Crypto IP Encapsulation for Virtual Private Networks

Red Hat currently still supports the use of Crypto IP Encapsulation (CIPE), an alternative to IPsec for implementing Virtual Private Networks. You use the Internet Configuration Wizard to create a CIPE VPN connection, selecting the CIPE entry. The Configure Tunnel screen will then display entries for configuring your connection. For an initial connection, the first CIPE device, cipcb0, will be selected. You can then select your tunnel through device, a network device like an Ethernet connection. If you select server mode, then any device can be used for the CIPE connection. For the port, 7777 is the default, although you can select a particular port if you wish. You can then select the virtual local and remote addresses and generate a secret key.

Essentially, CIPE sets up a peer-to-peer encrypted connection between two computers. Both need to be running CIPE. One will operate as the server, usually the first to be configured, and the second as a client. The server will generate a secret key used for encryption, which will be transmitted to the client. The client, when it connects, will provide a remote peer address and port. The server will designate the Remote Peer Address entry as Server mode, letting the address and the Peer port to be automatically determined when the client connects. The port used by both systems is usually 7777. Transmissions are sent as encrypted UCP packets. Be sure also that you have opened your firewall to allow transmissions on the designated VPN port, 7777.

Each computer will have its own local IP address by which it will be identified. These can be any of the private IP addresses reserved for local addresses, normally starting at 192.168, for example, 192.168.10.1 and 192.168.10.2 (see Chapter 38). If you are already operating on a local network using these addresses, make sure you are not using a duplicate of one already in use. For that reason you could designate them as a separate sub-network, as used in this example, using 10 for the subnet, instead of 0, 192.168.10.1. The private IP addresses you want to use for your VPN are to be entered in the Remote and Local Virtual Address entries, local for the your computer and remote for the other computer.

In a window below the entries, the corresponding entries for the client computer are listed. These are usually the reverse of your own entries. Actual configuration information will be placed in the /etc/sysconfig/network-scripts directory, in the device file for the CIPE connection, like ifcfg-cipcb0. The actual remote IP address and port of the remote computer will be listed in the PEER entry, and its VPN address in the PTRADDR entry. The remote computer will have its own ifcfg-cipcb0 file listing your computer's actual IP address in its PEER entry, and your VPM address in the PTRADDR entry.