From owner-freebsd-hackers Tue Oct 7 08:20:08 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA02972 for hackers-outgoing; Tue, 7 Oct 1997 08:20:08 -0700 (PDT) (envelope-from owner-freebsd-hackers)
Received: from bmccane.uit.net (bmccane.uit.net [209.83.205.48]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA02855 for ; Tue, 7 Oct 1997 08:19:42 -0700 (PDT) (envelope-from toor@bmccane.uit.net)
Received: (from root@localhost) by bmccane.uit.net (8.8.7/8.8.5) id KAA24649; Tue, 7 Oct 1997 10:18:31 -0500 (CDT)
Date: Tue, 7 Oct 1997 10:18:30 -0500 (CDT)
From: Wm Brian McCane
To: John-Mark Gurney
cc: hackers@FreeBSD.ORG
Subject: Re: SKIP
In-Reply-To: <19971006194105.38549@hydrogen.nike.efn.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Okay,

	Here is what I have/have to do.

         /^^^^^\                                             ROUTER 1
        ( LAN 1 }--{ipfw/(skip|swipe|...)}--{Pipeline 50}
         \vvvvv/                                 |
                                                 |
                                               {ISP}
                                                 |
                                         <---Internet--->
                                                 |
                                               {ISP}
                                                 |
                                                 |
        ROUTER 2                                 |
         /^^^^^\                                 |
        {Pipeline 50}--{ipfw/(skip|swipe|...)}--{ LAN 2 )
                                                 \vvvvv/

	LAN 1 is 192.168.1.0/24
	LAN 2 is 192.168.4.0/24
	ROUTER 1a is 192.168.1.251
	ROUTER 1b is 207.142.125.225/28
	ROUTER 2a is 192.168.4.251
	ROUTER 2b is 204.132.78.206/28

	NOTE: Internet addresses are not exactly right 8).

	Data on LAN 1, destined for 192.168.4.0 needs to be caught in
ROUTER 1, and then packaged up, and sent to ROUTER 2, who unpacks the data
and dumps it on the local network.  Data on LAN 2, destined for
192.168.0.0, but not 192.168.4.0 needs to be caught in ROUTER 2, and then
packaged up, and sent to ROUTER 1, who unpacks the data and dumps it on
the local network.

	What I am now looking at is an implementation somewhat similar to
the way that natd works with divert sockets.  I have already configured a
firewall on both ROUTER 1 and 2.  What I think I want to do is set up
rules in the firewalls to divert the appropriate addresses to the "vpnd".
He will then encapsulate the data and send it to the other router.  In the
encapsulate phase, I will probably bsdcomp the data to be sent, and
encrypt it with some very lame encryption.  I was thinking of using a
scheme where each machine has the encryption keys stored in a text file,
and simply uses them to en/decrypt the data.  Very basic.

	Does this look like it will work?  Am I insane to even think of
trying to write the "vpnd" program?  I am most concerned with figuring out
how to write the "vpnd", although I have looked at the "natd" code, and it
looks fairly straightforward to me.  I would simply create a "pipe" from
ROUTER 1b to ROUTER 2b.  Then as data comes in from the divert socket, I
would direct it out through the "pipe".  The place where I have problems
is when a packet comes in on the "pipe".  How do I inject the received
data on to my local network?

brian

+-------------------------------------+----------------------------------------+
He rides a cycle of mighty days, and      \ Wm Brian and Lori McCane
he represents the last great schizm       \ McCane Consulting
among the gods.  Evil though he obviously \ root@bmccane.uit.net
is, he is a mighty figure, this father of \ http://bmccane.uit.net/
my spirit, and I respect him as the sons  \ http://bmccane.uit.net/~pictures/
of old did the fathers of their bodies.   \ http://bmccane.uit.net/~bmccane/
          Roger Zelazny - "Lord of Light" \ http://bmccane.uit.net/~bbs/
+---------------------------------------------+--------------------------------+

On Mon, 6 Oct 1997, John-Mark Gurney wrote:

> Wm Brian McCane scribbled this message on Oct 6:
> > Hello,
> >
> > 	I asked a while back about setting up a Virtual Private Network.
> > Many people suggested SKIP and 1 suggested swIPe.  I have been looking at
> > the SKIP documentation, and I think we may have had a slight misunderstanding.
> >
> > 	From what I have read so far in the SKIP docs, it is to connect
> > Machine A to Machine B via a "secure" pipe.  And I have seen a little
> > bit about possible connection Machine A to LAN C.  But what I need to do
> > is connect LAN C to LAN D.  Is this possible with SKIP, swIPe, or a
> > player to be named later?
>
> if you don't need extreme bandwidth.. then simply use iij-ppp... right
> now a friend and I are connected via a private network this way... he
> used to dial into my machine, but then moved to better connectivity, so
> now we just tunnel it down...
>
> the man page for iij-ppp pretty much describes what you need to do...
>
> ttyl..
>
> --
>   John-Mark Gurney                          Modem/FAX: +1 541 683 6954
>   Cu Networking
>
>   Live in Peace, destroy Micro$oft, support free software, run FreeBSD
>
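The divert-socket design sketched in the message above, as an added example that is not part of the original post nor of natd: a hypothetical framing for the "pipe" (vpn_encap/vpn_decap, with a checksum so a damaged or mis-tagged frame is dropped instead of being handed to the LAN) and the write-back through the divert socket that returns an unwrapped packet to the kernel. Opening the divert socket, the UDP pipe to the other router, and any compression or encryption of the frames are assumed to be handled elsewhere, and the divert(4) write-back semantics the last function relies on are stated as an assumption in its comment.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define VPN_MAGIC 0x56504e31u       /* hypothetical frame tag ("VPN1"), not from the post */

struct vpn_hdr {                    /* hypothetical header prepended to each diverted packet */
    uint32_t magic;                 /* VPN_MAGIC, network byte order */
    uint16_t len;                   /* length of the IP packet that follows, network byte order */
    uint16_t sum;                   /* ones'-complement sum of that packet, to detect corruption */
};

static uint16_t ones_sum(const unsigned char *p, size_t n) {
    uint32_t s = 0;
    for (; n > 1; n -= 2, p += 2) s += (uint32_t)((p[0] << 8) | p[1]);
    if (n) s += (uint32_t)(p[0] << 8);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Wrap one IP packet read from the divert socket for the UDP "pipe". Returns frame size, 0 on error. */
size_t vpn_encap(const unsigned char *pkt, size_t len, unsigned char *out, size_t cap) {
    struct vpn_hdr h;
    if (len == 0 || len > 0xffff || cap < sizeof h + len) return 0;
    h.magic = htonl(VPN_MAGIC); h.len = htons((uint16_t)len); h.sum = htons(ones_sum(pkt, len));
    memcpy(out, &h, sizeof h); memcpy(out + sizeof h, pkt, len);
    return sizeof h + len;
}

/* Unwrap a frame from the other router. Returns packet size, or 0 if the frame is truncated,
 * carries the wrong tag, or fails the checksum, so nothing damaged reaches the LAN. */
size_t vpn_decap(const unsigned char *frame, size_t n, unsigned char *out, size_t cap) {
    struct vpn_hdr h; size_t len;
    if (n < sizeof h) return 0;
    memcpy(&h, frame, sizeof h); len = ntohs(h.len);
    if (ntohl(h.magic) != VPN_MAGIC || len == 0 || n != sizeof h + len || cap < len) return 0;
    if (ones_sum(frame + sizeof h, len) != ntohs(h.sum)) return 0;
    memcpy(out, frame + sizeof h, len);
    return len;
}

/* Hand the unwrapped packet back to the kernel through the divert socket. Assumption (divert(4)
 * behaviour natd relies on): a write with sin_addr 0.0.0.0 is treated as an outgoing packet, a
 * write with sin_addr set to a local interface address as a packet arriving on that interface. */
int vpn_reinject(int divert_fd, const unsigned char *pkt, size_t len, in_addr_t lan_if_addr) {
    struct sockaddr_in sin; memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET; sin.sin_addr.s_addr = lan_if_addr;
    return sendto(divert_fd, pkt, len, 0, (struct sockaddr *)&sin, sizeof sin) == (ssize_t)len ? 0 : -1;
}
```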