Date: Fri, 25 Jul 1997 09:07:12 -0400
From: John Capo <jc@irbs.com>
To: Christian.Gusenbauer@utimaco.co.at
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD and skip packets
Message-ID: <19970725090712.54298@irbs.com>
In-Reply-To: <33D84BF5.4099@utimaco.co.at>; from Christian Gusenbauer on Fri, Jul 25, 1997 at 08:47:17AM +0200
References: <18271.869774753@orion.webspan.net> <33D84BF5.4099@utimaco.co.at>
You need to use the tunnel capabilities in SKIP. I am connecting two RFC1918 networks via two FreeBSD 2.1.7 firewalls running SKIP right now, and I am installing a third RFC1918 network today.

    skiphost -i tun0 -a 192.168.1.0 -M 255.255.255.0 -A tunnel_endpoint_address

Plus the other encryption, secrets, etc. arguments to skiphost.

IP forwarding is enabled on the firewalls, but forwarding is limited with ipfw filters. The border routers also block all access to the internal RFC1918 networks.

The skiphost command above says to send all packets for 192.168.1.0/24 to the tunnel_endpoint_address. The sending SKIP encrypts the packet, attaches a SKIP header to it, and then attaches an IP header with the tunnel_endpoint_address as the destination. The receiving SKIP authenticates, decrypts, and passes the packet addressed to 192.9.168.X to the IP layer. IP happily routes the packet to the proper interface for the 192.9.168.0/24 network, in my case an Ethernet.

SKIP has what I consider a bug in that it sends packets through the tunnel with the original RFC1918 source address in the IP header. I changed that to use the interface address the packet is being sent from for the source address.

Does anyone have Sun SKIP working on 2.2?

John Capo
IRBS Engineering
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970725090712.54298>
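The encapsulation John describes (encrypt, add a SKIP header, add an outer IP header addressed to the tunnel endpoint) and the outer-source-address behaviour he calls a bug, as an added example that is not part of the original message and not Sun SKIP code. The SKIP header and the encryption are replaced by an opaque placeholder; only the IPv4 header handling (build, parse, checksum) is real. The network 192.168.1.0/24 is the one named in the skiphost command; the other inner addresses, the tunnel endpoints and the egress interface address are assumed (RFC 5737 documentation ranges), and the border-router check is a model of "block all access to the internal RFC1918 networks", not a real ipfw ruleset.

```python
"""Simplified model of SKIP tunnel-mode encapsulation as described in the post.

Added example, not code from the original message or from Sun SKIP. The SKIP
header and the encryption are an opaque placeholder; the IPv4 header handling
is real. Addresses other than 192.168.1.0/24 are assumed for illustration.
"""
import ipaddress
import struct

IPPROTO_SKIP = 57  # IANA protocol number assigned to SKIP
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))  # fill in header checksum
    return IPV4_HDR.pack(*fields)


def parse_ipv4_header(pkt: bytes) -> dict:
    vihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(pkt)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < total_len:
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ihl": ihl, "total_len": total_len}


# Placeholder for "encrypt the packet and attach a SKIP header". This is NOT
# SKIP's wire format and NOT a cipher; it only makes the inner packet opaque.
_MARK = b"SKIP-PLACEHOLDER"


def _wrap(inner: bytes) -> bytes:
    return _MARK + bytes(b ^ 0x5A for b in inner)


def _unwrap(body: bytes) -> bytes:
    if not body.startswith(_MARK):
        raise ValueError("not a tunnel packet from this model")
    return bytes(b ^ 0x5A for b in body[len(_MARK):])


def encapsulate(inner_pkt: bytes, tunnel_endpoint: str, egress_addr: str,
                fix_source: bool = True) -> bytes:
    """Sending side. fix_source=False reproduces the behaviour the post calls a
    bug (outer source = original RFC1918 source); True applies the post's change
    (outer source = address of the interface the packet leaves on)."""
    inner = parse_ipv4_header(inner_pkt)
    body = _wrap(inner_pkt)
    outer_src = egress_addr if fix_source else inner["src"]
    return build_ipv4_header(outer_src, tunnel_endpoint, IPPROTO_SKIP, len(body)) + body


def decapsulate(outer_pkt: bytes) -> bytes:
    """Receiving side: check the outer header, strip it, and hand the inner
    packet back so IP can route it by its own destination address."""
    outer = parse_ipv4_header(outer_pkt)
    if outer["proto"] != IPPROTO_SKIP:
        raise ValueError("outer packet is not SKIP")
    inner_pkt = _unwrap(outer_pkt[outer["ihl"]:outer["total_len"]])
    parse_ipv4_header(inner_pkt)  # the inner packet must itself be valid IPv4
    return inner_pkt


def border_router_allows(pkt: bytes) -> bool:
    """Model of a border router that blocks any packet to or from RFC1918 space."""
    hdr = parse_ipv4_header(pkt)
    for field in ("src", "dst"):
        addr = ipaddress.IPv4Address(hdr[field])
        if any(addr in net for net in RFC1918):
            return False
    return True


def demo() -> dict:
    # Constructed inner packet: a host on an assumed local RFC1918 network sends
    # to a host on 192.168.1.0/24, the network named in the skiphost command.
    inner = build_ipv4_header("192.168.2.10", "192.168.1.20", 6, 8) + b"payload!"
    leaky = encapsulate(inner, "203.0.113.2", "198.51.100.1", fix_source=False)
    fixed = encapsulate(inner, "203.0.113.2", "198.51.100.1", fix_source=True)
    return {
        "leaky_outer_src": parse_ipv4_header(leaky)["src"],
        "fixed_outer_src": parse_ipv4_header(fixed)["src"],
        "leaky_passes_border": border_router_allows(leaky),
        "fixed_passes_border": border_router_allows(fixed),
        "roundtrip_ok": decapsulate(fixed) == inner,
        "inner_dst": parse_ipv4_header(decapsulate(fixed))["dst"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block shows the two outer headers side by side: with the original behaviour the outer packet carries an RFC1918 source and is dropped by the modelled border filter, while with the interface address as outer source it passes and decapsulates back to the original inner packet, whose destination on 192.168.1.0/24 is then routed by IP as usual.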