Hi Pär

Yeah, you're right, there is not a lot of documentation out there about CIPE
and LEAF. Unfortunately, the documents on the CIPE homepage are in a very
inconvenient format.
But there is a CIPE HOWTO. Please read
http://www.linuxdoc.org/HOWTO/mini/Cipe+Masq.html
You don't have to change your firewall scripts like in this document (I
mean, you don't have to change everything the way this HOWTO does it), but
the CIPE example config files in particular are interesting.
What you have to change in your network.conf is only this:
Open the UDP ports which CIPE uses, allow everything on the virtual
interface and allow forwarding to the remote subnet. Tom Eastep and I (not
together; I made some changes) wrote a script for IPIP tunnels, and nearly
everything is exactly the same if we look at the ipchains rules. Here is
what you have to add for IPIP tunnels:
      ipchains -I input -j ACCEPT -p 4 -s $gateway
      ipchains -I output -j ACCEPT -p 4 -d $gateway
      ipchains -I input -j ACCEPT -i $tunnel
      ipchains -I output -j ACCEPT -i $tunnel
      ipchains -I forward -j ACCEPT -b -s $mysubnet -d $remotesubnet

Because IPIP is a separate IP protocol (neither UDP nor TCP, something
else), you have to open protocol 4. But CIPE uses UDP, so you can replace "4"
with "udp" and add port numbers. The rest is the same: accept everything on
the new virtual interface (input and output) and allow forwarding. CIPE
rules would look like this:
      ipchains -I input -j ACCEPT -p udp -s $gateway [CIPEUDPSRCPORT] -d $myip [CIPEUDPDSTPORT]
      ipchains -I output -j ACCEPT -p udp -s $myip [CIPEUDPSRCPORT] -d $gateway [CIPEUDPDSTPORT]
      ipchains -I input -j ACCEPT -i $cipeinterface
      ipchains -I output -j ACCEPT -i $cipeinterface
      ipchains -I forward -j ACCEPT -b -s $mysubnet -d $remotesubnet

OK, but here comes the problem: I NEVER set up a CIPE tunnel! I only have
IPIP tunnels running (we don't need encryption). I only compiled CIPE
because I thought I'd switch from IPIP to CIPE. But there is no need for
encryption yet.
So please don't take my examples as they are; perhaps I missed something,
but I'm pretty sure that these rules work.

My tip:
Use the options in network.conf as much as possible and don't add these
ipchains rules directly to ipfilter.conf. I don't know about adding the
rules to the CIPE config files (are they executable?).


To your other questions:
No, you don't have to use the IPSEC kernel. Not at all.
IPSEC is completely different from CIPE. CIPE doesn't need a special kernel.
On the other hand, CIPE is very tricky. It ONLY runs on the kernel it
was compiled for. I don't know if my CIPE package still works with Charles'
dachstein-3 kernel (2.2.19-3). It is compiled for 2.2.19-1.

Please note that my ciped-1.lrp package only works with floppy kernels. If
you're running an IDE enabled kernel, please replace the CIPE binaries with
these: http://leaf.sourceforge.net/devel/sminola/files/devel/cipe-146-IDE/


If you have more questions, feel free to ask, but please CC your mail to the
list. I'll CC this too.


---
Sandro Minola           | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch    | http://leaf.sourceforge.net/devel/sminola
-
worldcontrol:~ # rm -rf /bin/laden

> -----Original Message-----
> From: Pär Johansson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 06, 2001 10:09 PM
> To: [EMAIL PROTECTED]
> Subject: Need help with Cipe setup
>
>
> Hello
> I want to setup some VPN's but having trouble finding some good
> documentation on Ciped-1.lrp.
> I'm kind of a newbie on Linux, but I understand that you know a lot
> about Cipe.
> Could you please make me a step-by-step instruction on setting up Cipe
> on my Dachstein 1.0.2 (disk) LRPs?
> I know how to install the package, but the settings????
> Can I use the IPSec enabled kernel?
> On the office side std eth-eth static IP, external IP 213.199.64.62,
> local net 192.168.1.0/24, LRP IP 192.168.1.254.
> On the home side std eth-eth static IP, external IP 213.199.64.63, local
> net 192.168.2.0/24, LRP IP 192.168.2.254.
>
>
> TIA
> Pär Johansson
> Sweden
>
>
>


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
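The IPIP and CIPE rule sets from Sandro's reply, written out as a small POSIX shell script (an added example, not code from the original mail or from the LEAF/CIPE packages). It uses the office/home addresses from the question; the CIPE UDP port 9200 and the device name cipcb0 are assumed placeholders, since CIPE's port and interface name come from its own config. ipchains takes the port as a separate word after the address, which is how the rules are written here. With DRYRUN=1 the script prints the rules instead of calling ipchains, so it can be checked on a box without ipchains.

```shell
#!/bin/sh
# Added example: emit the ipchains rules for an IPIP tunnel and for a CIPE
# tunnel between two LEAF routers. Public IPs and subnets are the ones from
# the question; UDP port 9200 and interface cipcb0 are assumed placeholders.
# DRYRUN=1 prints each rule instead of executing it.

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# Rules shared by both tunnel types: accept everything on the virtual
# interface and forward between the two subnets in both directions (-b).
tunnel_common_rules() {
    iface=$1; mysubnet=$2; remotesubnet=$3
    run -I input   -j ACCEPT -i "$iface"
    run -I output  -j ACCEPT -i "$iface"
    run -I forward -j ACCEPT -b -s "$mysubnet" -d "$remotesubnet"
}

# IPIP: IP protocol 4 between the two gateways, no ports. Pinning both the
# source and destination address is slightly stricter than the mail's rules.
ipip_rules() {
    myip=$1; gateway=$2; iface=$3; mysubnet=$4; remotesubnet=$5
    run -I input  -j ACCEPT -p 4 -s "$gateway" -d "$myip"
    run -I output -j ACCEPT -p 4 -s "$myip" -d "$gateway"
    tunnel_common_rules "$iface" "$mysubnet" "$remotesubnet"
}

# CIPE: same shape, but UDP, pinned to both addresses and both ports.
# In ipchains the port follows the address as a separate word.
cipe_rules() {
    myip=$1; gateway=$2; myport=$3; remoteport=$4
    iface=$5; mysubnet=$6; remotesubnet=$7
    run -I input  -j ACCEPT -p udp -s "$gateway" "$remoteport" -d "$myip" "$myport"
    run -I output -j ACCEPT -p udp -s "$myip" "$myport" -d "$gateway" "$remoteport"
    tunnel_common_rules "$iface" "$mysubnet" "$remotesubnet"
}

# Office-side router from the question; the home side is the mirror image
# (swap the IPs and subnets). Defaults to dry run so it is safe to execute.
: "${DRYRUN:=1}"
cipe_rules 213.199.64.62 213.199.64.63 9200 9200 cipcb0 192.168.1.0/24 192.168.2.0/24
```

The `-I` inserts put the rules at the head of each chain, which matches the mail's approach of letting the tunnel traffic through before the rest of the LEAF policy; as Sandro notes, on LEAF these values are better expressed through network.conf than pasted into ipfilter.conf.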