This should be my last act of arrogance in 2001 ;-)

I've drafted this how-to on how to get Sandro Minola's ciped-1 package 
working on LRP (Dachstein). It's arrogant because I haven't been able to 
get cipe working myself yet! But I think I'm pretty close and the 
How-to includes some troubleshooting that should help others.

If anyone interested in cipe could have a look at it and tell me if there 
are any obvious errors, I will update it and make it available.

Once I've got cipe working, I'm going to turn my attention to IPsec and 
will write that up as it goes along if there is a demand.

Happy New Year everyone and thanks to Charles, Sandro and the many others 
who work so hard to make this stuff available.

Lee


CIPE on LRP how-to

-Getting and installing the software-
Grab the latest ciped-1 package from Sandro Minola's package archive at:
http://leaf.sourceforge.net/devel/sminola/files/packages
Save it to your LRP floppy and tell LRP to load it on boot by editing 
either syslinux.cfg (if you boot LRP from a floppy) or lrpkg.cfg (if 
you boot from a floppy or a CD).
Edit it by adding ciped-1 to the end of the line that starts "LRP=".

-Configuring cipe on LRP-
Boot the system and make sure that cipe is being loaded. If it is, you 
should see error messages in the boot display showing that cipe is unable 
to load the cipe modules using the parameters "my.hostname.here" and 
"peer.hostname.here".
This is a good sign. It means that the ciped-1 package has dumped the 
cipcb module in the /lib/modules directory and the options files into the 
/etc/cipe directory. The two options files in the /etc/cipe directory are 
used to configure two cipe tunnels. We only need to configure one tunnel. 
(Is that right?)

We're going to assume that you want to use cipe to link two subnets, each 
of which is attached to eth1 of each of your LRP firewalls. Firewall 1's 
eth1 subnet is 192.168.1.0/24 and Firewall 2's eth1 subnet is 192.168.2.0/24.

The network looks like this:
(clean up ASCIIgram!)

 192.168.1.254 eth1  |            |                                                |            | eth1 192.168.2.254
 ---+----------------| Firewall 1 | eth0 111.22.333.4 --<WAN>-- 111.22.333.55 eth0 | Firewall 2 |----------------+---
 192.168.1.253 cipcb0|            |                                                |            | cipcb0 192.168.2.253
 ---+----------------|            |          . . . . cipe tunnel . . . .           |            |----------------+---


You tell cipe this information either by using LRP's lrcfg menu system and 
going to Packages | CIPE | Options or by using vi to edit the options files 
in each firewall's /etc/cipe directory.

On Firewall 1 /etc/cipe/options.cipcb0 should look like this:

# the peer's IP address
ptpaddr         192.168.2.253
# our CIPE device's IP address
ipaddr          192.168.1.253
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
me              111.22.333.4:9990
# ...and the UDP address we connect to. Of course no wildcards here.
peer            111.22.333.55:9990
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key             3248fd20adf9c00ccf9ecc2393bbb3e4

On Firewall 2 /etc/cipe/options.cipcb0 should look like this:

# the peer's IP address
ptpaddr         192.168.1.253
# our CIPE device's IP address
ipaddr          192.168.2.253
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
me              111.22.333.55:9990
# ...and the UDP address we connect to. Of course no wildcards here.
peer            111.22.333.4:9990
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key             3248fd20adf9c00ccf9ecc2393bbb3e4
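
Because the two options files have to mirror each other exactly (each side's 
ptpaddr is the other's ipaddr, each side's peer is the other's me, and the 
static key is identical), a small consistency check saves a reboot cycle. 
The script below is an added example, not part of the ciped-1 package; it 
parses CIPE's "keyword value" file format and cross-checks the two files 
from the example network above (embedded here as constructed sample input).

```python
import re
# Constructed sample input: the two /etc/cipe/options.cipcb0 files from the how-to.
FW1 = """\
ptpaddr         192.168.2.253
ipaddr          192.168.1.253
me              111.22.333.4:9990
peer            111.22.333.55:9990
key             3248fd20adf9c00ccf9ecc2393bbb3e4
"""
FW2 = """\
ptpaddr         192.168.1.253
ipaddr          192.168.2.253
me              111.22.333.55:9990
peer            111.22.333.4:9990
key             3248fd20adf9c00ccf9ecc2393bbb3e4
"""
REQUIRED = ("ptpaddr", "ipaddr", "me", "peer", "key")

def parse_options(text):
    """Parse CIPE's 'keyword value' lines; '#' starts a comment, blank lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, value = line.split(None, 1)  # ValueError on a keyword with no value
        opts[keyword] = value.strip()
    return opts

def is_wildcard(udp_addr):
    """'me' may be 0.0.0.0 or port 0 (the system picks one), which cannot be cross-checked."""
    host, _, port = udp_addr.rpartition(":")
    return host == "0.0.0.0" or port == "0"

def check_pair(a, b):
    """Return mismatches between two peers' parsed options (compared as strings, no DNS); [] means OK."""
    missing = [k for k in REQUIRED if k not in a or k not in b]
    if missing:
        return ["missing keyword(s): " + ", ".join(missing)]
    problems = []
    if a["ptpaddr"] != b["ipaddr"] or b["ptpaddr"] != a["ipaddr"]:
        problems.append("ptpaddr/ipaddr do not mirror each other")
    for name, me, peer in (("fw1", a["me"], b["peer"]), ("fw2", b["me"], a["peer"])):
        if not is_wildcard(me) and me != peer:
            problems.append("%s me %s != other side's peer %s" % (name, me, peer))
    if a["key"] != b["key"]:
        problems.append("static keys differ")
    elif not re.fullmatch(r"[0-9a-fA-F]{32}", a["key"]):
        problems.append("key is not 128 bits of hex")
    return problems
```

Run check_pair(parse_options(FW1), parse_options(FW2)) with the real files 
read from both firewalls' /etc/cipe directories; an empty list means the 
pair is consistent, otherwise each mismatch is listed.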

Save your edits. Do a *full* backup of the ciped-1 package to floppy and 
reboot. Note that if you do a *partial* backup of a package that you are 
loading from a floppy, you will lose the modules from your /lib/modules 
directory and cipe will not work.

When the machines come back up, watch the boot messages for any signs of 
problems. If there are none, test that you have got it right so far. At the 
command line issue the command:
ip add
on each firewall to see if your cipcb module has loaded and picked up the 
IP address you want to bind to it.

On Firewall 2 in our example network you should see an entry similar to the 
one below (though you will probably have a lower index number than 9 ;-)):
9: cipcb0: <POINTOPOINT,NOARP,NOTRAILERS,UP> mtu 1442 qdisc pfifo_fast qlen 100
     link/ipip 00:00:5e:83:62:00 peer 00:00:00:00:00:00
     inet 192.168.2.253 peer 192.168.1.253/32 scope global cipcb0


Ping the IP address to see if it is listening and responds.
p75firewall: -root-
# ping 192.168.2.253
PING 192.168.2.253 (192.168.2.253): 56 data bytes
64 bytes from 192.168.2.253: icmp_seq=0 ttl=255 time=3.2 ms
64 bytes from 192.168.2.253: icmp_seq=1 ttl=255 time=1.3 ms


Now check that the ciped-1 package correctly loaded the route for the peer 
firewall's subnet by issuing:
ip route
On Firewall 2 of our example network, you should see in the output 
something like:
p75firewall: -root-
# ip route
192.168.1.253 dev cipcb0  proto kernel  scope link  src 192.168.2.253
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.254
111.22.333.0/22 dev eth0  proto kernel  scope link  src 111.22.333.55
default via 111.22.333.1 dev eth0


-Configuring the firewall's ipchains to pass cipe-
You need to set LRP's ipchains packet filter to allow incoming UDP packets 
on port 9990. In the Dachstein release you can easily do this by editing 
the /etc/network.conf file. You can edit it either by using the lrcfg menu 
or by using vi to edit it directly at /etc/network.conf.
Look for a line that starts: EXTERN_UDP_PORT
There are several lines in the /etc/network.conf file that start with 
EXTERN_UDP_PORT. They show different ways of configuring external ports. 
Choose whichever you understand or whichever seems appropriate.
On Firewall 2 I use:
EXTERN_UDP_PORT0="111.22.333.55 9990 192.168.2.253"
where 111.22.333.55 is the IP address of my Dachstein box's external or 
eth0 interface, 9990 is the UDP port number and 192.168.2.253 is the IP 
address of Firewall 2's cipcb0 interface on the internal subnet.

In our example network, the Firewall 1 box should have 
EXTERN_UDP_PORT0="111.22.333.4 9990 192.168.1.253"

Question: is the above the correct setting? Presumably it sets the input 
and forward chains to accept these packets?

Save the changes, back up to the floppy and reboot.

When the firewalls come up, you should be able to ping the peer firewall's 
internal ethernet IP address from each firewall.
Issue the command:
# ping

-Other issues to resolve:-
On booting the firewall, CIPE produces an error that says it cannot use 
options cipcb1 - Do you simply delete this file to get rid of this error 
message?
Pinging the peer firewall's internal interface causes the firewall you are 
pinging from to crash. Have no idea what this is about yet.



_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user