Date:      10 Mar 1999 13:47:31 +0000
From:      Terry Glanfield <terry@ppsl.demon.co.uk>
To:        "Jim Flowers" <jflowers@ezo.net>, <freebsd-hackers@freebsd.org>
Subject:   Re: Tunnel loopback
Message-ID:  <er9qxh2x8.fsf@ppsl.demon.co.uk>
In-Reply-To: "Jim Flowers"'s message of "Tue, 9 Mar 1999 17:43:16 -0500"
References:  <000d01be6a7e$39343960$abd396ce@ivy.ezo.net>

"Jim Flowers" <jflowers@ezo.net> writes:
> There is a basic problem with your strategy.  SKIP is unidirectional and the
> inbound packets will have to be received on the configured interface to be
> authenticated.  

Exactly. Along with the rule for the internal interface:

	pass in quick on ed0 to tun0 all

I have a rule on the external interface to redirect SKIP packets to
the tunnel:

	pass in quick on ed1 to tun0 proto skip all

Similarly for UDP port 1640.  I've tested this and it works admirably
(except for the duplicate packets mentioned earlier).  The object is
to move SKIP from its position closest to the wire to a point before
NAT occurs.  Then, so long as the SKIP packets have a properly
rewritten source address and are not modified by NAT, all of the
problems you mention are addressed.  Nomadic SKIP hosts on the
Internet should also be possible although I've not tried this yet.

Now, if only I could stop the duplicate packets bouncing around the
tunnel...

> Were you able to get the FreeBSD Skip-1.0 port to compile on 3.1?

Apparently it won't work with LKM and needs a KLM rewrite.  

Regards,
Terry.
