CIPE RoadWarrior



Ever wondered why your machine did not get a connection to your server via CIPE (http://sites.inka.de/sites/bigred/devel/cipe.html)? I did! It took me an hour to figure it out, so this is mainly a note to myself...

I used a RedHat 7.2 machine as the server and a RedHat 7.3 machine as the client. (For the picky ones: both machines had a 2.4.18 kernel that came directly from the quality assurance lab of RedHat...). CIPE was version 1.4.5, installed from the RPMs. For general information on how to set up a CIPE VPN on RedHat see http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-vpn.html. I am not the one to ask for that!

So what is the real problem with this? There is a fancy GUI to configure the connection, so we should be up and running in a minute. Wrong! Why? The interface on the server has been configured with the peer address "0.0.0.0". This sounds really good, as you would think it means "listen on all interfaces". Wrong again! It binds to "127.0.0.1:<port>". So we have to tell the server side ciped explicitly to bind to the address the connections will be coming in on (which probably will not be the loopback device, paranoid!). The first config used on the server side looked like this (assuming that the client network is 192.168.0.0/24, the server network is 192.168.8.0/24 and we use port 7777 on both ends):



server:/etc/sysconfig/network-scripts/ifcfg-cipcb0.old:
USERCTL=no
DEVICE=cipcb0
IPADDR=192.168.8.4
TYPE=CIPE
ONBOOT=no
MYPORT=7777
PTPADDR=192.168.0.4
PEER=0.0.0.0
PEERDNS=no


Now we remove the MYPORT option and instead tell ciped explicitly which address and port to bind to, using the ME setting.

server:/etc/sysconfig/network-scripts/ifcfg-cipcb0:
USERCTL=no
DEVICE=cipcb0
IPADDR=192.168.8.4
TYPE=CIPE
ONBOOT=no
PTPADDR=192.168.0.4
PEER=0.0.0.0
ME=<EXTERNAL IP>:7777
PEERDNS=no


Replace <EXTERNAL IP> with the external IP address of the server.
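A quick way to confirm which address ciped actually bound to after restarting the interface, as an added example that is not part of the original page: it parses the "udp" lines of netstat -anu output and flags the loopback binding described above. The netstat lines below are constructed for this example, and 203.0.113.10 stands in for the server's external IP.

```shell
#!/bin/sh
# Constructed netstat -anu output as it looks with the first (broken) server
# config: ciped sits on 127.0.0.1:7777, so no packet from the client ever
# reaches it.
SAMPLE_NETSTAT_BROKEN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:7777          0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Same listing after setting ME=<EXTERNAL IP>:7777 (203.0.113.10 is a placeholder).
SAMPLE_NETSTAT_FIXED='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 203.0.113.10:7777       0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# cipe_bind_addr PORT NETSTAT_TEXT
# Prints the local address of every UDP socket on PORT, one per line
# (nothing if no socket is bound to that port).
cipe_bind_addr() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "udp" {
            # Local Address is column 4, e.g. "127.0.0.1:7777";
            # the port is the text after the last colon.
            n = split($4, f, ":")
            if (f[n] == p)
                print substr($4, 1, length($4) - length(f[n]) - 1)
        }'
}

# cipe_bind_status PORT NETSTAT_TEXT
# Prints "loopback" when the socket is on 127.x (the symptom this page is
# about), "ok" when it is on any other address, "missing" when nothing
# listens on PORT. Exit status is 0 only for "ok".
cipe_bind_status() {
    addr=$(cipe_bind_addr "$1" "$2" | head -n 1)
    case "$addr" in
        "")    echo missing;  return 2 ;;
        127.*) echo loopback; return 1 ;;
        *)     echo ok;       return 0 ;;
    esac
}

# On the real server: cipe_bind_status 7777 "$(netstat -anu)"
cipe_bind_status 7777 "$SAMPLE_NETSTAT_BROKEN"
cipe_bind_status 7777 "$SAMPLE_NETSTAT_FIXED"
```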

Here is the client config, for the curious:

client:/etc/sysconfig/network-scripts/ifcfg-cipcb0:
USERCTL=no
DEVICE=cipcb0
IPADDR=192.168.0.4
TYPE=CIPE
ONBOOT=no
MYPORT=7777
PTPADDR=192.168.8.4
PEER=<SERVER IP>:7777
TUNNELDEV=eth0
ME=192.168.0.2
PEERDNS=no


Now have fun and encrypt all your traffic (no, not loopback, paranoid!). If you want to be interoperable with other systems, consider IPsec; I use it for most VPN traffic. VPNs between Windoze and Linux are much simpler with CIPE, though, and if you are behind a NAT gateway it is also the simpler approach (although there are patches to get IPsec running behind NAT).
Copyright © 2000-2009 by Tim Niemueller