Date:      Mon, 4 Oct 1999 10:38:14 -0400
From:      "Jim Flowers" <jflowers@ezo.net>
To:        "Theo Purmer (Tepucom)" <theo@tepucom.nl>
Cc:        <skip-info@skip-vpn.org>, "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject:   Re: skip basic procedure
Message-ID:  <002e01bf0e76$18410f70$23b197ce@ezo.net>
References:  <01BF0CE4.D6279BA0.theo@tepucom.nl>

Skip doesn't do routing.  You have to use something else.  Mostly I use
static routes.  Generally, the inside interface (rfc 1918) will create a
route to the internal network.

However, it sounds like you don't really have a SKIP connection.  Can you
verify in skipd.log?  Use tcpdump to verify skip (proto 57) packets on the
incoming interface and equivalent cleartext packets on the internal
interface.  This assumes you have a multi-homed skiphost.

What I have found to work best is:

1. With skip turned off, verify that the two skiphosts can communicate with
each other.
2. Set up skip on each of the skiphosts by running skiplocal export on the
opposite end skiphost and then executing it as a shell script.
3. Set default in cleartext (`skiphost -a default`) and turn it on at each
end (`skiphost -o on`).
4. Debug this configuration.  Is the time correct on each skiphost?  Are the
keys valid?  A good idea is to telnet to a third machine and from there to
the far end so that the session will continue even if skip doesn't work.
Use skiplog to see if there are errors.
5. Once you get 4. working, add the RFC1918 networks using the far end
skiphost as the tunnel entrance.
6. Use tcpdump on the external and internal interfaces of each skiphost to
debug.

It is also instructive to run the skiptool if you have xwindows.  When you
enable the skip interface it offers suggestions on addresses that should be
allowed in cleartext.

Have DNS set up and working properly so that skiphost can find all the
reverse lookups or you will wait for what seems like forever.

Search the freebsd-security list for skip, I posted stuff like this lots of
times.

----- Original Message -----
From: Theo Purmer (Tepucom) <theo@tepucom.nl>
To: <jflowers@ezo.net>
Sent: Saturday, October 02, 1999 8:45 AM
Subject: skip


> Hi Jim
>
> hope you don't mind me sending you some email
> about skip. In some archive I found your name on
> a message where you said you had good experiences
> with skip on freebsd
>
> I'm having some trouble getting a vpn with skip running
> and I was wondering if you could give me a hint on
> the skip config file.
>
> I'm trying to route 2 rfc 1918 networks over two skip
> machines via the internet but data does arrive, but
> isn't routed to the second (rfc1918) nic in the machine
>
> some help would be greatly appreciated
>
> thanks
>
> theo purmer
> theo@tepucom.nl
>
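As an added example that is not part of either message: a small shell script applying the tcpdump check from Jim's steps 5 and 6 to text captures from the external and internal interfaces. The capture lines are constructed and only approximate "tcpdump -n" output; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original posts: sanity-check text captures taken
# with "tcpdump -n" on a SKIP host's external and internal interfaces for the
# pattern described above: SKIP (IP protocol 57) on the outside, cleartext on
# the inside, and no RFC 1918 cleartext leaking out the external interface.

# Constructed sample captures (not real traffic); the line format only
# approximates tcpdump -n output.
EXT_OK='10:38:14.000001 IP 203.0.113.5 > 198.51.100.7: ip-proto-57 132
10:38:14.000002 IP 198.51.100.7 > 203.0.113.5: ip-proto-57 132'
# Same as EXT_OK plus one private-network packet that escaped the tunnel.
EXT_LEAK="$EXT_OK
10:38:14.000003 IP 192.168.1.10.3456 > 10.1.1.20.23: Flags [S], seq 1, length 0"
INT_OK='10:38:14.000004 IP 192.168.1.10.3456 > 10.1.1.20.23: Flags [S], seq 1, length 0
10:38:14.000005 IP 10.1.1.20.23 > 192.168.1.10.3456: Flags [S.], seq 2, length 0'

# Number of lines tcpdump printed as IP protocol 57 (SKIP).
count_skip() {
    printf '%s\n' "$1" | grep -c 'ip-proto-57' || true
}

# Number of non-SKIP lines with an RFC 1918 source or destination address.
count_private_cleartext() {
    printf '%s\n' "$1" | grep -v 'ip-proto-57' \
        | grep -Ec '(^| )(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)[0-9.]*' || true
}

# verify_tunnel EXT_CAPTURE INT_CAPTURE
# Returns 0 when the captures look like a working tunnel, 1 otherwise,
# and prints the first check that failed.
verify_tunnel() {
    ext_cap="$1"; int_cap="$2"
    if [ "$(count_skip "$ext_cap")" -eq 0 ]; then
        echo "no SKIP (proto 57) packets on external interface: check skipd.log and keys"
        return 1
    fi
    if [ "$(count_private_cleartext "$ext_cap")" -ne 0 ]; then
        echo "RFC 1918 cleartext on external interface: network not added to the tunnel (step 5)"
        return 1
    fi
    if [ "$(count_private_cleartext "$int_cap")" -eq 0 ]; then
        echo "no private-network cleartext on internal interface: check static routes"
        return 1
    fi
    echo "captures consistent with a working SKIP tunnel"
}

verify_tunnel "$EXT_OK" "$INT_OK"
verify_tunnel "$EXT_LEAK" "$INT_OK" || echo "(expected failure for the leaking capture)"
```

On a real skiphost, feed the functions the output of `tcpdump -n -i <interface>` saved to a file instead of the constructed strings.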
