From owner-freebsd-security Sun Sep 26 12:02:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.tepucom.nl (mail.tepucom.nl [195.81.12.5]) by hub.freebsd.org (Postfix) with ESMTP id 557FD152CF for ; Sun, 26 Sep 1999 12:02:46 -0700 (PDT) (envelope-from theo@tepucom.nl)
Received: from administratie (administratie.tepucom.nl [192.168.1.20]) by mail.tepucom.nl (8.9.3/8.9.3) with SMTP id VAA17070; Sun, 26 Sep 1999 21:01:15 +0200 (CEST) (envelope-from theo@tepucom.nl)
Received: by localhost with Microsoft MAPI; Sun, 26 Sep 1999 20:54:12 +0200
Message-ID: <01BF0861.492CDCB0.theo@tepucom.nl>
From: "Theo Purmer (Tepucom)"
To: "'Jim Flowers'"
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: skip acl (was skip and vpn)
Date: Sun, 26 Sep 1999 20:54:11 +0200
X-Mailer: Microsoft Internet-e-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok Jim, I'm getting there, but it's not working quite as it should. Here's a drawing:

    net1 192.168.1.0/24
    ----------------------
              |
        --------------
        | skiphost 1 |
        --------------
              |
          ----------
          | router |
          ----------
              |
         -----------
         | the net |
         -----------
              |
          ----------
          | router |
          ----------
              |
        --------------
        | skiphost 2 |
        --------------
              |
    --------------------------
    net2 192.168.2.0/24

where net2 and net3 are rfc1918.

On skiphost1 I've defined an ACL on the external (internet) interface that says: for net2, go through the tunnel at skiphost2, using encryption etc.:

    skiphost -i de0 -a 192.168.2.0 -M 255.255.255.0 -A xxx.x.x.x -v 2 -k DES-CBC -t DES-CBC -m MD5 -r 8 -R kkkkkkkkkkkkk -s 8 -S kkkkkkkkkkkkkkkk

When I ping on the console of skiphost1 to the net2 interface on skiphost2, I see the packets go to skiphost2 and I see them arrive at skiphost2, but I don't see a response.

When I ping from a host on net1 to the net2 interface on skiphost2, I see the packets arrive at skiphost1, where they disappear.
When I ping on the console of skiphost1 to the internet interface of skiphost2, then I see encrypted packets go to skiphost2 and I see them coming back too.

I have not set any routes other than the default route to the internet router.

I appreciate your help,

theo

----------
From: Jim Flowers[SMTP:jflowers@ezo.net]
Sent: Saturday, 25 September 1999 22:22
To: Theo Purmer (Tepucom)
CC: 'freebsd-security@FreeBSD.ORG'
Subject: Re: skip and vpn

Use different subnets for each of your internal rfc1918 networks and then route the opposite end subnet to your local skiphost tunnel end. Only the skiphost ACL record and external interface has to know about the opposite end routable address.

Jim Flowers
#4 ISP on C|NET, #1 in Ohio

On Sat, 25 Sep 1999, Theo Purmer (Tepucom) wrote:

> Hi all.....
>
> Got a problem here with skip and a VPN.
>
> I've got two gateways running ipf, ipnat and skip.
> It all works; the gateways are on the internet... (far apart).
>
> On the inside of the gateways I'm using rfc1918
> networks. I want to be able to go from one internal
> network via the VPN (using skip for encryption) to
> the other internal network.
>
> But I cannot just set up a route for the other internal
> network using the other skip gateway. I then get ARP
> errors because it wants the other gateway to be on its
> subnet.
>
> Anybody got any ideas as to how to get the tunnel running?
>
> Thanks,
>
> theo purmer
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
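Jim's recipe (distinct RFC1918 subnets at each end, the far subnet routed to the local skiphost, and an ACL on the external interface that names the far end's routable address), as an added example that is not code from the thread or from the SKIP distribution: a POSIX sh script that first checks the two internal subnets do not overlap and then prints the configuration each end needs. The skiphost flags are exactly the ones Theo already uses; the interface name de0, the external addresses 203.0.113.1 and 198.51.100.1, the inside gateway addresses and the "kkkk" key placeholders are assumptions, and configuring both ends as mirror images is also an assumption the thread does not spell out.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the per-gateway SKIP tunnel
# configuration for two RFC1918 sites after refusing overlapping subnets.
# Placeholders (assumed, not from the thread): de0, 203.0.113.1,
# 198.51.100.1, the inside gateway addresses and the kkkk... keys.

# dotted quad -> integer
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix length -> netmask as integer (24 -> 4294967040, i.e. 255.255.255.0)
plen2mask() {
    echo $(( (1 << 32) - (1 << (32 - $1)) ))
}

# overlaps A/len B/len : exit 0 when the two prefixes share any address
overlaps() {
    a=$(ip2int "${1%/*}"); am=$(plen2mask "${1#*/}")
    b=$(ip2int "${2%/*}"); bm=$(plen2mask "${2#*/}")
    # compare under the shorter (less specific) of the two masks
    if [ "${1#*/}" -lt "${2#*/}" ]; then m=$am; else m=$bm; fi
    [ $(( a & m )) -eq $(( b & m )) ]
}

# gateway_config LOCAL_NET REMOTE_NET REMOTE_EXT_ADDR LOCAL_INSIDE_ADDR
# Prints what one end needs: the ACL on its external interface for the far
# subnet (Theo's flags), and the route hosts on the local net use to reach it.
gateway_config() {
    remote_net=${2%/*}
    remote_mask=$(int2ip "$(plen2mask "${2#*/}")")
    echo "# on the skiphost for $1 (external interface de0 assumed)"
    echo "skiphost -i de0 -a $remote_net -M $remote_mask -A $3 -v 2 -k DES-CBC -t DES-CBC -m MD5 -r 8 -R kkkkkkkkkkkkk -s 8 -S kkkkkkkkkkkkkkkk"
    echo "# on the hosts (or internal router) of $1: send $2 to this gateway's inside address"
    echo "route add -net $2 $4"
}

# vpn_config NET1 NET2 EXT1 EXT2 INSIDE1 INSIDE2 : both ends, or fail on overlap
vpn_config() {
    if overlaps "$1" "$2"; then
        echo "error: $1 and $2 overlap; use distinct rfc1918 subnets at each end" >&2
        return 1
    fi
    gateway_config "$1" "$2" "$4" "$5"
    echo
    gateway_config "$2" "$1" "$3" "$6"
}

# usage with the placeholder addresses from the comment above
vpn_config 192.168.1.0/24 192.168.2.0/24 203.0.113.1 198.51.100.1 192.168.1.1 192.168.2.1
```

The script only prints commands; run the skiphost line on each gateway and the route line on the hosts behind it (or on their internal router). Note that the net1 end's ACL carries skiphost2's routable address and the net2 end's ACL carries skiphost1's, which is the only place the far end's public address has to appear.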