From owner-freebsd-security Tue Oct 5 22: 1:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from proxy2.ba.best.com (proxy2.ba.best.com [206.184.139.14]) by hub.freebsd.org (Postfix) with ESMTP id ED4DB156CF for ; Tue, 5 Oct 1999 22:01:03 -0700 (PDT) (envelope-from cravi@arsin.com)
Received: from arsin.com (dynamic50.pm08.san-jose.best.com [209.24.165.242]) by proxy2.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id VAA07044; Tue, 5 Oct 1999 21:56:30 -0700 (PDT)
Message-ID: <37FAD4C7.15678404@arsin.com>
Date: Tue, 05 Oct 1999 21:49:11 -0700
From: Chandra Ravi
X-Mailer: Mozilla 4.04 [en] (Win95; I)
MIME-Version: 1.0
To: "Theo Purmer (Tepucom)"
Cc: "'Jim Flowers'", "skip-info@skip-vpn.org", "'freebsd-security@freebsd.org'"
Subject: Re: skip basic procedure
References: <01BF0F08.5D32D270.theo@tepucom.nl>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Guys!

Get me out of your mailing list.

Thanks,

Theo Purmer (Tepucom) wrote:
> Thanks Jim for the help.
>
> I've got a skip session running between
> two machines and the rfc1918 network
> is connected. What I found to be the problem
> is that skip leaves the rfc1918 sender address
> in the packet even if it goes through the
> tunnel. The routers and firewalls in between don't
> allow a rfc1918 sender or receiver address, so
> the packets don't arrive at the other end.
>
> In the archives John Capo has the same problem;
> he sent me some data to change the source with
> so that doesn't happen anymore. I'm working on
> that now.
>
> Do you have any idea as to who maintains the skip
> website? Maybe it's a good idea to publish this on
> the website when I've got it running.
>
> Thanks again
>
> Theo Purmer
> ----------
> From: Jim Flowers[SMTP:jflowers@ezo.net]
> Sent: Monday, 4 October 1999 16:38
> To: Theo Purmer (Tepucom)
> CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
> Subject: Re: skip basic procedure
>
> Skip doesn't do routing. You have to use something else. Mostly I use
> static routes. Generally, the inside interface (rfc 1918) will create a
> route to the internal network.
>
> However, it sounds like you don't really have a SKIP connection. Can you
> verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the
> incoming interface and equivalent cleartext packets on the internal
> interface. Assumes you have a multi-homed skiphost.
>
> What I have found to work best is:
>
> 1. With skip turned off, verify that the two skiphosts can communicate with
> each other.
> 2. Set up skip on each of the skiphosts by running skiplocal export on the
> opposite end skiphost and then executing it as a shell script.
> 3. Set default in cleartext (`skiphost -a default`) and turn it on at each
> end (`skiphost -o on`).
> 4. Debug this configuration. Is the time correct on each skiphost? Are the
> keys valid? A good idea is to telnet to a third machine and from
> there to the far end so that the session will continue even if skip
> doesn't work. Use skiplog to see if there are errors.
> 5. Once you get 4. working, add the RFC1918 networks using the far end
> skiphost as the tunnel entrance.
> 6. Use tcpdump on the external and internal interfaces of each skiphost to
> debug.
>
> It is also instructive to run the skiptool if you have xwindows. When you
> enable the skip interface it offers suggestions on addresses that should be
> allowed in cleartext.
>
> Have DNS set up and working properly so that skiphost can find all the
> reverse lookups or you will wait for what seems like forever.
>
> Search the freebsd-security list for skip; I posted stuff like this lots of
> times.
>
> ----- Original Message -----
> From: Theo Purmer (Tepucom)
> To:
> Sent: Saturday, October 02, 1999 8:45 AM
> Subject: skip
>
>
> > Hi Jim
> >
> > Hope you don't mind me sending you some email
> > about skip. In some archive I found your name on
> > a message where you said you had good experiences
> > with skip on FreeBSD.
> >
> > I'm having some trouble getting a VPN with skip running
> > and I was wondering if you could give me a hint on
> > the skip config file.
> >
> > I'm trying to route 2 rfc 1918 networks over two skip
> > machines via the internet, but data does arrive but
> > isn't routed to the second (rfc1918) NIC in the machine.
> >
> > Some help would be greatly appreciated.
> >
> > Thanks
> >
> > Theo Purmer
> > theo@tepucom.nl
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
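The practical sticking point of this thread (Jim's steps 5 and 6, and Theo's diagnosis) is that packets crossing the tunnel still carried RFC 1918 addresses where the intermediate routers and firewalls could see them, so they were dropped before reaching the far skiphost. The following is an added illustration written for this archive page; it is not code from any message in the thread and it does not model SKIP's real on-the-wire format. It treats a skiphost as wrapping the private inner packet in an outer IPv4 header (protocol 57, the number Jim gives for the tcpdump check) that carries the public skiphost addresses, and it models the upstream filter as a device that inspects only the outermost header and refuses any RFC 1918 source or destination. The public addresses (documentation ranges), the inner packet, and the filter policy are all constructed for the example.

```python
"""Added example: why an untunnelled RFC 1918 packet is dropped upstream
and why a properly encapsulated one (public outer header, IP proto 57)
gets through. The SKIP payload itself is treated as opaque bytes; the
only thing modelled is the outer/inner IPv4 header relationship."""
import ipaddress
import struct

SKIP_PROTO = 57  # IP protocol number for SKIP, as named in the thread

# RFC 1918 private ranges, listed explicitly rather than via
# ipaddress.is_private (which also covers other special-purpose blocks).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def _checksum(data: bytes) -> int:
    """Standard Internet (ones'-complement) checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 header with a correct header checksum."""
    hdr = struct.pack(_IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the outermost IPv4 header; verify its checksum; return fields + payload."""
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack(_IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or _checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto,
            "payload": pkt[ihl:total_len]}


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918)


def upstream_filter(pkt: bytes) -> str:
    """Model of the routers/firewalls between the two skiphosts: they look
    only at the outermost header and drop RFC 1918 sources or destinations
    (constructed policy mirroring what Theo observed)."""
    hdr = parse_ipv4(pkt)
    if is_rfc1918(hdr["src"]) or is_rfc1918(hdr["dst"]):
        return "drop"
    return "forward"


def skip_encapsulate(inner_pkt: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap the whole inner packet in an outer header carrying the public
    skiphost addresses. Assumption: SKIP payload format is opaque here."""
    return ipv4_header(outer_src, outer_dst, SKIP_PROTO, len(inner_pkt)) + inner_pkt


def skip_decapsulate(pkt: bytes) -> bytes:
    """Far-end skiphost: strip the proto-57 outer header, hand the inner
    packet to the internal (RFC 1918) interface for normal routing."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != SKIP_PROTO:
        raise ValueError("outer header is not SKIP (proto 57)")
    return outer["payload"]


def demo() -> dict:
    """Constructed scenario: a TCP packet between two RFC 1918 hosts, sent
    once untunnelled and once through the modelled tunnel."""
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 6, 4) + b"data"   # proto 6 = TCP
    tunnelled = skip_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    recovered = parse_ipv4(skip_decapsulate(tunnelled))
    return {
        "untunnelled": upstream_filter(inner),      # private outer header -> dropped
        "tunnelled": upstream_filter(tunnelled),    # public outer header  -> forwarded
        "outer_proto": parse_ipv4(tunnelled)["proto"],
        "inner_src": recovered["src"],
        "inner_dst": recovered["dst"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

demo() shows the same private packet dropped when it reaches the filter untunnelled and forwarded once the outer header carries public addresses, with the inner RFC 1918 addresses intact after decapsulation. On a real skiphost the equivalent check is the one Jim describes: tcpdump on the external interface should show only `ip proto 57` traffic with public addresses, while the internal interface shows the cleartext RFC 1918 packets.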