From owner-freebsd-security Fri Jul 25 06:07:45 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA01968 for security-outgoing; Fri, 25 Jul 1997 06:07:45 -0700 (PDT)
Received: from cayman.irbs.com (cayman.irbs.com [199.182.75.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA01963 for ; Fri, 25 Jul 1997 06:07:39 -0700 (PDT)
Received: (from jc@localhost) by cayman.irbs.com (8.8.5/8.8.5) id JAA28747; Fri, 25 Jul 1997 09:07:13 -0400 (EDT)
Message-ID: <19970725090712.54298@irbs.com>
Date: Fri, 25 Jul 1997 09:07:12 -0400
From: John Capo
To: Christian.Gusenbauer@utimaco.co.at
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD and skip packets
References: <18271.869774753@orion.webspan.net> <33D84BF5.4099@utimaco.co.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.69
In-Reply-To: <33D84BF5.4099@utimaco.co.at>; from Christian Gusenbauer on Fri, Jul 25, 1997 at 08:47:17AM +0200
X-Organization: IRBS Engineering, (954) 242-9167
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

You need to use the tunnel capabilities in SKIP. I am connecting two RFC1918 networks via two FreeBSD 2.1.7 firewalls running SKIP right now, and I am installing a third RFC1918 network today.

    skiphost -i tun0 -a 192.168.1.0 -M 255.255.255.0 -A tunnel_endpoint_address

Plus the other encryption, secrets, etc. arguments to skiphost.

IP forwarding is enabled on the firewalls, but forwarding is limited with ipfw filters. The border routers also block all access to the internal RFC1918 networks.

The skiphost command above says to send all packets for 192.168.1.0/24 to the tunnel_endpoint_address. The sending SKIP encrypts the packet, attaches a SKIP header to it, and then attaches an IP header with the tunnel_endpoint_address as the destination. The receiving SKIP authenticates, decrypts, and passes the packet addressed to 192.9.168.X to the IP layer. IP happily routes the packet to the proper interface for the 192.9.168.0/24 network, in my case an Ethernet.

SKIP has what I consider a bug in that it sends packets through the tunnel with the original RFC1918 source address in the IP header. I changed that to use the interface address the packet is being sent from for the source address.

Does anyone have Sun SKIP working on 2.2?

John Capo
IRBS Engineering
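The following is an added illustration, not code from John Capo's mail or from Sun SKIP. It models the encapsulation the mail describes (inner RFC1918 packet, then a SKIP header, then an outer IP header addressed to the tunnel endpoint) and the outer-source-address point: an outer header carrying the original RFC1918 source is exactly what a border router filtering private address space would drop. Assumptions: the SKIP header is represented by an opaque placeholder byte string and no encryption is performed (the real SKIP header layout and the key schedule are not reconstructed here); IP protocol number 57 is the IANA assignment for SKIP; all addresses are constructed sample values (RFC1918 and documentation ranges), and the function names are the author's own.

```python
import ipaddress
import struct

SKIP_PROTO = 57  # IANA protocol number assigned to SKIP (assumption stated in lead-in)

# RFC1918 private ranges; a border router that blocks "all access to the internal
# RFC1918 networks" will also drop tunnel packets whose outer source lies here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr is in one of the RFC1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def ip_checksum(data: bytes) -> int:
    """Standard ones'-complement IPv4 header checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 packet; raises ValueError if the header checksum is bad."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if ip_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "proto": proto,
        "ttl": ttl,
        "payload": packet[ihl:total_len],
    }


def skip_encapsulate(inner_packet: bytes, outer_src: str, tunnel_endpoint: str,
                     skip_header: bytes = b"SKIPHDR-PLACEHOLDER") -> bytes:
    """Wrap inner_packet as: outer IPv4 header | placeholder SKIP header | inner packet.

    Encryption of the inner packet is deliberately omitted in this model; the
    point shown is only which address ends up as the outer source.
    """
    payload = skip_header + inner_packet
    return ipv4_header(outer_src, tunnel_endpoint, SKIP_PROTO, len(payload)) + payload


def tunnel_packet_leaks_private_source(outer_packet: bytes) -> bool:
    """Model the border-router check: does the outer header carry an RFC1918 source?"""
    return is_rfc1918(parse_ipv4(outer_packet)["src"])


if __name__ == "__main__":
    # Constructed sample: a UDP packet from one private net to the other (8 zero bytes as payload).
    inner = ipv4_header("192.168.2.10", "192.168.1.20", 17, 8) + b"\x00" * 8
    # Behaviour the mail calls a bug: outer source = original RFC1918 source.
    leaky = skip_encapsulate(inner, "192.168.2.10", "203.0.113.1")
    # The fix described: outer source = the sending firewall's interface address.
    fixed = skip_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    print("leaky packet dropped at border:", tunnel_packet_leaks_private_source(leaky))
    print("fixed packet dropped at border:", tunnel_packet_leaks_private_source(fixed))
```

Running the block prints `True` for the packet whose outer source is the private address and `False` for the one rewritten to the firewall's interface address; parse_ipv4 on the outer packet also shows the tunnel endpoint as the outer destination and protocol 57, while the original inner packet is recovered unchanged after the placeholder SKIP header.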