What is CIPE?

Crypto IP Encapsulation (CIPE)

CIPE is a VPN implementation developed primarily for Linux. CIPE uses encrypted IP packets that are encapsulated, or "wrapped" in packets (UDP) datagrams. A CIPE packets are given a header with destination information and is encrypted using an encryption mechanism CIPE. The packets are then transferred over IP as UDP packets through the virtual network device CIPE (cipcb x) on a carrier network to remote node destination. The figure shows a typical CIPE configuration connecting two Linux-based networks:

A network and a remote client connected by CIPE

This diagram shows a network running CIPE in a firewall (firewall) and a remote client machine acting as the node CIPE. CIPE connection acts as a tunnel through which all data related to the Intranet are routed between remote nodes. All data is encrypted using 128-bit keys generated dynamically and can be compressed for large file transfers or sending across a tunnel X applications to a remote host. CIPE can be configured to communicate between two or more Linux machines with CIPE and has network drivers for Win32-based operating systems.

Why Use CIPE

There are many reasons why using CIPE is a smart move for security and system administrators:

• Red Hat Enterprise Linux ships with CIPE therefore available for all Red Hat Enterprise Linux machines at the tips (eg, firewalls or gateways) to be connected to your Intranet. Red Hat Enterprise Linux also includes encrypted code supported by CIPE in general distribution.
• CIPE supports encryption using either standard encryption algorithms Blowfish or IDEA. Depending on the encryption export regulations in your country, you can use Blowfish (default) to encrypt all CIPE traffic on your Intranet.
• Because CIPE is software based, any old or redundant machine capable of running Red Hat Enterprise Linux can become a CIPE gateway, saving the organization need to purchase dedicated hardware to connect two LAN VPN securely.
• CIPE is actively developed to work in conjunction with iptables, ipchainsbased firewalls and other rules. All that is needed is acceptance couple of incoming CIPE UDP packets to coexist with existing firewall rules.

The CIPE configuration is done through text files, allowing administrators to configure their servers and CIPE clients remotely without the need for heavy graphical tools that would work poorly through the network. CIPE also be configured through the Network Management Tool.

Installing CIPE

Installation of CIPE is equivalent to installing a network interface under Linux. Cipe The RPM package contains configuration files found in / etc / cipe /, CIPE daemon (/ usr / sbin / ciped-cb), network scripts that load the kernel module and enable / disable the CIPE interface (if *-cipcb) and sample configuration files found in / usr/share/doc/cipe- <version> / samples /.

Also available is a detailed page explaining CIPE protocol and various implementation details.

The following guide details a sample configuration involving a client workstation that you want to connect securely to a remote LAN with a CIPE gateway.

The workstation uses dynamic IP addresses from a cable modem connection, while the gateway machine with CIPE uses the 192.168.1.0/24 range. This is what is known as a configuration CIPE "typical". The Figure 6-1 illustrates the typical CIPE configuration.

Installation of CIPE between the client and the server CIPE allows point to point connection using the Internet as the transmission medium WAN traffic.

The client workstation then transfer a file via the Internet to the firewall CIPE, where each packet is labeled with the time, encrypted and will be given the address of the CIPE receptor firewall. The destination firewall in turn reads the information from the header, removes it and sends it to the remote LAN router that is then routed to the destination node. This process is completely transparent to the end user. Most of the transaction takes place between pairs CIPE.

CIPE Server Configuration

CIPE To configure a server, install the RPM package cipe from CD-ROM or Red Hat Enterprise Linux via Red Hat Network.

	IMPORTANT
	If you are using an older version of Red Hat Enterprise Linux and / or have an older version of CIPE, you should upgrade to the latest version.

The next step is to copy the sample configuration files from / usr/share/doc/cipe- version / samples / (where version is the version installed on your system CIPE) to / etc / cipe /. Once copied, you will need to edit the / etc / cipe / options.cipcb x (x is incrementally starting from0, for those who wish to have more than one connection to the server CIPE CIPE) to include their addresses and LAN subnet publicly routable IP address of the firewall. Below is the sample file options included with the RPM Joinin Red Hat Enterprise Linux which, for this example, has been renamed tooptions.cipbcb0:

# Surprise, this file Allows comments (but only on a line by Themselves) # This is probably the minimal set of options That has to be in September # Without a "device" line, the device is picked dynamically # The peer's IP address 6.5.4.3 ptpaddr # Our CIPE device's IP address ipaddr 6.7.8.9 # My UDP address. Note: if you set port 0 here, the system will pick # One and tell it to you via the ip-up script. Same holds for IP 0.0.0.0. I bigred.inka.de: 6789 # ... And the UDP address we connect to. Of course no wildcards here. peer blackforest.inka.de: 6543 # The static key. Keep this file secret! # The key is 128 bits in hexadecimal notation. key xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Ptpaddr output is the remote address of the LAN CIPE. Ipaddr is the IP address of the CIPE workstation. I address is routable public IP address of the client sending UDP packets on the Internet, while peer is routable public IP address CIPE server. Note that the IP address of the client workstation is 0.0.0.0 because it uses a dynamic connection. The client handle CIPE CIPE server connection. The key field (represented by x's, should be secret) is shared static key. This key must be the same for both pairs or otherwise the connection will not be possible. See Section 6.8 for more information on how to generate a shared static key CIPE their machines.

Below is the edited file / etc/cipe/options.cipcb0 will use the client station:

10.0.1.2 ptpaddr ipaddr 10.0.1.1 I 0.0.0.0 peer LAN.EXAMPLE.COM: 6969 123456ourlittlesecret7890shhhh key

This is the file / etc/cipe/options.cipcb0 for CIPE server:

10.0.1.1 ptpaddr ipaddr 10.0.1.2 I LAN.EXAMPLE.COM: 6969 peer 0.0.0.0 123456ourlittlesecret7890shhhh key

Configuring Clients for CIPE

After successfully setting up and testing the CIPE server, you can develop the connection on the client machine.

CIPE Customers should be able to connect and disconnect from the CIPE connection in an automated way. In addition, CIPE has built-in mechanisms to customize settings for individual applications. For example, a remote employee CIPE device can connect to the LAN by typing:

/ Sbin / ifup cipcb0

The device should show up automatically, firewall rules and router information should also be configured with the connection. The remote employee should be able to terminate the connection with the following:

/ Sbin / ifdown cipcb0

The client configuration requires the creation of localized scripts are executed after the device is loaded. The same device configuration can be done locally through a user-created file called / etc/sysconfig/network-scripts/ifcfg-cipcb0. This file contains parameters that determine whether the CIPE connection occurs at boot time, what is the name of the CIPE device, among other things. The following is the ifcfg-cipcb0 to a remote client connecting to a server CIPE:

DEVICE = cipcb0 ONBOOT = yes BOOTPROTO = none USERCTL = no # This is the device for Which We add a host route to our CIPE peer through. # You May hard code This, but if left blank, we will try to guess from # The routing table in the / etc / cipe / ip-up.local file. PEERROUTEDEV = # We need to use internal DNS when connected via cipe. DNS = 192.168.1.254

The CIPE device is called cipcb0. The CIPE device is activated at boot time (configured through the ONBOOT field) and not use a boot protocol (eg DHCP) to receive an IP address for the device. PEERROUTEDEV field determines the name of CIPE server device that connects to the customer. If no device is specified in this field will be determined one after the device has been loaded.

If the internal networks behind a firewall, you need to specify rules that allow CIPE interface on the client machine, send and receive UDP packets. SeeChapter 7 for more information on configuring a firewall. For this example configuration, iptables rules are implemented.

	NOTE
	Clients must be configured so that localized parameters are placed in a file created by the called / etc / cipe / ip-up.local. Local parameters should be reversed when the session CIPE is turned off using / etc / cipe / ip-down.local.

The firewall should be configured on client machines to accept encapsulated CIPE UDP packets. The rules can vary widely, but basically it requires the acceptance of UDP packets in order to establish connectivity CIPE. The following iptables rules allow UDP broadcasts CIPE client on the remote machine connecting to the LAN, the final rules incorporate IP masquerading to allow the remote client to communicate to the LAN and the Internet.

/ Sbin / modprobe iptables / Sbin / service iptables stop / Sbin / iptables-P INPUT DROP / Sbin / iptables-F INPUT / Sbin / iptables-A INPUT-j ACCEPT-p udp-s 10.0.1.1 / Sbin / iptables-A INPUT-j ACCEPT-i cipcb0 / Sbin / iptables-A INPUT-j ACCEPT-i lo / Sbin / iptables-t nat-A POSTROUTING-s 192.168.1.0/24-o eth0-j MASQUERADE

Add rules to the client machine to access nodes behind the CIPE connection as if they were on the local network. This can be done by running the routecommand. For our example, the client workstation will need the following network path:

route add-net 192.168.1.0 netmask 255.255.255.0 gw 10.0.1.2

Below is the final script / etc / cipe / ip-up.local for the client workstation:

# / Bin / bash-v if [-f / etc/sysconfig/network-scripts/ifcfg- $ 1], then . / Etc/sysconfig/network-scripts/ifcfg- $ 1 else cat << EOT | logger Can not find config file ifcfg-$ 1. Exiting. EOF exit 1 fi if [-n $ {PEERROUTEDEV}], then cat << EOT | logger Can not find a default route to send packets cipe through! Punting and hoping for the best. EOT # Use routing table to determine peer gateway export PEERROUTEDEV = `/ sbin / route-n | grep ^ 0.0.0.0 | head-n 1 \ | Awk '{print $ NF}' ` fi # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Add The routes for the remote local area network # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # route add-host 10.0.1.2 dev $ PEERROUTEDEV route add-net 192.168.1.0 netmask 255.255.255.0 dev $ 1 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # IP TABLES Rules to restrict traffic # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # / Sbin / modprobe iptables / Sbin / service iptables stop / Sbin / iptables-P INPUT DROP / Sbin / iptables-F INPUT / Sbin / iptables-A INPUT-j ACCEPT-p udp-s 10.0.1.2 / Sbin / iptables-A INPUT-j ACCEPT-i $ 1 / Sbin / iptables-A INPUT-j ACCEPT-i lo / Sbin / iptables-t nat-A POSTROUTING-s 192.168.1.0/24-o eth0-j MASQUERADE

Customizing CIPE

CIPE can be configured in various ways, from passing parameters as arguments to the command line when starting ciped, to generate a new set of static shared keys. This allows a security administrator the flexibility to customize CIPE sessions to ensure safety as well as increased productivity.

	NOTE
	The most common parameters should be placed in the / etc / cipe / options.cipcb xto be automatically loaded at runtime. Note that any parameters passed on the command line and options ignores the respective parameters in the configuration file / etc / cipe / options.cipcb x.

The Table 6-1 lists some of the command line parameters when running the daemon ciped.

 

PARAMETERS	DESCRIPTION
arg	Pass arguments to the start script / etc / cipe / ip-up
CTTL	Sets the value of the carrier life time (Carrier Time To Live, TTL), the recommended value is 64
debug	Boolean value to enable debugging
device	Appointing the CIPE device
ipaddr	Publicly routable IP address of the machine CIPE
ipdown	Select an alternate ip-down script to script default / etc / cipe / ip-down
ipup	Select an alternate ip-up script to script default / etc / cipe / ip-up
key	Specifies a shared static key for CIPE connection
MAXERR	Number of errors allowed before the CIPE daemon leaves
me	Address UDP CIPE machine
mtu	Sets the maximum transfer unit of the device
nokey	Do not use encryption
peer	CIPE UDP address pair
Ping	Sets the keepalive ping specific interval CIPE (not ICMP)
socks	IP address and port number of the SOCKS server to proxy connections
Tokey	Sets the lifetime of the key dynamically, default is 10 minutes (600 seconds)
tokxc	Timeout value (timeout) for key exchange, the default is 10 seconds
tokxts	Timeout value to exchange timestamps shared keys, default is 0 (no timestamp)
toping	Timeout value for keepalive pings, default is 0

Table 6-1. Parameters CIPE

CIPE keys Administration

As previously mentioned, incorporates a combination CIPE secure encryptionkeys and static linked traffic to create a secure tunnel over carrier network such as the Internet. Using static link keys provides a common reference point for two CIPE networks to pass information securely. Therefore, it is imperative that both gateways CIPE network share exactly the same key, or else CIPE communication is not possible.
To generate keys CIPE is required to know which type of keys are supported.Random alphanumeric generators do not work. Static keys must be 32 strings of 128 bits. This can be created by running the following command, which uses odto create a hexadecimal key using the random number device / dev / random.

od-N 16 / dev / random-t x4 | awk '{print $ 2 $ 3 $ 4 $ 5}'

Place output in the file / etc/cipe/options.cipcb0 for all servers and clients CIPE.

Source: http://web.mit.edu/rhel-doc/3/rhel-sg-es-3/s1-vpn-cipe.html