From owner-freebsd-security Sat Sep 25 19:05:51 1999
Date: Sat, 25 Sep 1999 22:05:32 -0400 (EDT)
From: Jim Flowers
To: "Theo Purmer (Tepucom)"
Cc: "'Archie Cobbs'", "freebsd-security@FreeBSD.ORG"
Subject: RE: AW: skip and vpn
In-Reply-To: <01BF07BA.1AAD4DE0.theo@tepucom.nl>

I think you need your route on a host different than the skiphost that advertises it or that you point to as a gateway. There is no reason for arp to be involved for other than the local network. You might also want to set up an ACL entry for the skiphost to talk to the other skiphost through the VPN, as well.

In other words a source host sends the packets to the skiphost due to a static route. The skiphost looks at the destination IP and checks its ACL to find out that it goes over the VPN, encrypts and encapsulates the packet and uses the distant end public address for the destination address of the new packet which is then routed in accordance with the routes in its kernel, usually the default route to the Internet. Whew.

Jim Flowers
#4 ISP on C|NET, #1 in Ohio

On Sun, 26 Sep 1999, Theo Purmer (Tepucom) wrote:

> yeah i added routes but that didn't seem to be a good
> idea cuz i get all kinds of kernel messages saying
> it cannot resolve the mac address from the remote
>
> that's the problem but i don't know how else to get
> the machine to route the packets for the remote
> 1918 network via the secure skip tunnel....
>
> thanks
>
> theo
>
> ----------
> From: Archie Cobbs[SMTP:archie@whistle.com]
> Sent: Saturday 25 September 1999 1:48
> To: Theo Purmer (Tepucom)
> CC: freebsd-security@FreeBSD.ORG
> Subject: Re: AW: skip and vpn
>
> Theo Purmer (Tepucom) writes:
> > one is 192.168.1.0/24
> >
> > other is 192.168.2.0/24
>
> OK, so they are disjoint (they don't overlap). Nevermind that idea.
> Did you add routes for the rfc1918 networks? I think you should not.
> But now my memory is getting hazy...
>
> Clearly machine A shouldn't be ARP'ing for the remote network addresses.
>
> -Archie
>
> ___________________________________________________________________________
> Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
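A small model of the forwarding chain Jim describes (static route on the source host, ACL lookup and encapsulation on the skiphost, outer packet routed via the default route), added here as an illustration and not code from the thread or from SKIP itself. The public addresses, ISP gateway, interface labels and route/ACL tables are constructed for the example; the last table shows why a route that makes the remote net look directly attached produces ARP requests for remote addresses, the symptom Theo and Archie discuss.

```python
import ipaddress

# Constructed topology (assumption): site A LAN 192.168.1.0/24 with the skiphost
# at 192.168.1.1; site B LAN 192.168.2.0/24 behind a peer skiphost.
SKIP_B_PUBLIC = "198.51.100.20"   # placeholder public address of the remote skiphost
ISP_GATEWAY = "203.0.113.1"       # placeholder default gateway of the local skiphost

def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway-or-None, iface) tuples."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def next_hop(routes, dst):
    """Address the sender must ARP for: the gateway, or dst itself when the
    route is directly attached. ARP only ever makes sense on the local wire."""
    r = lookup(routes, dst)
    if r is None:
        return "unroutable"
    _net, gw, _iface = r
    return gw if gw else str(dst)

# Source host A: static route for the remote RFC1918 net pointing at the skiphost.
HOST_A_ROUTES = [("192.168.1.0/24", None, "lan"),
                 ("192.168.2.0/24", "192.168.1.1", "lan")]

# Skiphost: the ACL (not the kernel routing table) says 192.168.2.0/24 is reached
# through the tunnel; its kernel routes carry only the LAN and the default route.
SKIP_ACL = {"192.168.2.0/24": SKIP_B_PUBLIC}
SKIP_ROUTES = [("192.168.1.0/24", None, "lan"),
               ("0.0.0.0/0", ISP_GATEWAY, "wan")]

def skiphost_forward(inner_dst):
    """ACL match -> encrypt/encapsulate with the peer's public address as the
    outer destination -> route the outer packet with the ordinary kernel routes."""
    for prefix, peer in SKIP_ACL.items():
        if ipaddress.ip_address(inner_dst) in ipaddress.ip_network(prefix):
            return {"encrypted": True, "outer_dst": peer,
                    "arp_for": next_hop(SKIP_ROUTES, peer)}
    return {"encrypted": False, "outer_dst": inner_dst,
            "arp_for": next_hop(SKIP_ROUTES, inner_dst)}

# Misconfiguration: the remote net added on the skiphost as a directly attached
# route, so the kernel tries to ARP for 192.168.2.x on the local LAN and fails.
BAD_SKIP_ROUTES = SKIP_ROUTES + [("192.168.2.0/24", None, "lan")]
```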