Networking Forums

Setting up VPN using CIPE -Reg

 
 
Rvk
Guest
Posts: n/a

 
      02-15-2005, 06:15 AM
We are setting up a VPN to connect a remote office with the company
network. Both machines have RH9. I set up the CIPE device using the
Red Hat GUI. Both are activated and running. The server (at HO)
cipcb0 is given 192.168.1.103, and the client cipcb0 is
192.168.2.203. The server is connected using a stable IP, and the client
is using a modem, so the address for the modem end is given as
0.0.0.0.

The route entries are given as 192.168.2.0/255.255.255.0 and
192.168.1.0/255.255.255.0 on the respective machines. The firewalls
are temporarily disabled for testing.
1. How can I test that the VPN is working? Pinging 192.168.1.103
/192.168.2.203 from the opposite end does not give any results. The
gateway is not given, as the machines are those connected to the
internet. Giving the machine's local IP as the gateway does not yield
any response. Am I missing anything? Advise me.

regards,
Raju
 
Davide Bianchi
Guest
Posts: n/a

 
      02-15-2005, 08:11 AM
On 2005-02-15, Rvk <(E-Mail Removed)> wrote:
> cipcb0 is given 192.168.1.103, and the client cipcb0 is
> 192.168.2.203.


Why two different subnets?

> The route entries are given as 192.168.2.0/255.255.255.0 and
> 192.168.1.0/255.255.255.0 on the respective machines.


A CIPE connection is basically a ptp connection; you should be able
to see packets from machine A coming into machine B on the port you
specified in the tunnel. Be sure that those packets are coming in and
getting out.

Davide

--
NT 5.0 so vaporous it's in danger of being added to the
periodic table as a noble gas.
-- From Slashdot.org
 
chris-usenet@roaima.co.uk
Guest
Posts: n/a

 
      02-15-2005, 08:17 AM
Rvk <(E-Mail Removed)> wrote:
> We are setting up a VPN to connect a remote office with the company
> network. Both machines have RH9. I set up the CIPE device using the
> Red Hat GUI.


CIPE apparently has some /serious/ vulnerabilities, as described by
Peter Gutmann, a specialist in the design and analysis of cryptographic
security architectures.

PG's updated critique, which includes a revised coda:
http://www.cs.auckland.ac.nz/~pgut00.../linux_vpn.txt

Olaf Titz's (CIPE author) rebuttal:
http://sites.inka.de/bigred/archive/.../msg00252.html

One "independent" comment:
http://seclists.org/lists/fulldisclo.../Sep/1468.html

Chris
 
vkr21@sify.com
Guest
Posts: n/a

 
      02-15-2005, 10:02 AM
How can I know that the packets are coming in? That is my problem.
Although I am administering a small Linux network, I am not an expert
at it. That is the problem.
One more thing is that when I did a 'netstat -tupan', I found that
the CIPE port is listening on the localhost IP number "127.0.0.1", not
on the internet IP number, but on the client it is properly listening
on the dynamic IP number.
When doing "nmap" from outside (over the internet) to both machines with
the IP numbers, both do not show any cipcb0 port listening.

Is this proper? If not, how can I correct it?

Regards,

Raju

 
Davide Bianchi
Guest
Posts: n/a

 
      02-15-2005, 10:40 AM
On 2005-02-15, (E-Mail Removed) <(E-Mail Removed)> wrote:
> How can I know that the packets are coming in ?


iptraf and tcpdump are your friends:

# tcpdump -i eth1 -n | grep 59807
tcpdump: listening on eth1
12:36:11.355849 ip.of.my.machine.59807 > ip.of.my.peer.59807: udp 280 (DF) [tos 0x10]
12:36:11.377094 ip.of.my.peer.59807 > ip.of.my.machine.59807: udp 72 (DF) [tos 0x10]
12:36:11.377822 ip.of.my.peer.59807 > ip.of.my.machine.59807: udp 72 (DF) [tos 0x10]
12:36:11.378886 ip.of.my.peer.59807 > ip.of.my.machine.59807: udp 120 (DF) [tos 0x10]
12:36:11.383254 ip.of.my.machine.59807 > ip.of.my.peer.59807: udp 616 (DF) [tos 0x10]

> One more thing is that when I did a 'netstat -tupan', I found that
> the CIPE port is listening on the localhost IP number "127.0.0.1"


Then maybe you have a wrong configuration for your interface.

# cat /etc/sysconfig/network-scripts/ifcfg-cipcb0
DEVICE=cipcb0
ONBOOT=no
IPADDR=tunnel.ip.my.machine
PTPADDR=tunnel.ip.my.peer
ME=ip.of.my.machine:59807
PEER=ip.of.my.peer:59807

> When doing "nmap" from outside (over the internet) to both machines with
> the IP numbers, both do not show any cipcb0 port listening.


I hope you have a firewall that is blocking everything BUT the correct
subnet/host; maybe your firewall is blocking the packets.

Davide

--
Why use Windows, since there is a door?
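
An added example, not part of any post in this thread: a shell helper for the two checks discussed above, namely which direction the tunnel's UDP packets flow in `tcpdump -n` output and which local address the CIPE port is bound to in `netstat -upan` output. The function names, addresses and sample lines are constructed for illustration; 59807 is the port from the post above.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are constructed
# (documentation ranges); 59807 is the port used in the post above.

# cipe_direction LOCAL PEER PORT: reads `tcpdump -n` lines on stdin and
# prints "tx=N rx=M VERDICT" for UDP between LOCAL:PORT and PEER:PORT.
cipe_direction() {
    awk -v l="$1.$3" -v p="$2.$3" '
        {
            # Locate ">" so both the old ("time src > dst:") and the newer
            # ("time IP src > dst:") tcpdump layouts are handled.
            for (i = 2; i < NF; i++) if ($i == ">") {
                src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
                if (src == l && dst == p) tx++
                if (src == p && dst == l) rx++
                break
            }
        }
        END {
            v = "two-way"
            if (!tx && !rx) v = "silent"
            else if (!rx)   v = "outbound-only"
            else if (!tx)   v = "inbound-only"
            printf "tx=%d rx=%d %s\n", tx, rx, v
        }'
}

# cipe_bound_addr PORT: reads `netstat -upan` lines on stdin and prints the
# local address of each UDP socket on PORT. A socket bound to 127.0.0.1
# cannot receive packets sent by the remote peer.
cipe_bound_addr() {
    awk -v port="$1" '$1 ~ /^udp/ {
        n = split($4, a, ":")
        if (a[n] == port) { sub(/:[0-9]+$/, "", $4); print $4 }
    }'
}

# Constructed capture: two tunnel packets leave, nothing comes back.
SAMPLE_DUMP='12:36:11.355849 192.0.2.10.59807 > 198.51.100.20.59807: udp 280 (DF)
12:36:12.383254 IP 192.0.2.10.59807 > 198.51.100.20.59807: UDP, length 616
12:36:13.100000 192.0.2.10.33012 > 198.51.100.20.53: udp 40'
# Constructed netstat line: the tunnel socket is bound to loopback.
SAMPLE_NETSTAT='udp        0      0 127.0.0.1:59807    0.0.0.0:*    -'

printf '%s\n' "$SAMPLE_DUMP" | cipe_direction 192.0.2.10 198.51.100.20 59807
printf '%s\n' "$SAMPLE_NETSTAT" | cipe_bound_addr 59807
```

On a live system, pipe the real command output into the functions instead of the samples, using the addresses and port from ME= and PEER= in ifcfg-cipcb0.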
 
James Knott
Guest
Posts: n/a

 
      02-15-2005, 01:05 PM
(E-Mail Removed) wrote:

> How can I know that the packets are coming in? That is my problem.
> Although I am administering a small Linux network, I am not an expert
> at it. That is the problem.


Use ethereal. It's a network monitor program, which can be used to monitor
VPNs as well as regular NICs.

It may be included with Red Hat.


Incidentally, OpenVPN might be a better way to go.

 
vkr21@sify.com
Guest
Posts: n/a

 
      02-18-2005, 09:21 AM
Using the tcpdump command yields no result. It just stays there
without any activity. When I use the "ethereal" utility listening on
the cipcb0 device, the outgoing data is detected, but no incoming
data. On both machines the firewalls are disabled. I am using the
ping method to test the connection. Can ping be used to test the setup?
What address should be pinged:
the cipcb0 address, i.e. 10.0.0.1, or the LAN IP, 192.168.1.103?
The routes are proper. Is there anything else preventing data coming
in?
Is there any other method to check the establishment of the connection?

Regards,
Raju

 