Encrypt all traffic over wireless P2P link w/vlan

I’ve been reading lots of documentation on what people have done to achieve this but most of them are for links over the internet.

I have a store with two buildings across the street from each other and I have SXT Lite5 radios on each side, working great. But now the store is updating their tills and server, and the franchise who are providing them with the new system are asking that the traffic going between the radios be encrypted. They are also wanting the link to support VLANs so their credit card keypads can be on VLAN 2 and the rest be on the native VLAN.

If someone could point me to the right direction or suggest how I should configure this it would be greatly appreciated.

Thank You
Rej

Create an L2TP link between the two panels. Route traffic from the LAN over this instead of the WLAN. It will actually be over the WLAN but using L2TP, which is encrypted. Create VLAN 2 with id 2 using L2TP on both routers. Any VLAN 2 traffic entering one panel will be accessible on the other panel. Creating a VLAN or L2TP will be handled like any LAN or WLAN interface. Routing traffic through them will either encrypt it or treat it as VLAN. Lots of setup examples on L2TP and VLAN on Google.

Have they given a description of the minimum encryption required?

Note that L2TP is not encrypted - it needs something else (e.g. IPSec) to provide that.

Yes they did… they were hoping for 4096-bit encryption. I did create an L2TP and set up IPsec. I tried to send the traffic across but nothing was going across. I set up a 0.0.0.0 route to go across the L2TP link and still nothing. And I’m sure the IPsec wasn’t set up properly, but I wanted to ask the forum before I got too far to see if I was going in the right direction.

Right, I have a bridge between the LAN and WAN ports and have the IP address of the units assigned to the bridge. Should the LAN and WAN have their own IP addresses, and what address would I connect the L2TP connection to?

Thanks

If they are talking 4096 bits they are probably talking about asymmetric key encryption. You would not want to use asymmetric for the main throughput - too slow. Generally symmetric key systems are faster and give equivalent protection with far shorter keys. So the real question is what method is acceptable for the link data itself - not the size of keys used to authenticate the link. E.g. with AES you could use 128, 192 or 256 bit keys.

I think you need to identify what needs to be achieved. If you want to bridge VLANs then you could use a wireless method which supports VLANs directly and encrypt that traffic using WPA2/AES.

If that isn’t acceptable you could make use of IPSec, but note that you would most likely be using AES as the encryption on IPSec anyway… Since IPSec operates on IP links you would then have to overlay layer 2 on the secured IP channel.

At the moment I am a bit suspicious that the info you have been given is incomplete and erroneous. Whoever said they want 4096 bit encryption on a point to point is thinking SSL/TLS which is not what you want for the encryption phase on a layer 2 point to point.

The main thing they want is the traffic across the link to be encrypted and being able to support VLANs. He was also asking if I could set up the wireless authentication with a 4096-bit SSL/TLS certificate instead of WPA2 AES, and if I can’t I would have to change the passkey every 90 days.

After reading more online about the differences between AES and other encryption methods, I’m guessing they are using the RSA SSL/TLS key level as a reference point.

I’m hoping having nv2 and the traffic encrypted with AES-256 is probably more secure than RSA-4096? I need to call him back this week and find out where they are getting this 4096 from.

You can certainly use TLS certificates (instead of a pre-shared key) to initiate the secured WiFi bridge. Subsequently the system will use a symmetric method (e.g. AES) to encrypt the bulk data flow so you still need to know what method/key length is acceptable there. A similar situation would arise using IPSec.
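The two approaches the replies converge on (a bridged link that carries VLANs natively, encrypted with WPA2/AES, and optionally authenticated with TLS certificates instead of a pre-shared key rather than rotating a passkey) can be expressed as one RouterOS configuration. The following is an added example written for this page, not config from the thread or from MikroTik's documentation. It assumes the SXT Lite5 radios run RouterOS 6.41 or later (bridge VLAN filtering), that the wired port towards the tills is `ether1`, the radio is `wlan1`, the bridge is `bridge1`, and that the SSID, pre-shared key, certificate name and management address shown are placeholders to replace. It configures one side; the far side is the same with `mode=station-bridge` instead of `mode=bridge`.

```routeros
# Added example, not the thread's or MikroTik's own config. One side of a
# bridged point-to-point link on RouterOS 6.41+ (assumed for the SXT Lite5).
# Assumed names: ether1 (towards the tills), wlan1 (the radio), bridge1.
# Far side: identical, but set wlan1 mode=station-bridge.

# 1. Bulk encryption: WPA2 with AES-CCM only (TKIP not offered).
#    The passphrase is a placeholder; use a long random one.
/interface wireless security-profiles
add name=p2p-aes mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE-WITH-LONG-RANDOM-PASSPHRASE"

# Alternative for the "certificate instead of a passkey" request: EAP-TLS
# between the two radios. Import a CA and a per-radio certificate first
# (/certificate import) and reference the radio's own cert by name below.
# The bulk data is still AES-CCM; only the authentication changes, so there
# is no passkey to rotate every 90 days.
# /interface wireless security-profiles
# add name=p2p-tls mode=dynamic-keys authentication-types=wpa2-eap \
#     eap-methods=eap-tls tls-mode=verify-certificate \
#     tls-certificate=REPLACE-WITH-IMPORTED-CERT-NAME \
#     unicast-ciphers=aes-ccm group-ciphers=aes-ccm

/interface wireless
set wlan1 mode=bridge ssid="store-p2p" wireless-protocol=802.11 \
    security-profile=p2p-aes disabled=no
# If the link runs wireless-protocol=nv2 instead, the security profile is not
# used for the air encryption; set nv2-security=enabled and
# nv2-preshared-key=... on wlan1 instead.

# 2. VLAN trunking across the link: VLAN 2 (keypads) is tagged on both the
#    wired port and the radio; untagged frames stay on the native VLAN
#    (pvid 1 is the default on every port).
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
/interface bridge vlan
add bridge=bridge1 tagged=ether1,wlan1 vlan-ids=2

# 3. Management address stays on the bridge (native VLAN). Placeholder address.
/ip address
add address=192.168.88.2/24 interface=bridge1

# Turn filtering on last, so an error above cannot lock you out part-way.
/interface bridge
set bridge1 vlan-filtering=yes
```

The till switch on each side is then connected to `ether1` as a trunk: VLAN 2 tagged for the keypads, the rest untagged. Because the radios bridge at layer 2, no L2TP or IPsec tunnel is needed; WPA2/AES-CCM on the air interface is what protects the frames, and the VLAN tags cross the link untouched. Verify after applying with `/interface wireless registration-table print` (the peer should show the AES-CCM cipher) and `/interface bridge vlan print` (VLAN 2 listed with both ports tagged).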