From owner-freebsd-security Mon Oct 4 23:38:08 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pojmail03.poj.usace.army.mil (pojmail03.poj.usace.army.mil [207.133.201.13]) by hub.freebsd.org (Postfix) with ESMTP id CA9D5152B7 for ; Mon, 4 Oct 1999 23:37:44 -0700 (PDT) (envelope-from Michael.H.Austin@poj.usace.army.mil)
Received: by pojmail03.poj.usace.army.mil with Internet Mail Service (5.5.2650.10) id <4G4262Y6>; Tue, 5 Oct 1999 15:37:32 +0900
Message-ID:
From: "Austin, Michael H POJ"
To: "'Theo Purmer (Tepucom)'", 'Jim Flowers'
Cc: skip-info@skip-vpn.org, "'freebsd-security@freebsd.org'"
Subject: RE: skip basic procedure
Date: Tue, 5 Oct 1999 15:37:31 +0900
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.10)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Theo,

If I understand your problem correctly, your packets get dropped because your source address is an rfc1918 address. To get around that problem you can have skip change the source address to the "legal" address you are using on the skip host's public interface by using the "-f " option. I don't think it's mentioned in the skiphost man page, but I recall seeing it in a post on this mailing list. I use it and it works.

Michael Austin

-----Original Message-----
From: Theo Purmer (Tepucom) [mailto:theo@tepucom.nl]
Sent: Tuesday, October 05, 1999 3:05 PM
To: Theo Purmer (Tepucom); 'Jim Flowers'
Cc: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
Subject: RE: skip basic procedure

Thanks Jim for the help. I've got a skip session running between two machines and the rfc1918 network is connected. What I found to be the problem is that skip leaves the rfc1918 sender address in the packet even if it goes through the tunnel.
The routers and firewalls in between don't allow an rfc1918 sender or receiver address, so the packets don't arrive at the other end. In the archives John Capo has the same problem; he sent me some data to change the source with so that doesn't happen anymore. I'm working on that now.

Do you have any idea as to who maintains the skip website? Maybe it's a good idea to publish this on the website when I've got it running.

Thanks again,

Theo Purmer

----------
From: Jim Flowers[SMTP:jflowers@ezo.net]
Sent: Monday, 4 October 1999 16:38
To: Theo Purmer (Tepucom)
CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
Subject: Re: skip basic procedure

Skip doesn't do routing. You have to use something else. Mostly I use static routes. Generally, the inside interface (rfc 1918) will create a route to the internal network.

However, it sounds like you don't really have a SKIP connection. Can you verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the incoming interface and equivalent cleartext packets on the internal interface. Assumes you have a multi-homed skiphost.

What I have found to work best is:

1. With skip turned off, verify that the two skiphosts can communicate with each other.

2. Set up skip on each of the skiphosts by running skiplocal export on the opposite end skiphost and then executing it as a shell script.

3. Set default in cleartext (`skiphost -a default`) and turn it on at each end (`skiphost -o on`).

4. Debug this configuration. Is the time correct on each skiphost? Are the keys valid? A good idea is to telnet to a third machine and from there to the far end so that the session will continue even if skip doesn't work. Use skiplog to see if there are errors.

5. Once you get 4. working, add the RFC1918 networks using the far end skiphost as the tunnel entrance.

6. Use tcpdump on the external and internal interfaces of each skiphost to debug.

It is also instructive to run the skiptool if you have xwindows.
When you enable the skip interface it offers suggestions on addresses that should be allowed in cleartext.

Have DNS set up and working properly so that skiphost can find all the reverse lookups, or you will wait for what seems like forever.

Search the freebsd-security list for skip; I posted stuff like this lots of times.

----- Original Message -----
From: Theo Purmer (Tepucom)
To:
Sent: Saturday, October 02, 1999 8:45 AM
Subject: skip

> Hi Jim
>
> hope you don't mind me sending you some email
> about skip. In some archive I found your name on
> a message where you said you had good experiences
> with skip on freebsd
>
> I'm having some trouble getting a vpn with skip running
> and I was wondering if you could give me a hint on
> the skip config file.
>
> I'm trying to route 2 rfc 1918 networks over two skip
> machines via the internet but data does arrive but
> isn't routed to the second (rfc1918) nic in the machine
>
> some help would be greatly appreciated
>
> thanks
>
> theo purmer
> theo@tepucom.nl
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
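An added diagnostic example for the tcpdump check Jim Flowers recommends (proto 57 on the external interface, cleartext on the internal one) and for the dropped-packet symptom Theo and Michael describe. This is not code from the thread or from the SKIP distribution. It parses constructed lines approximating tcpdump's "IP src > dst: ..." output from a skiphost's public interface and sorts them into three buckets: SKIP packets with public outer addresses (what you want to see), SKIP packets whose outer header still carries an RFC 1918 address (the ones upstream routers and firewalls drop), and non-SKIP packets carrying private addresses (traffic that is bypassing the tunnel entirely). The line format, the sample lines and the addresses are all assumptions constructed for the example.

```python
"""Audit tcpdump-style output from a SKIP host's external interface.

Constructed example; not part of the original mailing-list thread or of SKIP.
"""
import ipaddress
import re
from collections import Counter

SKIP_PROTO = 57  # IP protocol number SKIP packets use (as stated in the thread)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Approximation of tcpdump's "<ts> IP src[.port] > dst[.port]: <rest>" line (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the three RFC 1918 private blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_line(line: str):
    """Return (src, dst, proto) for a recognised line, else None.

    proto is the numeric IP protocol for 'ip-proto-N' lines and a guess
    (TCP=6, UDP=17, ICMP=1) for lines tcpdump decoded further.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    pm = re.match(r"ip-proto-(\d+)", rest)
    if pm:
        proto = int(pm.group(1))
    elif rest.startswith("ICMP"):
        proto = 1
    elif rest.startswith("UDP"):
        proto = 17
    elif rest.startswith("Flags"):
        proto = 6
    else:
        proto = "other"
    return m.group("src"), m.group("dst"), proto


def audit_external(lines):
    """Classify packets seen on the public interface.

    Returns (counts, offenders): counts is a Counter over the buckets
    skip_ok, skip_bad_outer, cleartext_private, cleartext_public, unparsed;
    offenders lists the raw lines that would be dropped upstream or that
    leak private traffic outside the tunnel.
    """
    counts = Counter()
    offenders = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            counts["unparsed"] += 1
            continue
        src, dst, proto = parsed
        private = is_rfc1918(src) or is_rfc1918(dst)
        if proto == SKIP_PROTO:
            if private:  # outer header still carries the rfc1918 sender: upstream drops it
                counts["skip_bad_outer"] += 1
                offenders.append(line)
            else:
                counts["skip_ok"] += 1
        elif private:  # private address leaving in cleartext: tunnel bypassed
            counts["cleartext_private"] += 1
            offenders.append(line)
        else:
            counts["cleartext_public"] += 1
    return counts, offenders


# Constructed sample capture (documentation-range addresses stand in for public ones).
SAMPLE_EXTERNAL = [
    "15:37:01.000001 IP 203.0.113.10 > 198.51.100.20: ip-proto-57 132",
    "15:37:01.000002 IP 192.168.1.5 > 198.51.100.20: ip-proto-57 132",
    "15:37:01.000003 IP 192.168.1.5.1034 > 192.168.2.9.23: Flags [S], seq 1, win 65535, length 0",
    "15:37:01.000004 IP 203.0.113.10.53 > 198.51.100.20.53: UDP, length 40",
    "garbage line that tcpdump would not print",
]

if __name__ == "__main__":
    counts, offenders = audit_external(SAMPLE_EXTERNAL)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:18s} {n}")
    for line in offenders:
        print("OFFENDER:", line)
```

Run it against a real capture by feeding `tcpdump -n -i <external_if>` output line by line; a non-zero `skip_bad_outer` count is the symptom from the thread (the tunnel is up but the outer source is still private), while a non-zero `cleartext_private` count means the private networks were not yet added behind the tunnel entrance in step 5.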