Between my CPE and the Internet gateway I have three wireless hops via three MT routers. These three routers plus the CPE (a RB133C) all have the same security profile, WPA2-PSK with aes-ccm, and key.
Is it the case that the two intermediate routers decrypt each packet as it arrives, route it and then re-encrypt it before sending it on? If so, it seems a mighty waste of CPU time.
On the network all ‘outgoing’ and ‘incoming from outside’ traffic uses different routing to internal traffic.
Thus, IF decryption/encryption occurs at every router it seems unnecessary. Is there any way of just passing the encrypted traffic through the intermediate routers so that it is encrypted/decrypted only at each end?
Yes, I believe it is doing what you suspect. I’m not sure how it couldn’t be doing it that way. A good alternative would be to create an EoIP tunnel between the 2 end routers; that way it’s encrypted along the whole path and only decrypted at the ends.
But that means setting up a unique tunnel for every user, doesn’t it?
Again, as I understand it, encryption encrypts the whole packet, including TCP headers? If that’s so then I agree, clearly it has to be decrypted at each router just to access the destination address etc. But if that’s the case, is there no way of just encrypting/decrypting the payload at each end of the network, i.e. at the CPE and Gateway, as I assume SSH and HTTPS do?
Could you explain how, as this is out of my league? I have, say, five subscribers each with their own PPPoE link by wireless to the same wlan interface on an AP. So their addresses are issued dynamically by the RADIUS server. Can the PPPoE connections be contained within an EoIP set up on the wlan interface itself? Could IPIP do it?
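One way to build what the reply suggests, as an added example that is neither a poster's nor MikroTik's own configuration: an EoIP tunnel between the AP the subscribers associate with and the gateway, with the AP's wlan bridged into the tunnel so the subscribers' PPPoE frames are carried inside it to a PPPoE server on the gateway. It assumes RouterOS v6 with the `ipsec-secret` option (plain EoIP carries no encryption of its own), and the addresses, tunnel id, interface names and secret are placeholders.

```routeros
# --- On the AP (where the five subscribers' PPPoE sessions arrive) ---
# EoIP tunnel to the gateway; ipsec-secret makes RouterOS create an IPsec
# peer/policy so the tunnel payload is encrypted across all three hops.
/interface eoip add name=eoip-gw tunnel-id=10 \
    local-address=10.0.0.2 remote-address=10.0.0.1 \
    ipsec-secret=CHANGE_ME_PLACEHOLDER
# Bridge the subscriber-facing wlan with the tunnel: PPPoE discovery and
# session frames (layer 2) now cross the backhaul inside EoIP.
/interface bridge add name=br-pppoe
/interface bridge port add bridge=br-pppoe interface=wlan1
/interface bridge port add bridge=br-pppoe interface=eoip-gw

# --- On the gateway ---
/interface eoip add name=eoip-ap tunnel-id=10 \
    local-address=10.0.0.1 remote-address=10.0.0.2 \
    ipsec-secret=CHANGE_ME_PLACEHOLDER
/interface bridge add name=br-pppoe
/interface bridge port add bridge=br-pppoe interface=eoip-ap
# PPPoE server terminates the subscribers here; addresses still come from
# RADIUS via /ppp aaa, as in the existing setup.
/interface pppoe-server server add service-name=isp interface=br-pppoe \
    one-session-per-host=yes
/ppp aaa set use-radius=yes
```

A single tunnel carries all subscribers, so no per-user tunnel is needed. Note that the intermediate routers still apply WPA2 to the outer frames, so this protects the subscriber payload end to end rather than saving per-hop CPU work.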