Hi Lee, Hi all > It's arrogant because I haven't been able to > get cipe working myself work yet! But I think I'm pretty close and the > How-to includes some troubleshooting that should help others.
As I mentioned in another thread, I don't use CIPE either and didn't tried to use it yet. The only thing I tested was loading the modules and assigning an IP to the CIPE interface (and some other things). I didn't use it in real yet. But I know some people who are successfully running CIPE on LEAF with my package. They are all on the list and you may search the list for "cipe" and you'll find the threads. Christopher [crayon AT leechbox DOT net] John Hamill [jh AT lan1 DOT com DOT au] Etienne Charlier [ECharlier AT wanadoo DOT be] I hope those people aren't upset about my posting with their names. > I've drafted this how-to on how to get Sandro Minola's ciped-1 package > working on LRP (Dachstein). Etienne and John found out, that using my original ciped-1.lrp on an IDE-enabled kernel doesn't work. You'll get seg faults. I compiled the cipe binaries for IDE kernels but didn't make a package out of it. Christopher had to do this for himself because he's using an IDE enabled kernel. I asked him to send me his new package (he replaced the binaries). Both, IDE package and IDE binaries are available on my devel space: http://leaf.sourceforge.net/devel/sminola/files/devel/cipe-146-IDE/ http://leaf.sourceforge.net/devel/sminola/files/packages/ For those who speaks german (of course, others may visit it too, some things are in english anyway): My new (german) LEAF homepage is online. There is some documentation, links, files (inlcuding these mentioned above) and a forum for questions. My old one (which I'm sure some of you know) was ugly and outdated. Have a nice week --- Sandro Minola | LEAF Developer (http://leaf.sourceforge.net) mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED] http://www.minola.ch | http://leaf.sourceforge.net/devel/sminola - worldcontrol:~ # rm -rf /bin/laden > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Lee Kimber > Sent: Tuesday, January 01, 2002 1:35 AM > To: [EMAIL PROTECTED] > Subject: [Leaf-user] Draft CIPE on LRP how-to > > > This should be my last act of arrogance in 2001 ;-) > > I've drafted this how-to on how to get Sandro Minola's ciped-1 package > working on LRP (Dachstein). It's arrogant because I haven't been able to > get cipe working myself work yet! But I think I'm pretty close and the > How-to includes some troubleshooting that should help others. > > If anyone interested in cipe could have a look at it and tell me if there > are any obvious errors, I will update it and make it available. > > Once I've got cipe working, I'm going to turn my attention to IPsec and > will write that up as it goes along if there is a demand. > > Happy New Year everyone and thanks to Charles, Sandro and the many others > who work so hard to make this stuff available. > > Lee > > > CIPE on LRP how-to > > -Getting and installing the software- > Grab the latest ciped-1 package from Sandro Minola's package archive at: > http://leaf.sourceforge.net/devel/sminola/files/packages > Save it to your LRP floppy and tell LRP to call it on boot by editing > either syslinux.cfg (if you boot LRP from a floppy) or the lrpkg.cfg (if > you boot from a floppy or a CD) file. > Edit it by adding ciped-1 to the end of the line that starts "LRP=" > > -Configuring cipe on LRP- > Boot the system and make sure that cipe is being loaded. If it is, you > should see error messages in the boot display that show that cipe > is unable > to load the cipe modules using the parameter "my.hostname.here" and > "peer.hostname.here". > This is a good sign. It means that the ciped-1 package has dumped the > cipecb module in the /lib/modules directory and the options files > into the > /etc/cipe directory. The two options files in the /etc/cipe directory are > used to configure two cipe tunnels. We only need to configure one tunnel. > (Is that right?) > > We're going to assume that you want to use cipe to link two subnets, each > of which is attached to eth1 of each of your LRP firewalls. Firewall 1's > eth1 subnet is 192.168.1.0/24 and Firewall 2's eth1 subnet is > 192.168.2.0/24. > > The network looks like this: > (clean up ASCIIgram!) > > 192.168.1.254 eth1 > ---+----------| > |----------+- > eth1 192.168.2.254 > |Firewall 1+- eth0 > 111.22.333.4-<WAN>-111.22.333.55 > eth0 --+Firewall 2| > 192.168.1.253 cipcb0 > -+----------| |----------+- > cipcb0 192.168.2.253 > > > You tell cipe this information either by using LRP's lrcfg menu > system and > going to Packages | CIPE | Options or by using vi to edit the > options files > in each firewall's /etc/cipe directory > > On Firewall 1 /etc/cipe/options.cipcb0 should look like this: > > # the peer's IP address > ptpaddr 192.168.2.253 > # our CIPE device's IP address > ipaddr 192.168.1.253 > # my UDP address. Note: if you set port 0 here, the system will pick > # one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0. > me 111.22.333.4:9990 > # ...and the UDP address we connect to. Of course no wildcards here. > peer 111.22.333.55:9990 > # The static key. Keep this file secret! > # The key is 128 bits in hexadecimal notation. > key 3248fd20adf9c00ccf9ecc2393bbb3e4 > > On Firewall 2 /etc/cipe/options.cipcb0 should look like this: > > # the peer's IP address > ptpaddr 192.168.1.253 > # our CIPE device's IP address > ipaddr 192.168.2.253 > # my UDP address. Note: if you set port 0 here, the system will pick > # one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0. > me 111.22.333.55:9990 > # ...and the UDP address we connect to. Of course no wildcards here. > peer 111.22.333.4:9990 > # The static key. Keep this file secret! > # The key is 128 bits in hexadecimal notation. > key 3248fd20adf9c00ccf9ecc2393bbb3e4 > > Save your edits. Do a *full* backup of the ciped-1 package to floppy and > reboot. Note: that if you do a *partial* backup of a package that you are > loading from a floppy then you will lose the modules from your > /lib/modules > directory and cipe will not work. > > When the machines come back up, watch the boot messages for any signs of > problems. If there are none, test that you have got it right so > far. At the > command line issue the command: > ip add > on each firewall to see if your cipcb module has loaded and picked up the > IP address you want to bind to it. > > On Firewall 2 in our example network you should see an entry > similar to the > one below (though you will probably have a lower index number than 9 ;-)): > 9: cipcb0: <POINTOPOINT,NOARP,NOTRAILERS,UP> mtu 1442 qdisc > pfifo_fast qlen 100 > link/ipip 00:00:5e:83:62:00 peer 00:00:00:00:00:00 > inet 192.168.2.253 peer 192.168.1.253/32 scope global cipcb0 > > > Ping the IP address to see if it is listening and responds. > p75firewall: -root- > # ping 192.168.2.253 > PING 192.168.2.253 (192.168.2.253): 56 data bytes > 64 bytes from 192.168.2.253: icmp_seq=0 ttl=255 time=3.2 ms > 64 bytes from 192.168.2.253: icmp_seq=1 ttl=255 time=1.3 ms > > > Now check that the ciped-1 package correctly loaded the route for > the peer > firewall's subnet by issuing: > ip route > On Firewall 2 of our example network, you should see in the output > something like: > p75firewall: -root- > # ip route > 192.168.1.253 dev cipcb0 proto kernel scope link src 192.168.2.253 > 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.254 > 111.22.333.0/22 dev eth0 proto kernel scope link src 111.22.333.55 > default via 111.22.333.1 dev eth0 > > > -Configuring the firewall's ipchains to pass cipe- > You need to set LRP's ipchains packet filter to allow incoming > UDP packets > on port 9990. In the Dachstein release you can easily do this by editing > the /etc/network.conf file. You can edit it either by using the > lrcfg menu > or by using vi to edit it directly at /etc/network.conf > Look for a line that starts: EXTERN_UDP_PORT > There are several lines in the /etc/network.conf file that start with > EXTERN_UDP_PORT. They show different ways of configuring external ports. > Choose whichever you understand or whichever seems appropriate. > On Firewall 2 I use: > EXTERN_UDP_PORT0="111.22.333.55 9990 192.168.2.253" > where 111.22.333.4 is the IP address of my Dachstein boxes' external or > eth0 interface. 9990 is the UDP port number and 192.168.2.253 is the IP > address of Firewall 1's interface on the internal subnet. > > In our example network, the Firewall 1 box should have > EXTERN_UDP_PORT0="111.22.333.4 9990 192.168.1.253" > > Question: is the above the correct setting? Presumably it sets the input > and forward chains to accept these packets? > > Save the changes, back up to the floppy and reboot. > > When the firewalls come up, you should be able to ping the peer > firewall's > internal ethernet IP address from each firewall. > Issue the command: > # ping > > -Other issues to resolve:- > On booting the firewall, CIPE produces an error that says it cannot use > options cipcb1 - Do you simply delete this file to get rid of this error > message? > Pinging the peer firewall's internal interface causes the > firewall you are > pinging from to crash. Have no idea what this is about yet. > > > > _______________________________________________ > Leaf-user mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/leaf-user _______________________________________________ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
