Date:      Thu, 9 Oct 1997 17:58:45 -0700 (PDT)
From:      Archie Cobbs <archie@whistle.com>
To:        root@bmccane.uit.net (Wm Brian McCane)
Cc:        gurney_j@resnet.uoregon.edu, hackers@FreeBSD.ORG
Subject:   Re: SKIP
Message-ID:  <199710100058.RAA16624@bubba.whistle.com>
In-Reply-To: <Pine.BSF.3.91.971007094736.24219A-100000@bmccane.uit.net> from Wm Brian McCane at "Oct 7, 97 10:18:30 am"


> 	Here is what I have/have to do.
> 
>       /^^^^^\          ROUTER 1
>      ( LAN 1 }--{ipfw/(skip|swipe|...)}--{Pipeline 50}
>       \vvvvv/                                 |
>                                               |
>                                             {ISP}
>                          <---Internet--->
>              {ISP}
>                |
>                |               ROUTER 2            /^^^^^\
>           {Pipeline 50}--{ipfw/(skip|swipe|...)}--{ LAN 2 )
>                                                    \vvvvv/
> 
> 	LAN 1 is 192.168.1.0/24
> 	LAN 2 is 192.168.4.0/24
> 	ROUTER 1a is 192.168.1.251
> 	ROUTER 1b is 207.142.125.225/28
> 	ROUTER 2a is 192.168.4.251
> 	ROUTER 2b is 204.132.78.206/28

On ROUTER 1, if "ed0" is the 207.142.125.225 interface:

  $ ipfw add 10 divert 1024 ip from any to 192.168.4.0/24 out via ed0
  $ ipfw add 20 divert 1025 ip from 192.168.4.0/24 to any in via ed0
  $ vpnd -key secret -insock 1025 -outsock 1024

On ROUTER 2, if "ed0" is the 204.132.78.206 interface:

  $ ipfw add 10 divert 1024 ip from any to 192.168.1.0/24 out via ed0
  $ ipfw add 20 divert 1025 ip from 192.168.1.0/24 to any in via ed0
  $ vpnd -key secret -insock 1025 -outsock 1024

>    What I am now looking at is an implementation somewhat similar to the 
> way that natd works with divert sockets.  I have already configured a 
> firewall on both ROUTER 1 and 2.  What I think I want to do is set up 
> rules in the firewalls to divert the appropriate addresses to the 
> "vpnd".  He will then encapsulate the data and send it to the other 
> router.
> 
>    In the encapsulate phase, I will probably bsdcomp the data to be sent,
> and encrypt it with some very lame encryption.  I was thinking of using a 
> scheme where each machine has the encryption keys stored in a text file, 
> and simply uses them to en/decrypt the data.  Very basic.
> 
>    Does this look like it will work?  Am I insane to even think of trying 
> to write the "vpnd" program?  I am most concerned with figuring out how 
> to write the "vpnd", although I have looked at the "natd" code, and it 
> looks fairly straightforward to me.  I would simply create a "pipe" from 
> ROUTER 1b to ROUTER 2b.  Then as data comes in from the divert socket, I 
> would direct it out through the "pipe".  The place where I have problems 
> is when a packet comes in on the "pipe".  How do I inject the received 
> data on to my local network?

No big deal, you just have to write vpnd now :-) Have it encrypt using
"secret" on socket 1024 and decrypt using "secret" on socket 1025...
it writes back to the same socket it reads from (as described in the
divert man page).

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
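The read, transform, write-back loop Archie describes, as an added C example that is not code from this thread or from any vpnd that was written: transform_payload, open_divert and relay_one are names chosen here, the keyed XOR stands in for whatever cipher the reader picks, and the reinjection semantics (sendto() on the same divert socket with the sockaddr recvfrom() filled in) are assumed from FreeBSD divert(4).

```c
/* The transform-and-reinject half of "vpnd", as an added example (not code from
 * this thread).  Assumes FreeBSD divert(4) semantics: a packet read with
 * recvfrom() on a divert socket is reinjected by sendto() on the same socket,
 * using the sockaddr that recvfrom() filled in.  The keyed XOR is a stand-in
 * for a real cipher and authenticator, not a recommendation. */
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254      /* FreeBSD value; absent from non-BSD headers */
#endif

/* Transform the payload of an IPv4 packet in place, leaving the IP header
 * untouched so ipfw and routing still see the real addresses and length.
 * Symmetric: the same call encrypts on socket 1024 and decrypts on 1025.
 * Returns the payload length, or -1 if the buffer is not a sane IPv4 packet. */
ssize_t transform_payload(uint8_t *pkt, size_t len, const char *key) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;            /* IHL in 32-bit words */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];         /* IP total length */
    if (hlen < 20 || total < hlen || total > len) return -1;
    size_t klen = strlen(key);
    for (size_t i = hlen; klen && i < total; i++) pkt[i] ^= (uint8_t)key[(i - hlen) % klen];
    return (ssize_t)(total - hlen);
}

/* Open a divert socket bound to the port named in the ipfw "divert N" rule. */
int open_divert(unsigned short port) {
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) return -1;
    return fd;
}

/* One diverted packet: read it, transform it, write it back to the same
 * socket and sockaddr so the kernel resumes ipfw processing after the
 * divert rule.  Returns bytes reinjected, or -1 on error. */
ssize_t relay_one(int fd, const char *key) {
    uint8_t pkt[65535];
    struct sockaddr_in from;
    socklen_t flen = sizeof from;
    ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &flen);
    if (n <= 0 || transform_payload(pkt, (size_t)n, key) < 0) return -1;
    return sendto(fd, pkt, (size_t)n, 0, (const struct sockaddr *)&from, flen);
}
```

Because only the bytes after the IP header change and the total length stays the same, the IP header checksum needs no rewrite; the transport checksum inside the payload is scrambled in transit and restored by the peer's second transform.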


