From owner-freebsd-security Tue Oct 5 6:43:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id A85AE1563C for ; Tue, 5 Oct 1999 06:42:44 -0700 (PDT) (envelope-from jflowers@ezo.net) Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id JAA26510; Tue, 5 Oct 1999 09:42:15 -0400 (EDT) Date: Tue, 5 Oct 1999 09:42:15 -0400 (EDT) From: Jim Flowers To: "Theo Purmer (Tepucom)" Cc: "Theo Purmer (Tepucom)" , "skip-info@skip-vpn.org" , "'freebsd-security@freebsd.org'" Subject: RE: skip basic procedure In-Reply-To: <01BF0F08.5D32D270.theo@tepucom.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You don't have to go to all that trouble to hack the code. Just use Stephanie Wheners -f flag to change the source address to what your provider expects to see (eg. the address of the near side skiphost). Jim Flowers #4 ISP on C|NET, #1 in Ohio On Tue, 5 Oct 1999, Theo Purmer (Tepucom) wrote: > Thanks Jim fo the help. > > Ive got a skip session running between > two machines and the rfc1918 network > is connected what i found to be the problem > is that skip leaves the rfc1918 sender address > in the packet even if it goes through the > tunnel. The routers and firewalls in between dont > allow a rfc1918 sender or receiver address so > the packets dont arrive at the other end > > In the archives john capo has the same problem > he sent me some data to change the source with > so that doesnt happen anymore. im working on > that now. > > Do you have any idea as to who maintains the skip > website. Maybe its a good idea to publish this on > the website when ive got it running. > > thanks agian > > theo purmer > ---------- > Van: Jim Flowers[SMTP:jflowers@ezo.net] > Verzonden: maandag 4 oktober 1999 16:38 > Aan: Theo Purmer (Tepucom) > CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org' > Onderwerp: Re: skip basic procedure > > > Skip doesn't do routing. You have to use something else. Mostly I use > static routes. Generally, the inside inetrace (rfc 1918) will create a > route to the internal network. > > However, It sounds like you don't really have a SKIP connection. Can you > verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the > incoming interface and equivalent cleartext packets on the internal > interface. Assumes you have multi-homed skiphost. > > What I have found to work best is: > > 1. With skip turned off, verify that the two skiphosts can communicate with > each other. > 2. Setup skip on each of the skiphosts by running skiplocal export on the > opposite end skiphost and then executing it as a shell script. > 3. Set default in cleartext (`skiphost -a default`) and turn it on at each > end (`skiphost -o on`). > 4. Debug this configuration. Is the time correct on each skiphost? Are the > keys valid? Good idea is to telnet to a third machine and from > there to the far end so that the session will continue even if skip > doesn't work. Use skiplog to see if there are errors > 5. Once you get 4. working, add the RFC1918 networks using the far end > skiphost as the tunnel entrance. > 6. Use tcpdump on the external and internal interfaces of each skiphost to > debug. > > It is also instructive to run the skiptool if you have xwindows. When you > enable the skip interface it offers suggestions on addresses that should be > allowed in cleartext. > > Have DNS set up and working properly so that skiphost can find all the > reverse lookups or you will wait for what seems like forever. > > Search the freebsd-security list for skip, I posted stuff like this lots of > times. > > ----- Original Message ----- > From: Theo Purmer (Tepucom) > To: > Sent: Saturday, October 02, 1999 8:45 AM > Subject: skip > > > > Hi Jim > > > > hope you dont mind me sending you some email > > about skip. In some archive i found your name on > > a message where you said you had good experiences > > with skip on freebsd > > > > im having some trouble getting a vpn with skip running > > and i was wondering if you could give me a hint on > > the skip config file. > > > > im trying to route 2 rfc 1918 networks over two skip > > machines via the internet but data does arrive but > > isnt routed to the second (rfc1918) nic in the machine > > > > some help would be greatly appreciated > > > > thanks > > > > theo purmer > > theo@tepucom.nl > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message