Date:      Tue, 5 Oct 1999 15:37:31 +0900 
From:      "Austin, Michael H POJ" <Michael.H.Austin@poj.usace.army.mil>
To:        "'Theo Purmer (Tepucom)'" <theo@tepucom.nl>, 'Jim Flowers' <jflowers@ezo.net>
Cc:        skip-info@skip-vpn.org, "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject:   RE: skip basic procedure
Message-ID:  <FFFCA5F3EDD3D111B29E00A0245DBB0264901F@pojmail03.poj.usace.army.mil>

Theo,

If I understand your problem correctly, your packets get dropped because your
source address is an rfc1918 address.
To get around that problem you can have skip change the source address to
the "legal" address you are using on the skip host's public interface by
using the "-f <legal ip address>" option.

I don't think it's mentioned in the skiphost man page but I recall seeing it
in a post on this mailing list.  I use it and it works.

Michael Austin

-----Original Message-----
From: Theo Purmer (Tepucom) [mailto:theo@tepucom.nl]
Sent: Tuesday, October 05, 1999 3:05 PM
To: Theo Purmer (Tepucom); 'Jim Flowers'
Cc: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
Subject: RE: skip basic procedure


Thanks Jim for the help.

I've got a skip session running between
two machines and the rfc1918 network
is connected. What I found to be the problem
is that skip leaves the rfc1918 sender address
in the packet even if it goes through the
tunnel. The routers and firewalls in between don't
allow an rfc1918 sender or receiver address, so
the packets don't arrive at the other end.

In the archives John Capo has the same problem;
he sent me some data to change the source
so that doesn't happen anymore. I'm working on
that now.

Do you have any idea as to who maintains the skip
website? Maybe it's a good idea to publish this on
the website when I've got it running.

Thanks again

Theo Purmer
----------
From: 	Jim Flowers[SMTP:jflowers@ezo.net]
Sent: 	Monday, 4 October 1999 16:38
To: 	Theo Purmer (Tepucom)
CC: 	skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
Subject: 	Re: skip basic procedure


Skip doesn't do routing.  You have to use something else.  Mostly I use
static routes.  Generally, the inside interface (rfc 1918) will create a
route to the internal network.

However, it sounds like you don't really have a SKIP connection.  Can you
verify in skipd.log?  Use tcpdump to verify skip (proto 57) packets on the
incoming interface and equivalent cleartext packets on the internal
interface.  Assumes you have a multi-homed skiphost.

What I have found to work best is:

1. With skip turned off, verify that the two skiphosts can communicate with
each other.
2. Setup skip on each of the skiphosts by running skiplocal export on the
opposite end skiphost and then executing it as a shell script.
3. Set default in cleartext (`skiphost -a default`) and turn it on at each
end (`skiphost -o on`).
4. Debug this configuration.  Is the time correct on each skiphost?  Are the
keys valid?  A good idea is to telnet to a third machine and from there to the
far end so that the session will continue even if skip doesn't work. Use
skiplog to see if there are errors.
5. Once you get 4. working, add the RFC1918 networks using the far end
skiphost as the tunnel entrance.
6. Use tcpdump on the external and internal interfaces of each skiphost to
debug.

It is also instructive to run the skiptool if you have xwindows.  When you
enable the skip interface it offers suggestions on addresses that should be
allowed in cleartext.

Have DNS set up and working properly so that skiphost can find all the
reverse lookups or you will wait for what seems like forever.

Search the freebsd-security list for skip; I posted stuff like this lots of
times.

----- Original Message -----
From: Theo Purmer (Tepucom) <theo@tepucom.nl>
To: <jflowers@ezo.net>
Sent: Saturday, October 02, 1999 8:45 AM
Subject: skip


> Hi Jim
>
> Hope you don't mind me sending you some email
> about skip. In some archive I found your name on
> a message where you said you had good experiences
> with skip on FreeBSD.
>
> I'm having some trouble getting a VPN with skip running
> and I was wondering if you could give me a hint on
> the skip config file.
>
> I'm trying to route 2 rfc 1918 networks over two skip
> machines via the internet; the data does arrive but
> isn't routed to the second (rfc1918) NIC in the machine.
>
> Some help would be greatly appreciated.
>
> Thanks
>
> Theo Purmer
> theo@tepucom.nl
>
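
Added illustration (not code from the thread, from SKIP or from FreeBSD): a small Python model of the two points the thread turns on, Jim's check for SKIP packets (IP protocol 57) on the wire, and Theo's problem of an rfc1918 outer source address being dropped in transit, with the fix Michael describes (rewriting the outer source to the skiphost's legal address). All addresses and the header contents are constructed; the transit policy is the one Theo reports, not a real router's.

```python
"""Model of the SKIP-over-rfc1918 problem from the thread (constructed example)."""
import ipaddress
import struct

SKIP_PROTO = 57  # IP protocol number SKIP uses; what "proto 57" means in tcpdump
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 private ranges (not all of is_private)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int = 0) -> bytes:
    """Constructed outer IPv4 header; checksum left zero for simplicity."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def parse_ipv4_header(pkt: bytes) -> dict:
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst))}


def is_skip_packet(pkt: bytes) -> bool:
    """The condition Jim asks you to verify with tcpdump on the external interface."""
    return parse_ipv4_header(pkt)["proto"] == SKIP_PROTO


def transit_filter(pkt: bytes) -> str:
    """Policy Theo reports for the routers in between: no rfc1918 sender or receiver."""
    h = parse_ipv4_header(pkt)
    return "drop" if is_rfc1918(h["src"]) or is_rfc1918(h["dst"]) else "forward"


def rewrite_outer_source(pkt: bytes, public_src: str) -> bytes:
    """Effect of the -f <legal ip address> option as described by Michael:
    the outer source becomes the skiphost's public address.  (A real
    implementation must also recompute the header checksum.)"""
    return pkt[:12] + ipaddress.ip_address(public_src).packed + pkt[16:]


if __name__ == "__main__":
    # Constructed: internal sender 192.168.1.10, skiphosts on documentation prefixes.
    before = build_ipv4_header("192.168.1.10", "198.51.100.2", SKIP_PROTO)
    after = rewrite_outer_source(before, "203.0.113.1")
    print(is_skip_packet(before), transit_filter(before))  # True drop
    print(is_skip_packet(after), transit_filter(after))    # True forward
```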



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message