Problem: I know nothing about Cipe except for a short read-through of their homepage.
It's not a super difficult system. Basically, it creates its own interface, cipcbx, on your external ethernet connection, eth1 usually. This connection has its own IP and subnet (192.168.190.x in my case). These interfaces send and receive UDP packets with the encrypted data destined for the internal networks. They're both listening on the external interfaces on port 6060.
Obviously it's not quite that simple, but that's the basic gist of things.
Possibly not so smart to answer a question with just a new question, but the thing is that configuring Linux firewalls is, as I see it, generally a question of understanding the nature of the traffic that flows through it. I think that once the question "what is the nature of the traffic flow without a firewall?" is answered, it is always possible to design and verify a firewall that will let that traffic through.
Without a firewall, the traffic would originate on the internal machine; a route would tell it to head out through the cipcb0 interface, where it's encapsulated and sent in a UDP packet to port 6060 on the other external interface, where the cipd is listening and will receive the UDP packet, unpack it and send it on to its final internal destination.
First of all: what do they speak about, those two SME servers? What kind of traffic flows to and from via the tunnel?
Apart from the cipe traffic and ssh, there is no permanent connection between the two. The tunnel usually has fairly unimportant traffic; the client mainly uses it to send print jobs to printers in their other building (it's a couple of kilometers away).
Second: how does it really work? Is it some kind of client/server solution where one SME server is the server and the other is the client? (Or is it an arrangement where they are both equal, or does it work in a way that both are clients and servers?)
As far as I can tell, both sides can initiate the connection by doing a connect, then a key exchange. Either side can be a client or server.
All the IP addresses in the description above are IPs in the internal IP range. Should this encrypted tunnel run through a LAN environment only, or should it also pass via the internet?
The addresses are internal because that's where my problems start. The connections between the two work, the traffic is arriving from the internet without an issue; it's just being stopped before it can be unpacked by the cipd (which would be on the inside of the eth1 interface, if I were to draw a diagram).
Are the two SME servers set up as gateways or as standalone servers? If they are gateway servers, why do the two gateways have internal IPs on each side of the gateway?
They're gateways, with routers that make the external connections, which is why I'm not using FreeS/WAN, as it has real problems with double NATting; cipe doesn't really care.
By the way, if you don't have them installed already, I suggest you download and install RedHat 7.3 iptraf (traffic monitor) and nmap (port scanner).
I've done a bit of tcpdumping on the cipe and external interfaces, and I've done a netstat on both sides, which shows port 6060 open and established on both sides. My problem is that the firewall grabs the incoming UDP packets and discards them. I was thinking about having iptables be a bit more verbose when discarding the packets, but I honestly don't know how.
BTW, thanks for the reply; sorry I didn't reply earlier, I've been rather busy.
