Subject: Re: using CIPE
From: Kambiz Aghaiepour <kambiz,AT,redhat,DOT,com>
Date: Wed, 1 Aug 2001 20:13:13 +0200
In-reply-to: <Pine.LNX.4.21.0108011021590.8503-100000@raid.kaico.com>

Resent so others may benefit (Phil, hope that's ok with you):

Based on your reply, I have to suggest a couple of things.  First off, I would
put the cipe connection on a different network address than your existing
network (192.168.10, and 192.168.20). Also, on your second machine, I think
your network interface address for eth0 is wrong.  Take a look in
/etc/sysconfig/network-scripts/ifcfg-eth0 (assuming Red Hat distribution
installed). Did you mean it to be 10.168.20.27 ? (Or perhaps 192.168.20.27).

Ok.  Now, I would select a different network than those two, say: 192.168.30. 
Then on one machine, set your /etc/cipe/options file up to look like:

ptpaddr         192.168.30.27
ipaddr          192.168.30.28
me              192.168.20.28:9000
peer            192.168.20.27:9000
key             SOME_SHARED_KEY_GOES_HERE
maxerr          -1

And then, on the second machine, make /etc/cipe/options be:

ptpaddr         192.168.30.28
ipaddr          192.168.30.27
me              192.168.20.27:9000
peer            192.168.20.28:9000
key             SOME_SHARED_KEY_GOES_HERE
maxerr          -1

Notice that ptpaddr and ipaddr are switched between the two, as well as me and
peer.  Also, I understand that you are just testing, but typically, the cipe
peers are not directly on the same network.  But that shouldn't stop your
testing I guess.

(You can generate the SOME_SHARED_KEY_GOES_HERE by doing:
  dd if=/dev/random bs=512k count=1 | md5sum  
 and pasting the output)

Make sure /etc/cipe/options are mode 0600 and restart your cipe interfaces.
The cipe traffic will go across the 192.168.20.x network / interfaces.  You
should then be able to ping on the 192.168.30.x network, e.g. from
192.168.20.28:

   ping 192.168.30.27

and vice versa.

Once you have done the ping test successfully, you can add network routes for
other networks that might be beyond the cipe connection.  e.g.:

   network           (192.168.1.28, 192.168.20.28)
   192.168.1.x ----- cipe box A
                          \__ 192.168.20.x------public router
                                                    |
                                                    |
                     (192.168.2.27, 192.168.10.27)  |
   network   ------- cipe box B                     |
   192.168.2.x            \__ 192.168.10.x --------/

In this picture, let's say network 192.168.1.x is behind cipeA, and 192.168.2.x
is behind cipeB. Then, you configure cipe between cipeA and cipeB as such:

on cipeA, options would read:

ptpaddr         192.168.30.27
ipaddr          192.168.30.28
me              192.168.20.28:9000
peer            192.168.10.27:9000
key             SOME_SHARED_KEY_GOES_HERE
maxerr          -1

on cipeB, options would read:

ptpaddr         192.168.30.28
ipaddr          192.168.30.27
me              192.168.10.27:9000
peer            192.168.20.28:9000
key             SOME_SHARED_KEY_GOES_HERE
maxerr          -1

This creates the virtual interface between the two that sends encrypted
traffic across "public router".  You could then add network routes for each
side for the internal networks.  e.g. on cipeA you could say:

  route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.30.27

and on cipeB,

  route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.30.28

You can put the route add commands in /etc/cipe/ip-up.local and they should
execute when cipe comes up.  Let me know how things are going.

Good luck,
Kambiz

> Phil Barbier wrote:
> 
> Hi there, thanks very much for your reply - I will try and fill you in, this
> is on one of the machines - ciped-cb is running:-
> 
> cipcb0    Link encap:IPIP Tunnel  HWaddr
>           inet addr:192.168.10.254  P-t-P:192.168.10.1  Mask:255.255.255.255
> 
>           UP POINTOPOINT RUNNING NOARP  MTU:1442  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
> 
> eth0      Link encap:Ethernet  HWaddr 00:E0:7D:7C:C2:6D
>           inet addr:192.168.20.28  Bcast:192.168.20.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:35513 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:14013 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:46 txqueuelen:100
>           Interrupt:10
> 
> eth1      Link encap:Ethernet  HWaddr 00:E0:7D:7C:C2:6C
>           inet addr:192.168.10.28  Bcast:192.168.10.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:36199 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:47214 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:5813 txqueuelen:100
>           Interrupt:11 Base address:0x2000
> 
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:8 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
> 
> and then on the other machine:-
> 
> cipcb0    Link encap:IPIP Tunnel  HWaddr
>           inet addr:192.168.10.254  P-t-P:192.168.10.1  Mask:255.255.255.255
> 
>           UP POINTOPOINT RUNNING NOARP  MTU:1442  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
> 
> eth0      Link encap:Ethernet  HWaddr 00:C0:DF:07:54:9A
>           inet addr:10.168.20.27  Bcast:10.255.255.255  Mask:255.0.0.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           Interrupt:12
> 
> eth1      Link encap:Ethernet  HWaddr 00:E0:7D:7C:C2:77
>           inet addr:192.168.10.27  Bcast:192.168.10.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:14899 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:13468 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:58 txqueuelen:100
>           Interrupt:5 Base address:0x2000
> 
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:8 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
> 
> I've no real clue as to how this stuff works, as I'm still in the learning
> stage,
> so any help would be vastly appreciated,
> 
> Thanks very much,
> 
> Phil.

ewheeler,AT,kaico,DOT,com wrote:
> 
> you need to 'insmod cipcb.o' to get the kernel support for it!  From the
> cipe directory tree, do insmod `find | grep cipcb.o`
> 
> then do 'lsmod' to make sure that it actually inserted into the
> kernel.  Note that the kernel you are running and the source tree in
> /usr/src/linux must be the same!
> 
> --Eric
> 

-- 
\o__O  o       Kambiz Aghaiepour     -       Red Hat, Inc.       o   o
  \_  /|\  Sr. System Administrator  |\|  (919) 547-0012 x251   //\ //\
   |\  |\ -=-=-=-=-=-=-=-=-=-=-=-=-  | | -=-=-=-=-=-=-=-=-=-=-   //  //
  / /  |/  mailto:kambiz,AT,redhat,DOT,com    | http://www.redhat.com   |\  ||
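The script below is an added example, not part of Kambiz's or Phil's messages and not shipped with CIPE. It turns the advice in the reply into checks you can run before bringing the tunnel up: both /etc/cipe/options files must mirror each other (ptpaddr/ipaddr and me/peer swapped, same key, no placeholder key), each file must be mode 0600, and the gateway in each "route add" line is the local side's ptpaddr. The parser assumes the simple "keyword value" layout shown in the message; the key generator uses head/od/tr instead of the dd|md5sum pipeline from the post but likewise yields 32 hex characters (128 bits); the two sample option files are constructed in a scratch directory and the function names (cipe_opt, cipe_check_pair, cipe_check_mode, cipe_route_cmd, cipe_demo) are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the CIPE sources):
# sanity checks for a pair of /etc/cipe/options files.

# Read one option from an options file: first field is the keyword,
# second field the value. Assumes the plain layout shown in the post.
cipe_opt() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Generate a 128-bit pre-shared key as 32 hex characters from the kernel
# RNG. Assumption: this replaces the post's 'dd if=/dev/random | md5sum'
# with head/od/tr, which produces the same shape of key without hashing.
cipe_gen_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Check that two options files describe one tunnel seen from both ends:
# A.ptpaddr == B.ipaddr, A.ipaddr == B.ptpaddr, A.me == B.peer,
# A.peer == B.me, and both carry the same (non-placeholder) key.
# Prints each mismatch to stderr; returns 0 only if everything lines up.
cipe_check_pair() {
    a="$1"; b="$2"; rc=0
    for pair in ptpaddr:ipaddr ipaddr:ptpaddr me:peer peer:me key:key; do
        ka=${pair%%:*}; kb=${pair##*:}
        va=$(cipe_opt "$a" "$ka"); vb=$(cipe_opt "$b" "$kb")
        if [ -z "$va" ] || [ "$va" != "$vb" ]; then
            echo "mismatch: $a $ka='$va' vs $b $kb='$vb'" >&2
            rc=1
        fi
    done
    case "$(cipe_opt "$a" key)" in
        SOME_SHARED_KEY_GOES_HERE|"")
            echo "key in $a is still the placeholder" >&2; rc=1 ;;
    esac
    return $rc
}

# The post says the options file must be mode 0600: group and other bits
# (columns 5-10 of 'ls -l') must all be '-' so the key is not world-readable.
cipe_check_mode() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Print the route the post adds for a LAN behind the far end: the gateway
# is the far peer's tunnel address, i.e. this side's ptpaddr.
cipe_route_cmd() {
    # $1 = this side's options file, $2 = remote network, $3 = netmask
    echo "route add -net $2 netmask $3 gw $(cipe_opt "$1" ptpaddr)"
}

# Build the two mirrored files from the post (constructed here, in a
# scratch directory) with a fresh key and run the checks. $1 optionally
# overrides B's ipaddr so a mis-mirrored pair can be demonstrated.
cipe_demo() {
    b_ipaddr=${1:-192.168.30.27}
    dir=$(mktemp -d) || return 1
    key=$(cipe_gen_key)
    cat > "$dir/options.A" <<EOF
ptpaddr         192.168.30.27
ipaddr          192.168.30.28
me              192.168.20.28:9000
peer            192.168.20.27:9000
key             $key
maxerr          -1
EOF
    cat > "$dir/options.B" <<EOF
ptpaddr         192.168.30.28
ipaddr          $b_ipaddr
me              192.168.20.27:9000
peer            192.168.20.28:9000
key             $key
maxerr          -1
EOF
    chmod 0600 "$dir/options.A" "$dir/options.B"
    rc=0
    cipe_check_pair "$dir/options.A" "$dir/options.B" || rc=1
    cipe_check_mode "$dir/options.A" || rc=1
    cipe_check_mode "$dir/options.B" || rc=1
    cipe_route_cmd "$dir/options.A" 192.168.2.0 255.255.255.0
    rm -rf "$dir"
    return $rc
}
```

Running cipe_demo with no argument prints the cipeA route line from the post and exits 0; running it with a wrong ipaddr for B (for example cipe_demo 192.168.30.99) reports the ptpaddr/ipaddr mismatch and exits 1, which is the kind of typo that otherwise shows up only as a tunnel that comes up but never passes a ping.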