FreeBSD Security Archives: RE: skip basic procedure

RE: skip basic procedure


Jim Flowers (jflowers@ezo.net)
Tue, 5 Oct 1999 09:45:16 -0400 (EDT)


I believe whatever maintenance is done is by someone at Sun in a spare
moment. Just posting to skip-info is probably the best that can be
done. They don't seem to be assigning much in the way of resources.

Jim Flowers <jflowers@ezo.net>
#4 ISP on C|NET, #1 in Ohio

On Tue, 5 Oct 1999, Theo Purmer (Tepucom) wrote:

> Thanks Jim for the help.
>
> I've got a skip session running between
> two machines and the rfc1918 network
> is connected. What I found to be the problem
> is that skip leaves the rfc1918 sender address
> in the packet even if it goes through the
> tunnel. The routers and firewalls in between don't
> allow a rfc1918 sender or receiver address so
> the packets don't arrive at the other end.
>
> In the archives John Capo has the same problem.
> He sent me some data to change the source with
> so that doesn't happen anymore. I'm working on
> that now.
>
> Do you have any idea as to who maintains the skip
> website? Maybe it's a good idea to publish this on
> the website when I've got it running.
>
> thanks again
>
> theo purmer
> ----------
> From: Jim Flowers[SMTP:jflowers@ezo.net]
> Sent: Monday 4 October 1999 16:38
> To: Theo Purmer (Tepucom)
> CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
> Subject: Re: skip basic procedure
>
>
> Skip doesn't do routing. You have to use something else. Mostly I use
> static routes. Generally, the inside interface (rfc 1918) will create a
> route to the internal network.
>
> However, it sounds like you don't really have a SKIP connection. Can you
> verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the
> incoming interface and equivalent cleartext packets on the internal
> interface. Assumes you have multi-homed skiphost.
>
> What I have found to work best is:
>
> 1. With skip turned off, verify that the two skiphosts can communicate with
> each other.
> 2. Setup skip on each of the skiphosts by running skiplocal export on the
> opposite end skiphost and then executing it as a shell script.
> 3. Set default in cleartext (`skiphost -a default`) and turn it on at each
> end (`skiphost -o on`).
> 4. Debug this configuration. Is the time correct on each skiphost? Are the
> keys valid? A good idea is to telnet to a third machine and from
> there to the far end so that the session will continue even if skip
> doesn't work. Use skiplog to see if there are errors.
> 5. Once you get 4. working, add the RFC1918 networks using the far end
> skiphost as the tunnel entrance.
> 6. Use tcpdump on the external and internal interfaces of each skiphost to
> debug.
>
> It is also instructive to run the skiptool if you have xwindows. When you
> enable the skip interface it offers suggestions on addresses that should be
> allowed in cleartext.
>
> Have DNS set up and working properly so that skiphost can find all the
> reverse lookups or you will wait for what seems like forever.
>
> Search the freebsd-security list for skip, I posted stuff like this lots of
> times.
>
> ----- Original Message -----
> From: Theo Purmer (Tepucom) <theo@tepucom.nl>
> To: <jflowers@ezo.net>
> Sent: Saturday, October 02, 1999 8:45 AM
> Subject: skip
>
>
> > Hi Jim
> >
> > hope you don't mind me sending you some email
> > about skip. In some archive I found your name on
> > a message where you said you had good experiences
> > with skip on freebsd.
> >
> > I'm having some trouble getting a vpn with skip running
> > and I was wondering if you could give me a hint on
> > the skip config file.
> >
> > I'm trying to route 2 rfc 1918 networks over two skip
> > machines via the internet. Data does arrive but
> > isn't routed to the second (rfc1918) nic in the machine.
> >
> > some help would be greatly appreciated
> >
> > thanks
> >
> > theo purmer
> > theo@tepucom.nl
> >
>
>
>

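The debugging step Jim recommends (tcpdump on the external interface, looking for proto 57 packets) and the symptom Theo found (an RFC 1918 address left in the outer header, so upstream filters drop the packet) can be checked mechanically. The script below is an added example written for this thread; it is not code from the thread or from the SKIP distribution. It assumes only what the thread states: SKIP traffic is IP protocol 57, and tunnel packets whose outer source or destination is an RFC 1918 address will not cross the path between the skiphosts. The packet bytes are constructed inline with documentation-range addresses standing in for the skiphosts' public addresses; on a real host they would come from a capture of the external interface.

```python
"""Classify packets seen on a skiphost's external interface.

Added example for this thread, not code from the thread or from SKIP.
Assumes: SKIP is IP protocol 57; an RFC 1918 address in the *outer* IPv4
header means the packet will be dropped by the routers/firewalls in between.
Sample packets are constructed here, not captured.
"""
import ipaddress
import struct

SKIP_PROTO = 57  # IP protocol number used by SKIP (stated in the thread)

RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr falls in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words; returns 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (20-byte header, no options) as test input."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt):
    """Return proto/src/dst of an IPv4 packet; reject bad version or checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def classify_external(pkt):
    """Verdict for a packet on the external interface, e.g. 'skip: private src'.

    A SKIP packet whose outer source is an RFC 1918 address is exactly the
    symptom in the thread: valid SKIP, but it will not survive the path.
    """
    hdr = parse_ipv4(pkt)
    kind = "skip" if hdr["proto"] == SKIP_PROTO else "cleartext"
    leaks = [field for field in ("src", "dst") if is_rfc1918(hdr[field])]
    return "%s: %s" % (kind, "private " + ",".join(leaks) if leaks else "ok")


if __name__ == "__main__":
    # Constructed samples; 198.51.100.x and 203.0.113.x are documentation
    # ranges standing in for the two skiphosts' public addresses.
    samples = {
        "good skip tunnel packet": build_ipv4("198.51.100.7", "203.0.113.5", SKIP_PROTO),
        "inner address left as outer source": build_ipv4("192.168.1.10", "203.0.113.5", SKIP_PROTO),
        "plain cleartext TCP": build_ipv4("198.51.100.7", "203.0.113.5", 6),
    }
    for label, pkt in samples.items():
        print("%-36s %s" % (label, classify_external(pkt)))
```

Run against a real capture, a "skip: private src" verdict on the external interface confirms the problem is in how the tunnel endpoint writes the outer header, not in routing or keys, which is the distinction steps 4 and 5 of Jim's procedure are meant to separate.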



This archive was generated by hypermail 2.0b3 on Tue Oct 05 1999 - 09:21:20 CDT