Crypto IP Encapsulation (CIPE)
CIPE is a VPN implementation developed primarily for Linux. CIPE
uses encrypted IP packets that are encapsulated, or "wrapped", in
datagram (UDP) packets. Packets are given destination header information
and are encrypted using the default CIPE encryption mechanism, then
transferred over IP as UDP packets via its own virtual device
(cipcbx) over a carrier network (such as the
Internet) to an intended remote node. The following figure shows a
typical CIPE setup connecting two Linux-based networks:
The diagram shows a network running CIPE on the firewall, and a remote
client machine acting as a CIPE-enabled node. The CIPE connection acts
as a tunnel through which all Intranet-bound data is routed between
remote nodes. All data is encrypted using dynamically-generated 128-bit
keys, and can be further compressed for large file transfers or to
tunnel X applications to a remote host. CIPE can be configured for
communication between two or more CIPE-enabled Linux machines and also
has network drivers for Win32-based operating systems.
Why Use CIPE?
There are several reasons why CIPE would be a smart choice for
security and systems administrators:
Red Hat Linux ships with CIPE, so it is available to all Red Hat Linux edge
machines (for example, firewalls or gateways) that you wish to
connect to your Intranet. Red Hat Linux also includes CIPE-supported
encryption ciphers in its general distribution.
CIPE supports encryption using either of the standard Blowfish
or IDEA encryption algorithms. Depending on encryption export
regulations in your country, you may use the default (Blowfish) to
encrypt all CIPE traffic on your Intranet.
Because CIPE is software based, any older machine that is able
to run Red Hat Linux can become a CIPE gateway, saving an organization from
having to purchase expensive dedicated VPN hardware simply to
connect two LANs securely.
CIPE is actively developed to work in conjunction with IP
Tables, IP Chains, and other rules-based firewalls. Simple peer
acceptance of incoming CIPE UDP packets is all that is needed to
coexist with existing firewall rules.
Administrators can configure CIPE through text files.
CIPE Installation
The installation of CIPE is equivalent to installing a new network
interface under Linux. The CIPE RPM contains configuration files found
in /etc/cipe/, the CIPE daemon
(/usr/sbin/ciped-cb), network scripts that load
the kernel module and activates/deactivates the CIPE interface
(if*-cipcb), and sample configuration files found
in
/usr/share/doc/cipe-<version>/samples/. There
is also a detailed texinfo page explaining the CIPE protocol.
This guide details a sample configuration involving a workstation
client that wishes to connect securely to a remote LAN with a CIPE
gateway. The workstation uses a dynamic IP address via cable modem
connection, while the CIPE-enabled gateway machine employs the
192.168.1.0/24 range. This is what is known as a "typical" CIPE
configuration. The following diagram illustrates the network
architecture for this CIPE configuration:
Installing CIPE between the client and the CIPE server will allow
for a secured peer-to-peer connection using the Internet as a medium
for transmission of WAN traffic. The client workstation will then
transfer a file through the Internet to the CIPE-enabled firewall,
where each packet will be timestamped, encrypted, and given the peer
address of the receiving CIPE-enabled firewall. The destination
firewall then reads the header information, strips it, and sends it
through to the remote LAN router to be then routed to its destination
node. This process is seamless and completely transparent to end
users. The majority of the transaction is done between the
CIPE-enabled peers.
CIPE Server Configuration
To setup the CIPE server, simply install the RPM package from the
Red Hat Linux disc or via Red Hat Network.
 | Important |
|---|
| | If you are using an older version of
Red Hat Linux and/or have an older version of CIPE, you should upgrade to the
latest version.
|
The next step is to copy the sample configuration files from
/usr/share/doc/cipe-version/samples
(where version is the version of CIPE
installed on your system) to /etc/cipe/. Once
they are copied, you will need to edit the
/etc/cipe/options.cipcbx
(x is incremental starting from
0, for those who wish to have more than one
CIPE connection on the CIPE server) file to include your LAN subnet
addresses and publicly routable firewall IP addresses. The following
is the example options file included with the
Red Hat Linux CIPE RPM which, for this example, is renamed to
options.cibcb0:
# Surprise, this file allows comments (but only on a line by themselves)
# This is probably the minimal set of options that has to be set
# Without a "device" line, the device is picked dynamically
# the peer's IP address
ptpaddr 6.5.4.3
# our CIPE device's IP address
ipaddr 6.7.8.9
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
me bigred.inka.de:6789
# ...and the UDP address we connect to. Of course no wildcards here.
peer blackforest.inka.de:6543
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key xxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
The ptpaddr is the remote LAN's
CIPE address. The ipaddr is the
workstation's CIPE IP address. The me
address is the client's publicly routable IP address that sends the
UDP packets over the Internet, while
peer is the publicly routable IP
address of CIPE server. Note that the client workstation's IP address
is 0.0.0.0 because it uses a dynamic connection. The CIPE client will
handle the connection to the host CIPE server. The
key field (represented by x's; your
key should be secret) is the shared static key. This key
must be the same for both peers or connection
will not be possible. See the Section called CIPE Key Management for
information on how to generate a shared static key for your CIPE
machines.
Here is the edited /etc/cipe/options.cipcb0
that the client workstation will use:
ptpaddr 10.0.1.2
ipaddr 10.0.1.1
me 0.0.0.0
peer LAN.EXAMPLE.COM:6969
key 123456ourlittlesecret7890shhhh |
Here is the /etc/cipe/options.cipcb0 file for
the CIPE server:
ptpaddr 10.0.1.1
ipaddr 10.0.1.2
me LAN.EXAMPLE.COM:6969
peer 0.0.0.0
key 123456ourlittlesecret7890shhhh |
Configuring Clients for CIPE
After successfully configuring the CIPE server and testing for
functionality, you can now deploy the connection on the client
machine.
The CIPE client should be able to connect and disconnect the CIPE
connection in an automated way. Therefore, CIPE contains built-in
mechanisms to customize settings for individual uses. For example, a
remote employee can connect to the CIPE device on the LAN by typing
the following:
The device should automatically come up, and any firewall rules
and routing information should be executed along with the
connection. The remote employee should be able to terminate the
connection with the following:
Configuring clients requires the creation of localized scripts
that are run after the device has loaded. The device configuration
itself can be configured locally via a user-created file called
/etc/sysconfig/network-scripts/ifcfg-cipcb0.
This file contains pieces of parameters that determine whether the
CIPE connection occurs at boot-time and what the name of the CIPE
device is, among other things. The following is the
ifcfg-cipcb0 file for a remote client connecting
to the LAN A CIPE server:
# These first four should be self explanatory. Change as required.
DEVICE=cipcb0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
# This is the device for which we add a host route to our CIPE peer through.
# You may hard code this, but if left blank, we punt and try to guess from
# the routing table in the /etc/cipe/ip-up.local file.
PEERROUTEDEV=
# We need to use internal DNS when connected via cipe. These may change,
# but for now, they are correct as of 20010604.
DNS=192.168.1.254 |
The CIPE device is named
cipcb0. The CIPE device will be
loaded at boot-time (configured via the
ONBOOT field) and will not use a boot
protocol (for example, DHCP) to receive an IP address for the device.
The PEERROUTEDEV field determines the
CIPE server device name that the client will be connecting to. If no
device is specified in this field, one will be determined after the
device has been loaded.
If your internal networks are behind a firewall (always a good
policy), you need to set rules to allow the CIPE interface on the
client machine to send and receive UDP packets. Refer to
Chapter 7 for information on configuring a firewall for
Red Hat Linux. For our example, IP tables rules are implemented.
 | Note |
|---|
| | Clients should be configured such that all localized parameters
are placed in a user-created file called
/etc/cipe/ip-up.local. The local parameters
should be reverted when the CIPE session is shut down using
/etc/cipe/ip-down.local.
|
Firewalls should be configured on client machines to accept the
CIPE UDP encapsulated packets. Rules may vary widely, but the basic
acceptance of UDP packets is required for CIPE connectivity. The
following IP tables rules allow UDP packets for the CIPE connection
for the remote client connecting to the LAN; the final rule adds IP
Masquerading to allow the remote client to communicate to the LAN and
the Internet:
/sbin/modprobe iptables
/sbin/service iptables stop
/sbin/iptables -P INPUT REJECT
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -j ACCEPT -p udp -s 10.0.1.1
/sbin/iptables -A INPUT -j ACCEPT -i cipcb0
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE |
You must also add routing rules to the client machine to access
the nodes behind the CIPE connection as if they were on the local
network. This can be done by running the route
command. For our example, the client workstation would need to add the
following network route:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.1.2 |
The following shows the final /etc/cipe/ip-up.local
script for the client workstation:
#!/bin/bash -v
if [ -f /etc/sysconfig/network-scripts/ifcfg-$1 ] ; then
. /etc/sysconfig/network-scripts/ifcfg-$1
else
cat <<EOT | logger
Cannot find config file ifcfg-$1. Exiting.
EOF
exit 1
fi
if [ -n ${PEERROUTEDEV} ]; then
cat <<EOT | logger
Cannot find a default route to send cipe packets through!
Punting and hoping for the best.
EOT
# Use routing table to determine peer gateway
export PEERROUTEDEV=`/sbin/route -n | grep ^0.0.0.0 | head -n 1 \
| awk '{ print $NF }'`
fi
####################################################
# Add The routes for the remote local area network #
####################################################
route add -host 10.0.1.2 dev $PEERROUTEDEV
route add -net 192.168.1.0 netmask 255.255.255.0 dev $1
####################################################
# IP TABLES Rules to restrict traffic #
####################################################
/sbin/modprobe iptables
/sbin/service iptables stop
/sbin/iptables -P INPUT REJECT
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -j ACCEPT -p udp -s 10.0.1.2
/sbin/iptables -A INPUT -j ACCEPT -i $1
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE |
Customizing CIPE
CIPE can be configured in numerous ways, from passing parameters
as command-line arguments when starting ciped to
generating new shared static keys. This allows a security
administrator the flexibility to customize CIPE sessions to ensure
security as well as increase productivity. The following chart
details some of the command-line parameters when running
ciped.
| Note |
|---|
| | The most common parameters should be placed in the
/etc/cipe/options.cipcbx
file for automatic loading at runtime. Be aware that any parameters
passed at the command-line as options will
override respective parameters set in the
/etc/cipe/options.cipcbx
configuration file.
|
Table 6-1. CIPE Parameters
| Parameter | Description |
|---|
| arg | Passes arguments to the
/etc/cipe/ip-up initialization script |
| cttl | Sets the Carrier Time To Live value; recommended value is 64 |
| debug | Boolean value to enable debugging |
| device | Names the cipe device |
| ipaddr | Publicly-routable IP address of the CIPE machine |
| ipdown | Choose an alternate ip-down script than the default /etc/cipe/ip-down |
| ipup | Choose an alternate ip-up script than the default /etc/cipe/ip-down |
| key | Specify a shared static key for CIPE connection |
| maxerr | Number of errors allowable before the CIPE daemon quits |
| me | UDP address of the CIPE machine |
| mtu | Set the device maximum transfer unit |
| nokey | Do not use encryption |
| peer | The peer's CIPE UDP address |
| ping | Set CIPE-specific (non-ICMP) keepalive ping interval |
| socks | IP address and port number of the SOCKS server for proxy connections |
| tokey | Set dynamic key lifetime; default is
10 minutes (600 seconds) |
| tokxc | Timeout value for shared key exchange; default is 10 seconds |
| tokxts | Shared key exchange timestamp timeout value; default is
0 (no timestamps) |
| toping | Timeout value for keepalive pings; default is 0 |
CIPE Key Management
As previously mentioned, CIPE incorporates a secure combination of
static link keys and encrypted traffic to create a secure tunnel over
carrier networks such as the Internet. The use of static,
link keys provides a common point of reference
for two CIPE-enabled networks to pass information securely. Therefore,
it is imperative that both CIPE-enabled network gateways share the
exact same key, or CIPE communication will not be
possible.
Generating CIPE Keys
Generating CIPE keys requires knowledge of what kind of keys are
compatible. Random alphanumeric generators do not work. Static keys
must be 128-bit, 32-character strings. These can be created by piping
an arbitrary file or outputted process through the
md5sum command. For example:
Place this key in the /etc/cipe/options.cipcb0
file for all CIPE servers and clients.
