Date: Thu, 29 Oct 1998 19:35:37 -0800
From: Matthew Reimer <mreimer@vpop.net>
To: freebsd-questions@FreeBSD.ORG
Subject: SKIP and NAT on tun0?
Message-ID: <36393409.CF5E0DAE@vpop.net>

Has anyone been able to make SKIP and NAT work on the same interface?

My gateway machine has ed1 (192.168.1.2) and tun0. I want to run SKIP on tun0 on the gateway machine to protect traffic to certain hosts, and to run NAT on tun0 to give the hosts on ed1 connectivity.

When I start ppp, SKIP and natd on the gateway, but before I add the divert rule with ipfw, the gateway machine can get anywhere, but the other hosts on the local network can't get past the gateway (of course).

When I add the divert rule, the other hosts on the local network can get anywhere, even to remote hosts that require SKIP, but the gateway itself can only get to hosts that don't require SKIP. It's forwarding just fine, even with SKIP, but perhaps somehow natd is improperly rewriting incoming SKIP packets destined for the gateway itself.

In other words, before adding the divert rule:

    gateway           local hosts
    -------           -----------
    +local            +local
    +remote-noskip    -remote-noskip (of course)
    +remote-skip      -remote-skip (of course)

After adding the divert rule:

    gateway           local hosts
    -------           -----------
    +local            +local
    +remote-noskip    +remote-noskip
    -remote-skip      +remote-skip

Tcpdump shows that the SKIP packets are going out, and being returned by the remote host, but being dropped by SKIP; skipstat's dropped packet count increases and skiplog complains about the remote host trying to connect with 'cleartext' instead of 'SKIP V2'.

I'm starting ppp and natd like this:

    ppp -auto provider
    natd -interface tun0 -dynamic -unregistered_only
    ipfw add divert natd ip from any to any via tun0
    ipfw add allow all from any to any

2.2.6-STABLE as of May or so.

Anybody have an answer (Archie?)? Thanks in advance.

Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message