From owner-freebsd-security Sun Oct 10 8:25:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from navont3.navo.navy.mil (navont3.navo.navy.mil [128.160.42.3]) by hub.freebsd.org (Postfix) with ESMTP id A1A7D1558C for ; Sun, 10 Oct 1999 08:24:20 -0700 (PDT) (envelope-from binghamd@navo.navy.mil)
Received: from m45432 (argus-p3.navo.hpc.mil [204.222.179.82]) by navont3.navo.navy.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 42CB0HCM; Sun, 10 Oct 1999 10:21:43 -0500
Reply-To:
From: "Dell bingham"
To: "'Theo Purmer (Tepucom)'"
Cc: "'Jim Flowers'" , , "'freebsd-security@freebsd.org'"
Subject: RE: skip basic procedure
Date: Sun, 10 Oct 1999 10:22:33 -0500
Message-ID: <00e501bf1333$46fbf340$f2d9decc@m45432.navo.navy.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
In-Reply-To: <37FAD4C7.15678404@arsin.com>
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Me 2............

Dell Bingham
Computer Engineer
1002 Balch Blvd.
Stennis Space Center, MS 39522
COML: (228)688-5952 DSN: 485-5952 FAX 4168
binghamd@navo.navy.mil

-----Original Message-----
From: Chandra Ravi [mailto:cravi@arsin.com]
Sent: Tuesday, October 05, 1999 23:49
To: Theo Purmer (Tepucom)
Cc: 'Jim Flowers'; skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
Subject: Re: skip basic procedure

Hi Guys!

Get me out of your mailing list.

Thanks,

Theo Purmer (Tepucom) wrote:

> Thanks Jim for the help.
>
> I've got a skip session running between
> two machines and the rfc1918 network
> is connected. What I found to be the problem
> is that skip leaves the rfc1918 sender address
> in the packet even if it goes through the
> tunnel. The routers and firewalls in between don't
> allow a rfc1918 sender or receiver address so
> the packets don't arrive at the other end.
>
> In the archives John Capo has the same problem;
> he sent me some data to change the source with
> so that doesn't happen anymore. I'm working on
> that now.
>
> Do you have any idea as to who maintains the skip
> website? Maybe it's a good idea to publish this on
> the website when I've got it running.
>
> thanks again
>
> theo purmer
> ----------
> From: Jim Flowers[SMTP:jflowers@ezo.net]
> Sent: Monday, 4 October 1999 16:38
> To: Theo Purmer (Tepucom)
> CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
> Subject: Re: skip basic procedure
>
> Skip doesn't do routing. You have to use something else. Mostly I use
> static routes. Generally, the inside interface (rfc 1918) will create a
> route to the internal network.
>
> However, it sounds like you don't really have a SKIP connection. Can you
> verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the
> incoming interface and equivalent cleartext packets on the internal
> interface. Assumes you have a multi-homed skiphost.
>
> What I have found to work best is:
>
> 1. With skip turned off, verify that the two skiphosts can communicate with
> each other.
> 2. Setup skip on each of the skiphosts by running skiplocal export on the
> opposite end skiphost and then executing it as a shell script.
> 3. Set default in cleartext (`skiphost -a default`) and turn it on at each
> end (`skiphost -o on`).
> 4. Debug this configuration. Is the time correct on each skiphost? Are the
> keys valid? A good idea is to telnet to a third machine and from
> there to the far end so that the session will continue even if skip
> doesn't work. Use skiplog to see if there are errors.
> 5. Once you get 4. working, add the RFC1918 networks using the far end
> skiphost as the tunnel entrance.
> 6. Use tcpdump on the external and internal interfaces of each skiphost to
> debug.
>
> It is also instructive to run the skiptool if you have X Windows. When you
> enable the skip interface it offers suggestions on addresses that should be
> allowed in cleartext.
>
> Have DNS set up and working properly so that skiphost can find all the
> reverse lookups or you will wait for what seems like forever.
>
> Search the freebsd-security list for skip, I posted stuff like this lots of
> times.
>
> ----- Original Message -----
> From: Theo Purmer (Tepucom)
> To:
> Sent: Saturday, October 02, 1999 8:45 AM
> Subject: skip
>
>
> > Hi Jim
> >
> > hope you don't mind me sending you some email
> > about skip. In some archive I found your name on
> > a message where you said you had good experiences
> > with skip on freebsd
> >
> > I'm having some trouble getting a vpn with skip running
> > and I was wondering if you could give me a hint on
> > the skip config file.
> >
> > I'm trying to route 2 rfc 1918 networks over two skip
> > machines via the internet; data does arrive but
> > isn't routed to the second (rfc1918) nic in the machine
> >
> > some help would be greatly appreciated
> >
> > thanks
> >
> > theo purmer
> > theo@tepucom.nl
> >
> >
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
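Jim's step 6 check (SKIP, IP protocol 57, on the external interface; cleartext on the internal one) and Theo's symptom (an RFC 1918 address left in the tunnel's outer header, which the transit routers drop), as an added Python example that is not part of this thread: it runs over constructed tcpdump-style lines, with the interface names fxp0/fxp1 and all addresses being assumptions, and flags the packets a practitioner would want to see.

```python
import ipaddress
import re

# RFC 1918 ranges; the routers between the two skiphosts in the thread drop
# any packet whose outer header carries one of these as source or destination.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SKIP_PROTO = "ip-proto-57"   # IP protocol 57 is SKIP

# Constructed tcpdump-style lines, each prefixed with the interface it was
# captured on. Interface names and addresses are assumptions for this example.
SAMPLE_CAPTURE = """\
fxp0: 203.0.113.5 > 198.51.100.7: ip-proto-57 148
fxp0: 203.0.113.5 > 198.51.100.7: ip-proto-57 96
fxp0: 192.168.1.10 > 198.51.100.7: ip-proto-57 148
fxp0: 192.168.1.10 > 10.2.0.4: icmp: echo request
fxp1: 192.168.1.10 > 10.2.0.4: icmp: echo request
"""

LINE_RE = re.compile(
    r"^(?P<ifc>\w+): (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>\S+)")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_capture(capture, external="fxp0", internal="fxp1"):
    """Return (skip_seen, findings). skip_seen is True once protocol 57
    traffic appears on the external interface; findings lists packets that a
    transit router would drop or that show the tunnel is not being used."""
    skip_seen = False
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ifc, src, dst, proto = m.group("ifc", "src", "dst", "proto")
        private = is_rfc1918(src) or is_rfc1918(dst)
        if ifc == external and proto == SKIP_PROTO:
            skip_seen = True
            if private:   # Theo's case: RFC 1918 address in the SKIP outer header
                findings.append(f"RFC1918 address in SKIP outer header: {line}")
        elif ifc == external and private:   # tunnel not engaged for this flow
            findings.append(f"cleartext RFC1918 packet on external interface: {line}")
        elif ifc == internal and proto == SKIP_PROTO:   # not decapsulated
            findings.append(f"SKIP packet on internal interface: {line}")
    return skip_seen, findings

if __name__ == "__main__":
    seen, found = check_capture(SAMPLE_CAPTURE)
    print("SKIP seen on external interface:", seen)
    print("\n".join(found))
```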