The network cards are to SEPARATE physical networks.  The NATD interface is to
an internet accessible LAN and the SKIP interface is to a company WAN.  The
tunnel is routed through the company WAN, not the internet.

Michael

                -----Original Message-----
                From:   Jim Flowers [mailto:[EMAIL PROTECTED]]
                Sent:   Wednesday, September 30, 1998 10:28 AM
                To:     Austin, Michael H POJ; 'Eric J. Schwertfeger'; [EMAIL PROTECTED]
                Subject:        Re: SKIP and natd on FreeBSD 2.2-current

                That makes sense and there's no reason why it shouldn't work. Do you have
                both cards connected to the same physical network and is your tunnel routed
                over the Internet, also?

                -----Original Message-----
                From: Austin, Michael H POJ <[EMAIL PROTECTED]>
                To: 'Eric J. Schwertfeger' <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
                Date: Tuesday, September 29, 1998 9:16 PM
                Subject: RE: SKIP and natd on FreeBSD 2.2-current


                >I've been running SKIP and NATD on the same machine successfully for about five
                >days now.
                >Although they are running on the same machine they are running on DIFFERENT
                >network cards.
                >I use SKIP to tunnel between two LANs and NATD to communicate to the internet in
                >the clear.
                >I'm running FreeBSD 2.2.5 with no special ipfw rules besides the divert to the
                >natd port.
                >So far things are running just fine.  Performance is good.
                >
                >Michael
                >
                > -----Original Message-----
                > From: Eric J. Schwertfeger [mailto:[EMAIL PROTECTED]]
                > Sent: Sunday, September 27, 1998 6:17 AM
                > To: [EMAIL PROTECTED]
                > Subject: Re: SKIP and natd on FreeBSD 2.2-current
                >
                >
                > On Thu, 24 Sep 1998, Eric J. Schwertfeger wrote:
                >
                > > I've got two FreeBSD machines, one 2.2.7-RELEASE and one
                > > 2.2.7-19980828-SNAP.  The latter machine is a firewall with natd running
                > > on it.  Without configuring natd, we can establish encrypted
                > > communications to our heart's content.
                > >
                > > However, as soon as we insert the ipfw divert rule for natd, things go
                > > south fast.  Basically, we've tried various configurations, and we can get
                > > one or the other to work, but not both.  Even a two-rule rc.firewall
                > > consisting of just the divert rule and a pass all rule kills SKIP if the
                > > divert comes first.
                >
                > I've narrowed the problem down. Basically, because natd is reinserting the
                > unencrypted packet into the device (queue?), skip can't tell that it's a
                > packet that it has already decrypted, so rejects the packet because it
                > thinks that the given packet was never encrypted, and is coming from a
                > host that requires encryption.
                >
                > Also, is anyone seeing this? I didn't get any replies, and haven't seen
                > any other traffic on this list since subscribing.
                >
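One way to set up the two-card layout Michael describes, added here as an example and not code from anyone in the thread: an rc.firewall fragment that binds the natd divert rule to the internet-facing card only, so packets on the SKIP/WAN card are never handed to natd and re-injected. The interface names ed0 and ed1, the rule numbers and the loopback rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rc.firewall fragment for a FreeBSD host
# running natd and SKIP on separate network cards. Interface names are assumed.
natd_if="ed0"     # assumed: internet-facing LAN, traffic here is NATed
skip_if="ed1"     # assumed: company WAN carrying the SKIP tunnel
natd_port="8668"  # natd's default divert port

# Print the rule set. The divert rule is restricted to the natd interface, so
# SKIP traffic arriving on the WAN card never passes through natd.
natd_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 divert ${natd_port} ip from any to any via ${natd_if}
add 300 allow ip from any to any via ${skip_if}
add 65000 allow ip from any to any
EOF
}

# Load the rules into the kernel only when explicitly asked
# (./rc.firewall apply), so the script can be inspected without touching
# a live firewall.
load_rules() {
    ipfw -f flush
    natd_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```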
