OpenWrt Forum Archive

Topic: CIPE 1.6.0 Package

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi everyone,

I am currently considering building a CIPE package, based on CIPE 1.6.0. It will be my first ipkg package ever built. Is anybody interested in it?

I got a binary of CIPE built with a number of manual changes in the configure/make process. It works properly. If required I can try to work out a patch file and a makefile which can build an ipkg package without manual interference.

Greetings,
Stefan

Hi Stefan,

I would be interested. Getting CIPE to work on a wrt54gs is one of my next projects.

Regards,

Peter

Before you decide to use CIPE, read:

http://www.mail-archive.com/cypherpunks … 09553.html
http://diswww.mit.edu/bloom-picayune/crypto/14258
http://diswww.mit.edu/bloom-picayune/crypto/14238
http://www.cs.auckland.ac.nz/~pgut001/p … ux_vpn.txt
http://www.netheaven.com/pmtu.html

Now, these are about version 1.5, and the current version seems to be 1.6, so some issues might be fixed. But you have to wonder, how safe is it to use a VPN protocol that hasn't seen much public (or private) research? Is it really worth the risk?

If you have some problem with IPsec, at least go and use OpenVPN instead of CIPE. Even though OpenVPN is also a non standard, not IETF tunnel mechanism, it at least uses TLS/SSL, which has seen a lot of public scrutiny like IPsec.

Another issue is the path MTU issue. You might run into lots of problems when two layers of IP start to fragment or drop packets, and ICMPs for path MTU discovery aren't reaching the right layer.

Olaf in his CIPE FAQ describes ciphers (AES, Blowfish, 3DES) and then says 'these are secure and so my protocol is secure'. That's a rather misleading statement. Especially because he is mixing ciphers with algorithms and protocols. He then mentions the existence of DoS vulnerabilities, and other 'theoretical' vulnerabilities.

Frankly, IPsec and TLS/SSL are the two most widely used industry standards. They have been around for a long time, and are continuously shaken by the research community. I would not recommend using the CIPE protocol.

Paul
PS. Disclaimer: I am an Openswan (IPsec) developer.

openvpn is a very good package (easy to configure, a must especially for road warriors running XP) except that it depends on openssl, which takes a whopping 1.5M of flash space.

BTW, when can I see an openswan 2.2 package for openwrt? I have the kernel patch done for nat-t and am just waiting for 2.2 (mainly for AES, which is faster than 3DES).

I tried OpenVPN and got it up and running stable. So no issues with the package itself.

Unfortunately I had performance problems with NFS via OpenVPN. I had to reduce the size of NFS read/write buffer to get larger data transfer without blocking. With the smaller buffer size the performance was not great.

Using CIPE the NFS transfer worked with the larger default buffer size. That was the reason to use CIPE.

I use CIPE only for tunneling through a WLAN connection. So the exposure to the public is limited.

Greetings,
Stefan

Hi Stefan,

Do you have a CIPE 1.6.0 build available? If so, I'm interested in it. If not, I'm going to have a go at it.

I've used CIPE for many years now, and have found it to be an excellent lightweight VPN. Is it the last word in security? Maybe so, maybe not. But, for limited resource environments like the WRT, it works very well...

Thanks,
David

Yes, I do have a working CIPE available, but it does not come as a ready to install package. I do have a Makefile and a patch file, which together work with the OpenWRT build chain.

I did not finish creating a package out of the compiled binaries. I copied the cipe-cb and the cipcb.o files manually to the WRT.

Send me a private message if you want to get the binaries and/or the files to create them.

Greetings,
Stefan

I have been using openvpn for a while, works great. I still have a weird issue though: when I pipe ALL the traffic through the vpn link, some sites don't work. The weird thing is that I couldn't get those same sites to work when I played around with freeswan, AND they also don't work using a poptop pptpd server. Is this an MTU issue? I have searched high and low, but no answer. We want to be able to pipe all of the traffic so we can monitor web usage.

Anyone have any ideas?

Sample sites that don't work:

slashdot.com
microsoft.com

Sample sites that do work:
google.com
yahoo.com

It sounds like your problem is likely PMTU discovery related. A good explanation about this is at: http://www.netheaven.com/pmtu.html (this URL was listed above). Try some options like "--tun-mtu 1500 --fragment 1300 --mssfix" for openvpn--assuming that you're using a UDP tunnel.

....For recent versions of CIPE, try adding these lines to your options file:

mtu             1500
ignoredf
forcemtu

-David
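
Added example, not part of the original thread: a small Python model of the path-MTU black hole described in the posts above (Paul's MTU warning and David's reply). The 60-byte tunnel overhead, the hop names and all packet sizes are constructed assumptions; clamp_mss models the general idea behind an MSS clamp such as the --mssfix option David mentions.

```python
# Added illustration, not code from the thread. All sizes are constructed.
from dataclasses import dataclass

IP_HDR, TCP_HDR = 20, 20        # IPv4 and TCP headers without options
TUNNEL_OVERHEAD = 60            # assumed per-packet encapsulation cost (bytes)

@dataclass
class Hop:
    name: str
    mtu: int                    # largest IP packet this hop forwards unfragmented
    icmp_reaches_sender: bool   # does "fragmentation needed" get back to the sender?

def send_df(size, path):
    """Forward one DF-marked packet; return (outcome, next_hop_mtu_or_None)."""
    for hop in path:
        if size > hop.mtu:
            if hop.icmp_reaches_sender:
                return "frag-needed", hop.mtu
            return "dropped", None          # black hole: sender learns nothing
    return "delivered", None

def tcp_send(mss, path, retries=4):
    """Sender pushes full-size segments and shrinks only when ICMP tells it to."""
    size = mss + IP_HDR + TCP_HDR
    for _ in range(retries):
        outcome, learned = send_df(size, path)
        if outcome == "delivered":
            return "ok", size
        if outcome == "frag-needed":
            size = learned                  # classic PMTU discovery step
    return "stalled", size

def clamp_mss(mss, tunnel_mtu):
    """MSS clamp: cap the advertised MSS so full segments fit the tunnel."""
    return min(mss, tunnel_mtu - IP_HDR - TCP_HDR)

def make_path(icmp_ok):
    inner_mtu = 1500 - TUNNEL_OVERHEAD      # 1440 bytes left for the inner packet
    return [Hop("lan", 1500, True), Hop("tunnel", inner_mtu, icmp_ok)]

if __name__ == "__main__":
    for label, mss, icmp_ok in [
        ("healthy PMTUD", 1460, True),
        ("ICMP lost, full-size segment", 1460, False),
        ("ICMP lost, small response", 500, False),
        ("ICMP lost, MSS clamped", clamp_mss(1460, 1440), False),
    ]:
        print(f"{label:30} -> {tcp_send(mss, make_path(icmp_ok))}")
```

In this model short transfers pass while full-size segments stall once the ICMP message is lost, and the clamped MSS restores delivery without relying on ICMP.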

kb4fxc, that works perfectly. I had looked everywhere for that answer.

thanks!
bob

What would be the equivalent setting for pptp? I have encountered this before using openvpn, and capping the MTU solved the problem, and it seems to be a generic issue for any of these tunnel protocols.

The discussion might have continued from here.