From owner-freebsd-security Mon Oct 4 7:41:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id B48C7154C9 for ; Mon, 4 Oct 1999 07:41:30 -0700 (PDT) (envelope-from jflowers@ezo.net)
Received: from crocus (c3-1f194.neo.rr.com [24.93.235.194]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id KAA13484; Mon, 4 Oct 1999 10:40:56 -0400 (EDT)
Message-ID: <002e01bf0e76$18410f70$23b197ce@ezo.net>
From: "Jim Flowers"
To: "Theo Purmer (Tepucom)"
Cc: , "'freebsd-security@freebsd.org'"
References: <01BF0CE4.D6279BA0.theo@tepucom.nl>
Subject: Re: skip basic procedure
Date: Mon, 4 Oct 1999 10:38:14 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

SKIP doesn't do routing. You have to use something else. Mostly I use static routes. Generally, the inside interface (RFC 1918) will create a route to the internal network.

However, it sounds like you don't really have a SKIP connection. Can you verify in skipd.log? Use tcpdump to verify SKIP (proto 57) packets on the incoming interface and equivalent cleartext packets on the internal interface. This assumes you have a multi-homed skiphost.

What I have found to work best is:

1. With SKIP turned off, verify that the two skiphosts can communicate with each other.

2. Set up SKIP on each of the skiphosts by running `skiplocal export` on the opposite-end skiphost and then executing it as a shell script.

3. Set default in cleartext (`skiphost -a default`) and turn it on at each end (`skiphost -o on`).

4. Debug this configuration. Is the time correct on each skiphost? Are the keys valid? A good idea is to telnet to a third machine and from there to the far end so that the session will continue even if SKIP doesn't work. Use skiplog to see if there are errors.

5. Once you get 4. working, add the RFC 1918 networks using the far-end skiphost as the tunnel entrance.

6. Use tcpdump on the external and internal interfaces of each skiphost to debug.

It is also instructive to run the skiptool if you have X Windows. When you enable the SKIP interface it offers suggestions on addresses that should be allowed in cleartext.

Have DNS set up and working properly so that skiphost can find all the reverse lookups, or you will wait for what seems like forever.

Search the freebsd-security list for skip; I posted stuff like this lots of times.

----- Original Message -----
From: Theo Purmer (Tepucom)
To:
Sent: Saturday, October 02, 1999 8:45 AM
Subject: skip

> Hi Jim
>
> hope you don't mind me sending you some email
> about skip. In some archive I found your name on
> a message where you said you had good experiences
> with skip on freebsd
>
> I'm having some trouble getting a VPN with skip running
> and I was wondering if you could give me a hint on
> the skip config file.
>
> I'm trying to route 2 RFC 1918 networks over two skip
> machines via the internet but data does arrive but
> isn't routed to the second (RFC 1918) NIC in the machine
>
> some help would be greatly appreciated
>
> thanks
>
> theo purmer
> theo@tepucom.nl
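The tcpdump check from steps 5 and 6 above (SKIP, IP protocol 57, between the two skiphosts on the outside; cleartext RFC 1918 traffic on the inside), written out as an added example that is not part of the original post and not part of SKIP or FreeBSD. It consumes a constructed, simplified per-packet summary (interface, source, destination, IP protocol number), not verbatim tcpdump output, and flags the failure mode behind Theo's symptom seen from the other direction: RFC 1918 cleartext showing up on the external interface, which means the tunnel is not encapsulating. Interface names, addresses and sample lines are assumptions chosen for the example.

```python
"""Audit a SKIP tunnel from a per-interface packet summary (added example)."""
import ipaddress
from dataclasses import dataclass

SKIP_PROTO = 57  # IANA protocol number for SKIP; matches the "proto 57" tcpdump filter
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    iface: str   # interface the packet was seen on
    src: str     # source IP address
    dst: str     # destination IP address
    proto: int   # IP protocol number (57 = SKIP, 1 = ICMP, 6 = TCP, ...)


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line: str) -> Packet:
    """Parse one constructed summary line: '<iface> <src> > <dst> proto <n>'.

    This is a simplified format assumed for the example, not tcpdump's own.
    """
    iface, src, arrow, dst, word, proto = line.split()
    if arrow != ">" or word != "proto":
        raise ValueError(f"unrecognised line: {line!r}")
    return Packet(iface, src, dst, int(proto))


def audit(lines, external, internal, local_skiphost, remote_skiphost):
    """Classify packets the way steps 5 and 6 of the post describe.

    Outside: only proto 57 between the two skiphosts should carry the private
    networks; any RFC 1918 address in cleartext there is a leak (tunnel not
    encapsulating). Other public cleartext is allowed by 'skiphost -a default'.
    Inside: expect cleartext RFC 1918 traffic; SKIP packets there are odd.
    """
    findings = {"skip_seen": 0, "cleartext_leaks": [], "other_cleartext": 0,
                "internal_cleartext": 0, "unexpected": []}
    for line in lines:
        p = parse_line(line)
        private = is_private(p.src) or is_private(p.dst)
        if p.iface == external:
            if p.proto == SKIP_PROTO and {p.src, p.dst} == {local_skiphost, remote_skiphost}:
                findings["skip_seen"] += 1
            elif private:
                findings["cleartext_leaks"].append(line)
            else:
                findings["other_cleartext"] += 1
        elif p.iface == internal:
            if p.proto != SKIP_PROTO and private:
                findings["internal_cleartext"] += 1
            else:
                findings["unexpected"].append(line)
        else:
            findings["unexpected"].append(line)
    return findings


def healthy(findings) -> bool:
    """A working tunnel shows SKIP outside, cleartext inside, and no leaks."""
    return (findings["skip_seen"] > 0
            and findings["internal_cleartext"] > 0
            and not findings["cleartext_leaks"]
            and not findings["unexpected"])


# Constructed sample: ext0 is the Internet-facing interface, int0 the RFC 1918 side.
# 203.0.113.10 is the local skiphost, 198.51.100.20 the far end (documentation ranges).
SAMPLE = """\
ext0 203.0.113.10 > 198.51.100.20 proto 57
ext0 198.51.100.20 > 203.0.113.10 proto 57
int0 192.168.1.5 > 10.0.0.7 proto 1
int0 10.0.0.7 > 192.168.1.5 proto 1
ext0 203.0.113.10 > 198.51.100.20 proto 6
ext0 192.168.1.5 > 10.0.0.7 proto 1
""".splitlines()

if __name__ == "__main__":
    result = audit(SAMPLE, "ext0", "int0", "203.0.113.10", "198.51.100.20")
    print(result)
    print("tunnel healthy:", healthy(result))
```

The last sample line is the interesting one: an ICMP packet between two RFC 1918 hosts leaving on the external interface in cleartext. On a correctly configured pair it would have been wrapped in proto 57, so its presence says the route to the far private network is not pointing into the tunnel, exactly the distinction between "data arrives" and "data is routed through SKIP" that the reply draws.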