
let's say i have two office spaces in a multi-tenant building. landlord was kind enough to provide me with copper cat 6 cable connecting both of the disjoint spaces.

i could just attach network switches at both ends and create a flat L2 network. but i'd like to be sure that other tenants cannot easily tap into the cable and eavesdrop on the traffic passing between two of my offices.

what solution would you propose here? ideally it should provide transparent L2 connectivity and handle a few hundred Mbit/s. i'd prefer off-the-shelf devices that can be easily replaced.

with encrypted home-plug gear or wireless access points providing wpa2-psk, it seems like the encryption hardware is available.

some of my ideas:

  • use proper hardware ethernet encryption device like this; unfortunately those seem to be quite expensive
  • put two linux servers on both ends of the connection and run openvpn on them to provide transparent l2 bridge with encryption of traffic crossing the 'untrusted' segment

thanks for any suggestions!

pQd
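The OpenVPN-bridge idea from the question, worked through as an added example (this is not code from the thread or from the OpenVPN project). It assumes a Linux box at each office with eth0 facing the office switch and eth1 on the landlord's cable; the two eth1 ports get a private /30 used only by the tunnel endpoints, and a static key made once with "openvpn --genkey secret static.key" is copied to both boxes out of band. Interface names, addresses and paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN in "tap" mode bridged to the
# office LAN NIC, so Ethernet frames (802.1Q tags included) cross the
# landlord's cable inside an encrypted UDP tunnel.
# Assumed layout: eth0 = office LAN side, eth1 = untrusted cable.
set -eu

OUT_DIR=${OUT_DIR:-/etc/openvpn}   # assumed config location

# Echo instead of executing when DRY_RUN=1, so the script can be inspected
# on a machine without the NICs or root.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

is_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Print the OpenVPN config for one end. Static-key (--secret) mode is
# point-to-point only, which is exactly this topology; AEAD ciphers need
# TLS mode, so AES-256-CBC with HMAC-SHA256 is used here.
gen_openvpn_conf() {
  local_ip=$1 remote_ip=$2
  is_ipv4 "$local_ip" && is_ipv4 "$remote_ip" || { echo "bad IPv4 address" >&2; return 1; }
  [ "$local_ip" != "$remote_ip" ] || { echo "local and remote must differ" >&2; return 1; }
  cat <<EOF
# Transparent L2 link between the two offices (generated)
dev tap0
proto udp
local $local_ip
remote $remote_ip 1194
port 1194
secret $OUT_DIR/static.key
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
script-security 2
up $OUT_DIR/bridge-up.sh
EOF
}

# OpenVPN runs the up script with the tap device name as $1 once it exists;
# the script only attaches tap0 to the bridge.
gen_bridge_up() {
  cat <<'EOF'
#!/bin/sh
# $1 is the tap device name passed by OpenVPN
ip link set "$1" up
ip link set "$1" master br0
EOF
}

# One-time host setup: bridge the LAN NIC, address the untrusted NIC,
# write the config and the up script. The bridge itself gets no IP.
install_l2_link() {
  lan_if=$1 untrusted_if=$2 local_ip=$3 remote_ip=$4
  run ip link add br0 type bridge
  run ip link set "$lan_if" master br0
  run ip link set br0 up
  run ip addr add "$local_ip/30" dev "$untrusted_if"
  run ip link set "$untrusted_if" up
  mkdir -p "$OUT_DIR"
  gen_openvpn_conf "$local_ip" "$remote_ip" > "$OUT_DIR/l2link.conf"
  gen_bridge_up > "$OUT_DIR/bridge-up.sh"
  chmod 0755 "$OUT_DIR/bridge-up.sh"
  chmod 0600 "$OUT_DIR/l2link.conf"   # the conf names the key file; keep it private
}

# Office A: install_l2_link eth0 eth1 10.255.255.1 10.255.255.2
# Office B: install_l2_link eth0 eth1 10.255.255.2 10.255.255.1
if [ $# -eq 4 ]; then install_l2_link "$@"; fi
```

Start it with "openvpn --config /etc/openvpn/l2link.conf" on both ends. Each frame picks up tunnel overhead on eth1, so either raise the MTU on the two cable-facing NICs or accept fragmentation there; and since one OpenVPN process is single-threaded, the few hundred Mbit/s target depends on per-core CPU speed, which is worth measuring before buying hardware.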

2 Answers


I see two ideas.

  • The first is like your OpenVPN idea: treat your line like a normal WAN link and put a router there to do a site-to-site VPN.

  • Second idea, I have never used it, but I would try MACsec between the two switch uplinks:

MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. The Catalyst 4500 series switch supports 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host devices. The switch also supports MACsec link layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional).

Cisco TrustSec Switch-to-Switch Link Security Configuration Example

This example shows the configuration necessary for a seed and non-seed device for Cisco TrustSec switch-to-switch security. You must configure the AAA and RADIUS for link security. In this example, ACS-1 through ACS-3 can be any server names and cts-radius is the Cisco TrustSec server.

yagmoth555
  • MACsec sounds exactly like something i'm looking for. too bad i don't have compatible devices on either end at the moment. – pQd Sep 28 '16 at 14:31
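The answer quotes Cisco's switch-side MACsec, but a plain Linux host can also terminate an IEEE 802.1AE link with the kernel's MACsec driver and iproute2's "ip macsec", which is what the comment above was missing. The following is an added example, not code from the thread or from any vendor: it brings up a static-key MACsec link (no MKA, no RADIUS) on one Linux box and bridges it with the office LAN NIC. Assumed names: eth1 faces the landlord's cable, eth0 the office switch, PEER_MAC is the other box's eth1 address, and the two 16-byte GCM-AES-128 keys are generated locally (for instance "openssl rand -hex 16") and exchanged out of band, with each side's transmit key being the other side's receive key.

```shell
#!/bin/sh
# Added example (not from the thread): static-key MACsec (IEEE 802.1AE)
# between two Linux hosts using "ip macsec", bridged for transparent L2.
# Assumed layout: eth1 = untrusted cable, eth0 = office LAN.
set -eu

# Echo instead of executing when DRY_RUN=1 (inspect/test without root or NICs).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# GCM-AES-128 needs exactly 16 bytes = 32 hex digits; a wrong length is the
# usual reason "ip macsec add" rejects a key.
is_hex_key() {
  [ ${#1} -eq 32 ] || return 1
  case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
  return 0
}

is_mac() { printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; }

# Create macsec0 on top of the untrusted NIC with encryption mandatory,
# install our transmit SA and the peer's receive SA, then put the LAN NIC
# and macsec0 into one bridge so every frame crosses the cable encrypted.
#   usage: macsec_up UNTRUSTED_IF LAN_IF PEER_MAC TX_KEY RX_KEY
macsec_up() {
  untrusted_if=$1 lan_if=$2 peer_mac=$3 tx_key=$4 rx_key=$5
  is_hex_key "$tx_key" && is_hex_key "$rx_key" || { echo "keys must be 32 hex digits" >&2; return 1; }
  is_mac "$peer_mac" || { echo "bad peer MAC: $peer_mac" >&2; return 1; }

  run ip link set "$untrusted_if" up
  # "encrypt on": frames are encrypted, not merely integrity-protected
  run ip link add link "$untrusted_if" macsec0 type macsec encrypt on
  # Transmit secure association 0, key id 01, packet number starts at 1
  run ip macsec add macsec0 tx sa 0 pn 1 on key 01 "$tx_key"
  # Receive secure channel for the peer (default port 1), then its SA 0
  run ip macsec add macsec0 rx port 1 address "$peer_mac"
  run ip macsec add macsec0 rx port 1 address "$peer_mac" sa 0 pn 1 on key 02 "$rx_key"
  run ip link set macsec0 up

  # Transparent L2: bridge the office LAN NIC with the MACsec interface.
  # The bridge carries no IP address; tagged frames pass through unchanged.
  run ip link add br0 type bridge
  run ip link set "$lan_if" master br0
  run ip link set macsec0 master br0
  run ip link set br0 up
}

# Office A: macsec_up eth1 eth0 <B's eth1 MAC> <A tx key> <B tx key>
# Office B: macsec_up eth1 eth0 <A's eth1 MAC> <B tx key> <A tx key>
if [ $# -eq 5 ]; then macsec_up "$@"; fi
```

Two caveats that MKA would otherwise handle for you: the static keys never rotate on their own, and each secure association carries a 32-bit packet number, so at a few hundred Mbit/s the SA has to be replaced with a fresh key before that counter wraps. Throughput is whatever the NICs and CPU give you for AES-GCM; unlike the OpenVPN tunnel there is no UDP/IP encapsulation, so the frame MTU is almost unchanged.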

I would use pfSense https://www.pfsense.org on both sides to establish an IPsec or OpenVPN tunnel. pfSense is OSS, easy to use, and you can also buy specialised devices, professional support or even use it in a hypervisor.

A very minimal device is available at https://www.pfsense.org/products/ with two Ethernet ports for US$150 each.

We use pfSense in a VMware hypervisor to provide a captive portal for our guest WiFi and it works very well.

sapl
  • The less expensive RouterBoards (like [this one](https://routerboard.com/RB951G-2HnD)) would also offer the same functionality, for half the price. As an added bonus, it's possible to power it over PoE, it has more ports and a WiFi AP, if that's of any use to you. – GregL Sep 28 '16 at 14:24
  • @GregL - what performance could the RouterBoard offer? up to my knowledge mikrotik still has openvpn with only tcp transport - which makes it pretty much unusable; is there any other encryption mechanism they offer? would it be able to transport tagged vlans? – pQd Sep 28 '16 at 14:28
  • The one linked claims it'll saturate a 1Gbps link with full frames, but obviously adding encryption on that link will lower the throughput. In addition to OpenVPN, it does a pile of other tunneling/encryption protocols, at least one of which is Mikrotik-specific. The full list is [here](http://wiki.mikrotik.com/wiki/Manual:Interface), on the left side along with all the other `interface` sub-commands. – GregL Sep 28 '16 at 14:34
  • You're right though, MT doesn't support OpenVPN in UDP mode. – GregL Sep 28 '16 at 14:36