
Subject: setting up cipe between 2 linux machines
From: "Tom Van Overbeke" <Tvanoverbeke,AT,atos,DOT,be>
Date: Tue, 24 Dec 2002 11:30:32 +0100


Hi,

I can't get cipe to work on my setup:

    tvo ------------------ INTERNET ---------- FIREWALL ----- suitespot2
    <dynamic ip address>

    VPN: 192.168.100.1 on port 8080                      VPN: 192.168.100.2 on port 8080

tvo is my home Linux server that is connected to the internet via cable modem (using DHCP). Via a DynDNS-style service I can connect to it over the internet using a xxxx.xxxxx.org hostname (for example, ssh -p 8080 xxx.xxxxx.org works).
suitespot2 is a Linux server at work from which I can connect to server tvo on port 8080.
example:

[root@suitespot2 cipe]# nmap -sU -p 8080 xxxx.xxxxx.org

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on 87ACDEDF.kabel.telenet.be (213.119.xxx.xxx):
Port       State       Service
8080/udp   open        unknown


So UDP traffic is clearly possible from suitespot2 towards tvo, although the incoming connection will appear to come from FIREWALL.

This is the /etc/cipe/options file on tvo (I want it to wait for connections, so I specified peer 0.0.0.0:8080):

# the peer's IP address
ptpaddr         192.168.100.2
# our CIPE device's IP address
ipaddr          192.168.100.1
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
me              xxxx.xxxxxxx.org:8080
# ...and the UDP address we connect to. Of course no wildcards here.
peer            0.0.0.0:8080
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key             xxxxxxxxxxxxxxxxxxxxx

This is the /etc/cipe/options file on suitespot2 (this server should initiate the VPN connection):

# the peer's IP address
ptpaddr         192.168.100.1
# our CIPE device's IP address
ipaddr          192.168.100.2
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
me              suitespot2:8080
# ...and the UDP address we connect to. Of course no wildcards here.
peer            xxxx.xxxxxxxxx.org:8080
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key             xxxxxxxxxxxxxxxxxxxxx

In both cipe.log files, I see the following entries appear when I start the ciped-cb process:

on tvo:        Dec 24 10:47:38 UP   cipcb0 xxx.xxx.xxx.xxx:8080 6541 192.168.100.1 192.168.100.2
on suitespot2: Dec 24 10:49:25 UP   cipcb0 172.21.3.14:8080 7012 192.168.100.2 192.168.100.1

When I start ciped-cb with the debug option, I get this output on tvo:

[root@tvo log]# ciped-cb debug
CIPE daemon vers 1.5.4 (c) Olaf Titz 1996-2000
device=(none)
debug=yes
ipaddr=192.168.100.1
ptpaddr=192.168.100.2
mask=
bcast=
mtu=0
metric=0
cttl=0
me=213.119.189.223:8080
peer=0.0.0.0:8080
key=(secret)
nokey=no
socks=
tokxc=0
tokey=0
ipup=(none)
ipdown=(none)
arg=(none)
maxerr=8
tokxts=0
ping=0
toping=0
dynip=no
hwaddr=(none)
ifconfig=no
checksum=no
Using cipcb0 index 0
sending CT_CONFREQ
received CT_CONFREQ
sending CT_CONF
peer configuration info: proto=3, crypto=b, version=1.5, correct key parser
received CT_CONF
peer configuration info: proto=3, crypto=b, version=1.5, correct key parser

Then I start ciped-cb debug on suitespot2:

[root@suitespot2 cipe]# ciped-cb debug
CIPE daemon vers 1.5.4 (c) Olaf Titz 1996-2000
device=(none)
debug=yes
ipaddr=192.168.100.2
ptpaddr=192.168.100.1
mask=
bcast=
mtu=0
metric=0
cttl=0
me=172.21.3.14:8080
peer=213.119.189.223:8080
key=(secret)
nokey=no
socks=
tokxc=0
tokey=0
ipup=(none)
ipdown=(none)
arg=(none)
maxerr=8
tokxts=0
ping=0
toping=0
dynip=no
hwaddr=(none)
ifconfig=no
checksum=no
Using cipcb0 index 0
sending CT_CONFREQ

And that's where it all ends. ifconfig -a shows cipcb0 on both ends as up:

on tvo:

cipcb0    Link encap:IPIP Tunnel  HWaddr
          inet addr:192.168.100.1  P-t-P:192.168.100.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1442  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

on suitespot2:

cipcb0    Link encap:IPIP Tunnel  HWaddr
          inet addr:192.168.100.2  P-t-P:192.168.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1442  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

But I can only ping the local 192.168.100.x address, not the remote one.

IP forwarding is set on both hosts:

[root@suitespot2 cipe]# cat /proc/sys/net/ipv4/ip_forward
1

On tvo, I need to force the cipcb module to load (insmod -f cipcb) because of the error:

/lib/modules/2.4.18-14/misc/cipcb.o was compiled for kernel version 2.4.18-14custom while this kernel is version 2.4.18-14

but other than that it does seem to work.

I have iptables running on tvo, and I'm allowing all UDP traffic to port 8080 via the NIC which is connected to the internet:

ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          udp dpt:8080

I'm also logging all traffic of this nature:

LOG        udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          udp dpt:8080 LOG flags 0 level 4 prefix `*** INCOMING UDP 8080 *** '

But strangely enough, so far I haven't had any incoming UDP packet on 8080. I would have assumed to see this traffic when I start ciped-cb on the client (suitespot2). But nmap says the port is open, so ???


I hope someone can help me out, because I really would like to get this stuff working.

Thanks in advance,

Tom.

--
Tom Van Overbeke
CCN/TC System & Network Admin
Atos Origin
Imperiastraat 10, B-1930 Zaventem, BELGIUM
Tel: +32 2 712 2824  Fax: +32 2 402 07 50
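An added example, not part of the original post or of the CIPE project: a small Python checker that parses two /etc/cipe/options files in the keyword/value format shown in the post and reports the mismatches worth ruling out first (ipaddr/ptpaddr not crossing over, differing static keys, both sides using a wildcard peer, `me` port not matching the other side's `peer` port, and a private `me` address, which means the peer will see a NATed source address instead). The sample configs are constructed to mirror the post; the hostname and key are placeholders, and 172.21.3.14 is the address the post's debug output shows for suitespot2.

```python
import ipaddress

# Constructed samples mirroring the two /etc/cipe/options files in the post;
# hostname and key are placeholders, 172.21.3.14 is from the post's debug output.
TVO = """\
ptpaddr 192.168.100.2
ipaddr  192.168.100.1
me      vpn-host.example.org:8080
peer    0.0.0.0:8080
key     00112233445566778899aabbccddeeff
"""
SUITESPOT2 = """\
ptpaddr 192.168.100.1
ipaddr  192.168.100.2
me      172.21.3.14:8080
peer    vpn-host.example.org:8080
key     00112233445566778899aabbccddeeff
"""

def parse_options(text):
    """Parse CIPE's 'keyword value' lines, dropping '#' comments and blanks."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts[parts[0]] = parts[1].strip()
    return opts

def split_addr(addr):
    host, _, port = addr.rpartition(":")
    return host, int(port)

def check_pair(a, b):
    """Return the consistency problems between two peers' option sets."""
    problems = []
    if a["ipaddr"] != b["ptpaddr"] or b["ipaddr"] != a["ptpaddr"]:
        problems.append("ipaddr/ptpaddr do not cross-match")
    if a["key"] != b["key"]:
        problems.append("static keys differ")
    if all(split_addr(c["peer"])[0] == "0.0.0.0" for c in (a, b)):
        problems.append("both sides use a wildcard peer, so neither will initiate")
    for name, me_side, other in (("a", a, b), ("b", b, a)):
        me_host, me_port = split_addr(me_side["me"])
        if me_port != split_addr(other["peer"])[1]:
            problems.append(f"{name}: 'me' port differs from the other side's 'peer' port")
        try:  # a private 'me' behind a firewall is NATed: the peer sees another source address
            if ipaddress.ip_address(me_host).is_private:
                problems.append(f"{name}: 'me' {me_host} is private, peer sees the NAT address")
        except ValueError:
            pass  # 'me' is a hostname; nothing to check offline
    return problems
```

Run as `check_pair(parse_options(TVO), parse_options(SUITESPOT2))`; for the post's setup the only finding is the private `me` on the suitespot2 side.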