Skip to main content

Ralsina.Me — Roberto Alsina's website

Setting up VPNs easily with CIPE

2003-09-14 15:10

Short version

This ar­ti­cle should ex­plain how to set­up and con­fig­ure a VPN us­ing CIPE. CIPE may not be stan­dard like IPSec, but it sure is a hell of a lot sim­pler.

Hypnoversion

CIPE is easy. CIPE is very easy. VP­Ns cre­at­ed with CIPE work, and they work well. CIPE is your friend. Life is sim­ple with CIPE. Now you feel sleep­y. Re­al­ly sleep­y. Keep look­ing at the pen­du­lum....

Who should read this

Those who:
  • Need a VPN
  • Have no rea­son to use IPSec
  • Don't know CIPE yet
Or those who:
  • Want to learn about VP­Ns but don't want to use dif­fi­cult soft­ware
Or those who:
  • Took my Lin­ux course, and re­mem­ber that at the VPN class I said I would doc­u­ment it some­day :-)

To those stu­dents I swear there is go­ing to be a span­ish ver­sion very soon, too!

So, what's a VPN and why would I need one?

VPN means Vir­tu­al Pri­vate Net­work. As you all should know, vir­tu­al means "not re­al". So, a VPN is "not a re­al pri­vate net­work".

If that def­i­ni­tion is not good enough, here's a bet­ter one, which is prob­a­bly not what you are go­ing to find in oth­er places:

A VPN is em­u­la­tiong a re­al net­work con­nec­tion us­ing an­oth­er. For ex­am­ple, you can use the in­ter­net con­nec­tions of two hosts to make it look like you have a di­rect con­nec­tion be­tween them.

And if that one is not good enough for you, go here.

Here's a sim­ple di­a­gram:

Simple Network-To-Network VPN Diagram
Simple Network-To-Network VPN Diagram

That is a VPN con­nect­ing Net­works A and B, and there is a "vir­tu­al link" or tun­nel con­nect­ing end­points A and B (the dot­ted ar­c).

Of course, since the tun­nel is a vir­tu­al link, the da­ta is still re­al­ly trans­mit­ted through the re­al links to the In­ter­net. It's just that ap­pli­ca­tions run­ning on the net­works or the end­points be­lieve they are send­ing through the vir­tu­al link.

Now, in or­der to make this more use­ful, the da­ta trans­ferred be­tween the end­points of the VPN is nor­mal­ly en­crypt­ed us­ing some se­cure al­go­rith­m.

What this ar­ti­cle tries to do is ex­plain to you how you can cre­ate one of these "vir­tu­al links" be­tween any two com­put­er­s, us­ing one spe­cif­ic soft­ware pack­age called CIPE.

Nor­mal­ly, when you read about VP­N­s, you are go­ing to run in­to IPSec. IPSec is good. But it is al­so a pain in the ass to se­tup, at least right now, at least in Lin­ux, and at least for me.

So, from now on, I will pre­tend IPSec does­n't ex­ist. For­get about it!

Types of VPNs
There are several types of VPNs:
Network-To-Network
In these, you connect, using the VPN link, two networks. The hosts in those networks can see each other through the VPN link as if they were connected through a regular point-to-point link or any other kind of connection. The hosts need no extra software, because all the hard work is done by the VPN gateways
Network-To-Host
Like Network-To-Network only you have no network on one side
Host-To-Host
Like Network-To-host only without networks ;-)

In oth­er VPN soft­ware, the con­fig­u­ra­tions for each of these is dif­fer­en­t. On CIPE, they are all ex­act­ly the same, ex­cept in the cas­es where you have a net­work be­hind one of the end­points, you need to do some sim­ple rout­ing con­fig­u­ra­tion to al­low all hosts to find it.

So, what can I do with it?

Well, dear read­er, it's a net­work. You can use a VPN to do what a net­work does: send da­ta from A to B.

But, since a VPN usu­al­ly works over a pub­lic net­work, you can for ex­am­ple, use it to get in­to your of­fice's net­work from home, or vicev­er­sa. Or to con­nect two of­fices to each oth­er.

Once you are con­nect­ed, you can share files, chat, do video­con­fer­ence, what­ev­er.

In fac­t, ver­sion 1.5 of CIPE can even do eth­er­net bridg­ing over UD­P. In prac­ti­cal terms, that makes it look like the switch­es in both ends of the VPN are plugged to each oth­er, and all hosts are part of a sin­gle LAN... with some very slow patch­es.

Enough Talk, Let's VPN

Installation

If your dis­tri­bu­tion does­n't in­clude CIPE, or if it in­cludes an old­er ver­sion (lat­est right now is 1.5.4), you need to get the lat­est ver­sion of CIPE from here.

In­stall it fol­low­ing the in­struc­tions (the usu­al ./­con­fig­ure && make && make in­stall should do).

If you are us­ing Red Hat, or oth­er dis­tri­bu­tions that al­ready in­clude CIPE, make sure you unin­stall the dis­tri­bu­tion's ver­sion. Al­so, on Red Hat, you have to re­move the cipcb ker­nel mod­ule that comes with the dis­tri­bu­tion, be­cause it will con­flict with the new ver­sion.

You will see that cipe in­stalls /lib/­mod­ules/2.4.18-14/mis­c/­cipcb.o but the dis­tro may in­clude some­thing like /lib/­mod­ules/2.4.18-14/k­er­nel/­driver­s/ad­don/cipe/­cipcb.o that you need to re­move (or at least move aside ;-)

Digging a Tunnel

For each two end­points you want to con­nec­t, you need to cre­ate a tun­nel. Think of tun­nels as the spe­cif­ic vir­tu­al links you cre­ate be­tween end­points.

You will have to run, on each end­point, a cipe process for each tun­nel that con­nects to that end­point.

For ex­am­ple, in this VP­N:

VPN with more than one tunnel
VPN with more than one tunnel

The end­points A and C have on­ly one tun­nel con­nect­ing to them, and need to run on­ly one CIPE pro­cess, while end­point B has two tun­nels and will have two run two copies of CIPE.

For each copy of CIPE you will run, you will need a sep­a­rate con­fig­u­ra­tion file, and you will have to call the CIPE process with dif­fer­ent op­tion­s.

The first CIPE
You can use as configuration file /etc/cipe/options and need to use no special options.
The second CIPE
Use another configuraion file. For example, /etc/cipe/options2, and call CIPE with option -o /etc/cipe/options2
Third and later CIPE
Like the second one, but change the number. For example, use /etc/cipe/options3 and so on.
Ok, so what do we put into those option files?

Here's an ex­am­ple:

Sample CIPE options file
maxerr=-1
ipaddr=10.0.0.2
ptpaddr=10.0.0.1
me=1.2.3.4:8000
peer=5.6.7.8:8000
key=2fe483867df1e7de3827edd26b193590

What the options mean
maxerr
If there are maxerr transmission errors, the virtual link goes down. Setting it to -1 makes it stay up.
ipaddr
The virtual link is a TCP/IP link, so it needs IP addresses to identify the endpoints. This is the IP address for this endpoint's virtual link.
ptpaddr
Like ipaddr, but it's the IP address of the other endpoint.
me
Remember that, in the end, the data is transmitted through the real link. This is the real IP address of this endpoint, plus a port number. The port number should be different for each copy of CIPE we run in this endpoint. So, in another options file, it should say, for example, me=1.2.3.4:8001
peer
The IP number and port for the other endpoint.
key
The key used to encrypt the data transmitted through the tunnel. Obviously, this means this file should only be readable by root. CIPE refuses to start if that's not the case. You could use anything here, but try to make it hard. The CIPE docs, for example, recommend using the output of ps -auxw|md5sum

You will no­tice that there are op­tions that are re­lat­ed to each oth­er. ipad­dr is re­lat­ed to pt­pad­dr, and me is re­lat­ed to peer.

In the op­tions file in the oth­er end­popin­t, those op­tions are switched:

Sample CIPE options file for the other endpoint
maxerr=-1
ipaddr=10.0.0.1
ptpaddr=10.0.0.2
me=5.6.7.8:8000
peer=1.2.3.4:8000
key=2fe483867df1e7de3827edd26b193590

Al­so, for each tun­nel you cre­ate, the ipad­dr/pt­pad­dr pair must be dif­fer­ent and should not be part of any net­work the end­points are con­nect­ed to. Ba­si­cal­ly that means they can't be valid In­ter­net IP ad­dress­es, and that they must be from pri­vate net­works oth­er than the ones you use.

For ex­am­ple, if your lo­cal net­works use 192.168 pre­fix­es, then choose the vir­tu­al IP ad­dress­es from the 10 or 172.16 pre­fix­es.

And that's it, your VPN tun­nel is con­fig­ured.

Starting CIPE
Simple as running the command ciped-cb ... plus the required -o option as described here. If you want to have CIPE start when your computer boots, just add all the ciped-cb invocations somewhere in the startup scripts. /etc/rc.d/rc.local is usually a good place.
Stopping CIPE

Just kill the ciped-cb process. Or do if­con­fig cipcb0 down.
If you have more than one tun­nel, you need to be care­ful to kill the right pro­cess, or to bring down the right in­ter­face.

Routing

If you have a net­work be­hind a re­mote CIPE end­point and you want it to be reach­able, you need to cre­ate a route, de­scrib­ing how to get there. As­sum­ing the net­work be­hind the re­mote end­point is 192.168.1.0/255.255.255.0, and the vir­tu­al IP for the re­mote end­point is 10.0.0.2, you need to run a com­mand like this when the CIPE link goes up:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.2

That can be done edit­ing the script called /etc/cipe/ip-up and adding what­ev­er com­mands (such as that ex­am­ple above) you want to run when the link goes up.

If you have more than one CIPE tun­nel run­ning, just cre­ate /etc/cipe/ip-up2 and so on, and in the match­ing op­tions file add the op­tion ipup=/etc/cipe/ip-up2.

Important Links

Roberto Alsina / 2006-04-04 16:19:

Comments for this story are here:

http://www.haloscan.com/com...

Used Transmission / 2010-11-24 09:35:

That's the great article! I just pass 'n read it, two thumbs up! ;)

Majid2045 / 2012-01-04 05:53:

جالب و مفید بود.

Contents © 2000-2023 Roberto Alsina