEP for the wireless connection.

     b. Release or renew the IP address to check that the wireless interface has obtained the correct IP address and the subnet mask 255.255.255.252.

     c. Download DrayTek's Smart VPN Client tool from this link:
     http://support.draytek.com.tw/download/download.php; select your router code and download the respective VPN tool. Install the downloaded tool on the PC.

     After the installation is finished:

     d. From the Start menu, click All Programs -> Smart VPN Client.

     e. Click "Configure" and restart the computer.

     f. Click Setup.

     g. Type the VPN server's IP, select IPsec Tunnel and click "OK".

     h. Select "My IP", and type both the remote subnet and the remote subnet mask as 0.0.0.0. Select "Security Method" and type the pre-shared key.

     i. Click "Active".

     j. Open the DOS command prompt and perform a ping (e.g., to a DNS server) to trigger the IPsec tunnel. The dial-in connection is established when the ping is successful.

     4.3 Establish an L2TP over IPsec tunnel from a WinXP PC to the Vigor router over a wireless connection in the same LAN.

     4.3.1 VPN server (Vigor router) setting

     a. Select 64-bit WEP for the wireless connection.

     b. Select Wireless LAN Setup > Access Control.

     c. Tick "Enable Access Control".

     d. Enter the MAC address of the wireless NIC, tick "Must use VPN over WLAN", and click "Add".

     e. Enter the VPN server IP address for WLAN, and click "OK".

     f. From the main menu, select VPN and Remote Access Setup > Remote Access User Setup (Tele-worker).

     g. Tick "Enable this account".

     h. Select L2TP with IPsec policy and select "Must".

     i. Enter the username and password.

     j. Click "OK" to complete setup of the wireless connection at the Vigor router.

     k. From the main menu, select VPN and Remote Access Setup > VPN IKE/IPsec General Setup.

     l. Type the IKE pre-shared key.

     m. Select the IPsec security method.

     n. Click "OK".

     o. From the main menu, select System Management > VPN Connection Management, dial (i.e. make the connection) and check the connection status. The green text shows the status of the connection.

     4.3.2 Client settings

     a. In the client PC, type a network name for the SSID and select either 40-bit or 64-bit WEP for the wireless connection.

     b. Release or renew the IP address to check that the wireless interface has obtained the correct IP address and the subnet mask 255.255.255.252.

     c. Download DrayTek's Smart VPN Client tool from this link:
     http://support.draytek.com.tw/download/download.php. Select your router code and download the respective VPN tool. Install the downloaded tool on the PC.

     After the installation is finished:

     d. From the Start menu, click All Programs -> Smart VPN Client.

     e. Click "Configure" and restart the computer.

     f. Click Setup.

     g. Type the VPN server's IP, username, and password. Select L2TP over IPsec and click "OK".

     h. Select "My IP". Select the security method and enter the pre-shared key.

     i. Click "Connect" to establish the dial-in connection.
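     The access-control settings in steps b to e of each server-side procedure (the MAC profile, "Must use VPN over WLAN", the VPN server IP address for WLAN, and the 64-profile limit from section 3) modelled as an added Python example. This is not DrayTek's code and is a simplified policy model, not the router's implementation; the MAC addresses and server IP are constructed values.

```python
from dataclasses import dataclass, field

MAX_PROFILES = 64   # access control profile limit stated in section 3

# Constructed sample values standing in for what an administrator would type.
SAMPLE_VPN_SERVER_IP = "192.168.1.1"
SAMPLE_CLIENT_MAC = "00-11-22-33-44-55"


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55; return lower-case colon form."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class WlanAccessControl:
    enabled: bool                 # "Enable Access Control" (step c)
    vpn_server_ip: str            # "VPN server IP address for WLAN" (step e)
    profiles: dict = field(default_factory=dict)   # mac -> must_use_vpn flag

    def add_profile(self, mac: str, must_use_vpn: bool) -> None:
        """Step d: register a wireless NIC and its 'Must use VPN over WLAN' flag."""
        mac = normalize_mac(mac)
        if mac not in self.profiles and len(self.profiles) >= MAX_PROFILES:
            raise ValueError("all %d access control profiles are in use" % MAX_PROFILES)
        self.profiles[mac] = must_use_vpn

    def decide(self, src_mac: str, dst_ip: str) -> str:
        """Verdict for a frame from a wireless client: 'allow' or a 'deny: ...' reason."""
        if not self.enabled:
            return "allow"
        must_use_vpn = self.profiles.get(normalize_mac(src_mac))
        if must_use_vpn is None:
            return "deny: MAC not in access control list"
        if must_use_vpn and dst_ip != self.vpn_server_ip:
            # Tunnelled traffic is encapsulated towards the VPN server, so a
            # frame addressed anywhere else is cleartext and is dropped.
            return "deny: must use VPN over WLAN"
        return "allow"


def build_sample_policy() -> WlanAccessControl:
    """Policy as configured by steps b to e, using the constructed values above."""
    ac = WlanAccessControl(enabled=True, vpn_server_ip=SAMPLE_VPN_SERVER_IP)
    ac.add_profile(SAMPLE_CLIENT_MAC, must_use_vpn=True)
    return ac
```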

Copyright (c) 2004, DrayTek Corp. All rights reserved.