I have a question about SKIP that I hope someone can help me with. We are
testing a set-up that will allow employees to access our internal network
from home and also allow us to connect to partners' sites using SKIP. The
two set-ups are shown below:

Employee access          Partner site access
-----------------        ---------------------
    home-pc                partner network
       |                         |
       |                         |
       |                         |
       |                         |
  SKIP firewall            SKIP firewall
       |                         |
       |                         |
       |                         |
       |                         |
internal host(s)           SKIP firewall
                                 |
                                 |
                                 |
                                 |
                           internal host(s)

Access between both the home-pc and SKIP firewall/gateway and between the
two SKIP firewall/gateways is across the local cable company's network
(i.e., Internet/untrusted network). The product(s) that we are testing is
Sun's SKIP and their EFS software that runs on the SKIP firewall. We have
also done the same test using just SKIP - without the EFS. Connecting to an
internal host from the PC (using SKIP for Win95) was working until the
cable company reconfigured their routers. We are using an "unregistered"
network address on our internal network and it turns out that packets being
sent back to the PC have a source address of the internal machine. The
routers are configured to drop any packets that *don't* have a source
address of our DMZ. Sooo, my question is: does anyone know how to
configure SKIP (or EFS) so that the packets going back to the PC through
the SKIP firewall have the source address re-written with the address of
the external interface of that machine? We did get this to work using EFS,
but the PC doesn't seem to want to look inside that packet to find the
*real* IP packet. Is there something that we need to configure on the PC to
see the encrypted packet? Or is there something else missing in the config
of the SKIP firewall? Also, is the set-up we are trying to achieve with our
business partners possible just using SKIP? It's probably possible with SKIP
and EFS, but we don't want to have all our partners go out and buy a new
Sparc and SKIP/EFS. We are hoping we can use Solaris x86 and SKIP for the
SKIP firewalls/gateways.

The home-pc has been configured to use encryption between itself and the
external interface of the SKIP gateway and also between itself and the
internal network using the SKIP gateway as the "tunnel".

The SKIP firewall/gateway is a Sparc Ultra running both SKIP and EFS. We
are also testing using another gateway running Solaris x86 with just
SKIP. Both are running Solaris 2.5.1.

The local Sun SEs have not been able to resolve the question yet. They
also tell me that SKIP encrypts the entire IP packet and puts it into
another packet (as the data portion) regardless of whether the packet is
going through a tunnel or not. Is this true?

Any help would be *very* appreciated.

Bret Robinson
| Bret Robinson, Snr. System Admin \ Voice: +1-403-213-8413 |
| Applied Terravision Systems, Inc. \ Fax: +1-403-264-2122 |
| Calgary, Alberta Canada \ Web site: www.atsi.com |
| BRobinson @ atsi . com \ |
| "Keep your stick on the ice" \___ o <- puck (for US viewers) |