Date: Thu, 8 Mar 2001 11:56:19 -0500
From: "Jim Flowers" <jflowers@ezo.net>
To: "Ilya Krel" <ilya@krel.org>, <freebsd-security@FreeBSD.ORG>
Subject: Re: vpn vs natd
Message-ID: <008501c0a7f0$b3254e10$22b197ce@ezo.net>
References: <5FE9B713CCCDD311A03400508B8B301305F47C8A@bdr-xcln.is.matchlogic.com> <013c01c0a771$e80f3e30$0100a8c0@ilya> <004001c0a773$bfe11210$22b197ce@ezo.net> <000f01c0a789$eb3dd4f0$0100a8c0@ilya>
Skip on two gateway boxes connects two networks together, over the Internet if desired, tunneling from the one box to the other. The networks behind the gateways can be public or private. Either or both of the boxes can also be running natd on a many-to-one basis. Ipfw is used to divert packets to the natd process, usually by an any-to-any match. Skip is implemented in a shim between ipfw and the external network interface.

The technique is to precede the natd divert rule with rules that match packets that are to be transmitted over the VPN and, therefore, should not be diverted to ipfw. The technique can be extended to as many nodes (each with a network behind it) as you want for the VPN.

By stand-alone - yes, you have to partner with other skip-aware devices and that pretty much means Sun, FreeBSD and Linux.

----- Original Message -----
From: "Ilya Krel" <ilya@krel.org>
To: "Jim Flowers" <jflowers@ezo.net>
Sent: Wednesday, March 07, 2001 11:40 PM
Subject: Re: vpn vs natd

> I probably didn't thoroughly understand skip yet ;) but it seems like it is
> a stand-alone solution. What I have is a corporate VPN (altiga/cisco), an NT
> client, a BSD router with nat. What I want to do is allow this client
> (altiga) to go through my router without the packets being raped by nat,
> which happens according to cisco in a many-to-one environment.
> Please do correct me if I am wrong about skip.
>
> ----- Original Message -----
> From: "Jim Flowers" <jflowers@ezo.net>
> To: "Ilya" <mail@krel.org>; <freebsd-security@FreeBSD.ORG>
> Sent: Wednesday, March 07, 2001 9:01 PM
> Subject: Re: vpn vs natd
>
> > You can do VPN and many-to-one NAT if you use the SKIP port. It takes a
> > thorough understanding of both but you essentially use rules in IPFW to
> > determine what uses VPN and what uses NATD. Search the mailing lists for
> > SKIP where I listed both the criteria and methodology.
> >
> > There is probably a way to do something similar with IPSec but I haven't
> > spent the time to know how to do it.
> >
> > ----- Original Message -----
> > From: "Ilya" <mail@krel.org>
> > To: <freebsd-security@FreeBSD.ORG>
> > Sent: Wednesday, March 07, 2001 8:48 PM
> > Subject: vpn vs natd
> >
> > > As far as I know there is no way to make vpn work through many-to-one nat.
> > > Only many-to-many will work. I currently have at home one-to-many (windows
> > > clients through freebsd router); now that I need vpn, I got a second public
> > > ip. Is it somehow possible to set up that all traffic from a certain private
> > > ip on my lan would go out as using my new ip? Which I guess will reside on
> > > the same network card, which hosts the current public ip. Is it also possible
> > > to do without breaking the config I have now?
> > > So I am thinking, many-to-one nat for all windows clients except one, and
> > > many-to-many for only one specific private ip.
> > > How can I do it?
> > >
> > > Thx a lot.
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
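The rule ordering Jim describes (pass the VPN-bound traffic before the natd divert rule so it is never translated), written out as an added example that is not part of the thread; the network addresses, rule numbers and the interface name fxp0 are assumed values for illustration:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Constructed values:
LAN_NET="192.168.1.0/24"     # private network behind this gateway
REMOTE_NET="10.20.0.0/16"    # private network behind the SKIP peer gateway
EXT_IF="fxp0"                # external interface natd is bound to (assumed)

# Emit the ipfw rules in the order the technique needs: traffic between
# the two VPN networks is matched and passed (then handled by the SKIP shim)
# before the natd divert rule, so only the remaining traffic is NATed
# many-to-one. ipfw uses first-match semantics, so rule numbers matter.
vpn_natd_rules() {
    cat <<EOF
add 100 allow ip from ${LAN_NET} to ${REMOTE_NET} out via ${EXT_IF}
add 110 allow ip from ${REMOTE_NET} to ${LAN_NET} in via ${EXT_IF}
add 200 divert natd ip from any to any via ${EXT_IF}
add 65000 allow ip from any to any
EOF
}

# Number of the first rule mentioning the given network (first match wins).
first_rule_for() {
    vpn_natd_rules | grep -F -- "$1" | head -n 1 | awk '{print $2}'
}

# Number of the natd divert rule.
divert_rule() {
    vpn_natd_rules | grep -F 'divert natd' | head -n 1 | awk '{print $2}'
}

# Exit status 0 only when every rule mentioning the remote VPN network is
# numbered below the divert rule, i.e. VPN traffic can never reach natd.
# A misordered ruleset (VPN rules after the divert) silently breaks the VPN.
check_order() {
    div=$(divert_rule)
    vpn_natd_rules | grep -F -- "$REMOTE_NET" \
        | awk -v d="$div" '$2 >= d { bad = 1 } END { exit bad }'
}

# Usage on the gateway (as root): save vpn_natd_rules output to a file and
# feed it to ipfw(8); run check_order first to catch ordering mistakes.
check_order && echo "ruleset order ok: VPN rules precede divert $(divert_rule)"
```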