From owner-freebsd-hackers Wed Mar 10 5:48:24 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from finch-post-10.mail.demon.net (finch-post-10.mail.demon.net [194.217.242.38]) by hub.freebsd.org (Postfix) with ESMTP id 2D66A150F9 for ; Wed, 10 Mar 1999 05:48:22 -0800 (PST) (envelope-from terry@ppsl.demon.co.uk)
Received: from [158.152.16.214] (helo=yeoman.ppsl.co.uk) by finch-post-10.mail.demon.net with esmtp (Exim 2.12 #1) id 10KjLA-0000va-0A; Wed, 10 Mar 1999 13:48:04 +0000
To: "Jim Flowers" ,
Subject: Re: Tunnel loopback
References: <000d01be6a7e$39343960$abd396ce@ivy.ezo.net>
From: Terry Glanfield
Date: 10 Mar 1999 13:47:31 +0000
In-Reply-To: "Jim Flowers"'s message of "Tue, 9 Mar 1999 17:43:16 -0500"
Message-Id:
Lines: 33
X-Mailer: Gnus v5.6.44/Emacs 19.34
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Jim Flowers" writes:

> There is a basic problem with your strategy. SKIP is unidirectional and the
> inbound packets will have to be received on the configured interface to be
> authenticated.

Exactly. Along with the rule for the internal interface:

    pass in quick on ed0 to tun0 all

I have a rule on the external interface to redirect SKIP packets to the tunnel:

    pass in quick on ed1 to tun0 proto skip all

Similarly for UDP port 1640. I've tested this and it works admirably (except for the duplicate packets mentioned earlier).

The object is to move SKIP from its position closest to the wire to a point before NAT occurs. Then, so long as the SKIP packets have a properly rewritten source address and are not modified by NAT, all of the problems you mention are addressed. Nomadic SKIP hosts on the Internet should also be possible although I've not tried this yet.

Now, if only I could stop the duplicate packets bouncing around the tunnel...

> Were you able to get the FreeBSD Skip-1.0 port to compile on 3.1?

Apparently it won't work with LKM and needs a KLM rewrite.

Regards,

Terry.
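As an added illustration (not part of Terry's message or the SKIP port), the three rules described above written out as a single ipfilter ruleset fragment. The two SKIP rules are the ones quoted in the mail; the UDP 1640 rule is an assumption about what "similarly for UDP port 1640" expands to, and the interface names ed0 (internal), ed1 (external) and tun0 follow the mail. Rule order matters: these `quick` rules must come before any catch-all filter rules so that SKIP and UDP/1640 traffic is handed to tun0 before NAT and the rest of the ruleset see it.

```text
# /etc/ipf.rules fragment (constructed example, not from the original post)
#
# Internal interface: hand everything arriving on ed0 to the tunnel
# interface so SKIP processing happens before NAT, as described in the mail.
pass in quick on ed0 to tun0 all

# External interface: redirect inbound SKIP (IP protocol 57, "skip" in
# /etc/protocols) to the tunnel interface.
pass in quick on ed1 to tun0 proto skip from any to any

# External interface: same treatment for SKIP key management on UDP 1640.
# (Assumed expansion of "similarly for UDP port 1640".)
pass in quick on ed1 to tun0 proto udp from any to any port = 1640

# Remaining rules (logging, default block, NAT in ipnat.rules) follow here
# and are not shown.
```

A practical check after loading the rules is `ipfstat -ih` to confirm the three `to tun0` rules are being hit at all, and a packet counter on tun0 to see whether the duplicate-packet symptom the mail mentions is a loop between the redirect rules and the tunnel's own output rather than a SKIP issue.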