6.5. CIPE Server Configuration

To set up the CIPE server, install the cipe RPM package from the Red Hat Enterprise Linux CD-ROM or via Red Hat Network.

Important

If you are using an older version of Red Hat Enterprise Linux and/or have an older version of CIPE, you should upgrade to the latest version.

Next, copy the sample configuration files from /usr/share/doc/cipe-version/samples/ (where version is the version of CIPE installed on your system) to /etc/cipe/. Once they are copied, edit the /etc/cipe/options.cipcbx file (x is a number incremented from 0, for those who want to have more than one CIPE connection on the CIPE server) to include your LAN subnet addresses and publicly routable firewall IP addresses. The following is the example options file included with the Red Hat Enterprise Linux cipe RPM which, for this example, is renamed to options.cipcb0:

# Surprise, this file allows comments (but only on a line by themselves)
# This is probably the minimal set of options that has to be set
# Without a "device" line, the device is picked dynamically

# the peer's IP address
ptpaddr         6.5.4.3

# our CIPE device's IP address
ipaddr          6.7.8.9

# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
me              bigred.inka.de:6789

# ...and the UDP address we connect to. Of course no wildcards here.
peer            blackforest.inka.de:6543

# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key             xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The ptpaddr is the remote LAN's CIPE address. The ipaddr is the workstation's CIPE IP address. The me address is the client's publicly routable IP address that sends the UDP packets over the Internet, while peer is the publicly routable IP address of the CIPE server. Note that the client workstation's IP address is 0.0.0.0 because it uses a dynamic connection. The CIPE client handles the connection to the host CIPE server. The key field (represented by x's; the key should be secret) is the shared static key. This key must be the same for both peers or the connection is not possible. Refer to Section 6.8 CIPE Key Management for information on how to generate a shared static key for your CIPE machines.

Here is the edited /etc/cipe/options.cipcb0 that the client workstation will use:

ptpaddr        10.0.1.2
ipaddr         10.0.1.1
me             0.0.0.0
peer           LAN.EXAMPLE.COM:6969
key            123456ourlittlesecret7890shhhh

Here is the /etc/cipe/options.cipcb0 file for the CIPE server:

ptpaddr        10.0.1.1
ipaddr         10.0.1.2
me             LAN.EXAMPLE.COM:6969
peer           0.0.0.0
key            123456ourlittlesecret7890shhhh
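
The client and server files above have to mirror each other: each side's ptpaddr is the other side's ipaddr, and the key is identical. The following Python check is an added example, not part of the original documentation or of the cipe package; it verifies that pairing, the key format stated in the sample file's comment (128 bits in hexadecimal, so 32 hex digits), and that the file mode gives no access to group or others. The function names and the sample key are assumptions made for illustration.

```python
import os, re, sys

REQUIRED = ("ptpaddr", "ipaddr", "me", "peer", "key")

def parse_options(text):
    """Parse 'name value' lines; comments are only valid on their own line."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return opts

def mode_is_private(st_mode):
    """True when group and others have no access at all (for example 0600)."""
    return (st_mode & 0o077) == 0

def check_pair(client_text, server_text):
    """Return a list of problems in a client/server pair of options files."""
    c, s = parse_options(client_text), parse_options(server_text)
    problems = []
    for label, o in (("client", c), ("server", s)):
        problems += [f"{label}: missing {n}" for n in REQUIRED if n not in o]
        # The sample file states the key is 128 bits in hex: 32 hex digits.
        if "key" in o and not re.fullmatch(r"[0-9a-fA-F]{32}", o["key"]):
            problems.append(f"{label}: key is not 32 hex digits")
    if c.get("key") != s.get("key"):
        problems.append("key differs between peers")
    # Each side's ptpaddr must be the other side's ipaddr.
    if (c.get("ptpaddr"), c.get("ipaddr")) != (s.get("ipaddr"), s.get("ptpaddr")):
        problems.append("ptpaddr/ipaddr are not mirrored")
    return problems

# Constructed sample input: the page's addresses with a made-up hex key.
SAMPLE_KEY = "00112233445566778899aabbccddeeff"  # constructed, do not reuse
CLIENT = "ptpaddr 10.0.1.2\nipaddr 10.0.1.1\nme 0.0.0.0\npeer LAN.EXAMPLE.COM:6969\nkey {k}\n"
SERVER = "ptpaddr 10.0.1.1\nipaddr 10.0.1.2\nme LAN.EXAMPLE.COM:6969\npeer 0.0.0.0\nkey {k}\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script CLIENT_OPTIONS SERVER_OPTIONS
        texts = [open(p).read() for p in sys.argv[1:]]
        for p in sys.argv[1:]:
            if not mode_is_private(os.stat(p).st_mode):
                print(f"{p}: accessible by group or others")
    else:
        texts = [CLIENT.format(k=SAMPLE_KEY), SERVER.format(k=SAMPLE_KEY)]
    print(check_pair(*texts) or "pair is consistent")
```

Run against the two example files above exactly as printed, the check reports the illustrative key 123456ourlittlesecret7890shhhh as not being 32 hex digits.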