<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hello,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I am setting up a VPN
gateway and I am trying to assign to the connecting clients an IP from the
internal net (which is a public IP) from a DHCP address pool.</FONT></DIV>
<DIV><FONT face=Arial size=2>I have set up the dhcpd server to listen on lo and
the dhcrelay to relay ipsec0 to lo. I can see the DHCPDISCOVER packets and the
DHCPOFFER packets, but there are no DHCPREQUEST / DHCPACK packets following.
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The DHCP server is allocating
IPs in the range 131.123.35.155-160 / 255.255.255.0</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I am using SSH Sentinel 1.3.2,
openswan 2.1.2.rc3 and certificates.</FONT></DIV>
<DIV><FONT face=Arial size=2>One more thing: if I don't
specify that I want a DHCP address, I can create the tunnel...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is my ipsec.conf</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># /etc/ipsec.conf - FreeS/WAN IPsec configuration
file<BR># RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp
$</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># This file:
/usr/local/share/doc/freeswan/ipsec.conf-sample<BR>#<BR>#
Manual: ipsec.conf.5<BR>#<BR># Help: <BR># <A
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html</A><BR>#
<A
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html</A><BR>#
<A
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html</A><BR>#<BR>#
Policy groups are enabled by default. See:<BR># <A
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html</A><BR>#<BR>#
Examples:<BR># <A
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples</A>
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV><FONT face=Arial size=2>
<DIV><BR>version 2.0 # conforms to second version of
ipsec.conf specification</DIV>
<DIV> </DIV>
<DIV># basic configuration<BR>config
setup<BR> # Debug-logging
controls: "none" for (almost) none, "all" for
lots.<BR>
klipsdebug=none<BR>
plutodebug=none<BR>
interfaces=%defaultroute<BR>
uniqueids=yes<BR>
strictcrlpolicy=yes<BR>
virtual_private=%v4:192.168.0.0/16<BR>
#nat_traversal=yes</DIV>
<DIV> </DIV>
<DIV>conn %default<BR>
keyingtries=3<BR>
authby=rsasig<BR>
keyexchange=ike<BR>
ikelifetime=240m<BR>
keylife=60m<BR>
pfs=yes<BR>
compress=no<BR>
disablearrivalcheck=no<BR>
left=%defaultroute</DIV>
<DIV>
leftcert=ipsec_gateway.pem<BR>
right=%any<BR>
rightrsasigkey=%cert<BR>
auto=ignore</DIV>
<DIV> </DIV>
<DIV># Add connections here.<BR></DIV>
<DIV># DHCP incoming connections<BR>conn
dhcp<BR>
type=tunnel<BR> rightid="C=US,
ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu@cs.kent.edu,
E=radu@cs.kent.edu"<BR>
right=%any<BR>
rekey=no<BR>
keylife=2m<BR>
rekeymargin=30s<BR>
leftsubnet=0.0.0.0/0<BR>
rightsubnet=vhost:%priv<BR>
leftprotoport=udp/bootps<BR>
rightprotoport=udp/bootpc<BR>
pfs=no<BR> auto=add<BR>#<BR># From lab
- VPN connection<BR>conn test<BR>
type=tunnel<BR> rightid="C=US,
ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu@cs.kent.edu,
E=radu@cs.kent.edu"<BR>
leftsubnet=0.0.0.0/0<BR>
leftupdown=/usr/local/lib/ipsec/_updown_x509<BR>
rightsubnetwithin=131.123.35.0/24<BR>
auto=add</DIV>
<DIV> </DIV>
<DIV># RoadWarrior VPN connection<BR>conn
roadwarrior<BR>
type=tunnel<BR> rightid="C=US,
ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu@cs.kent.edu,
E=radu@cs.kent.edu"<BR>
leftsubnet=0.0.0.0/0<BR>
leftupdown="/usr/local/lib/ipsec/_updown_x509
up-client"<BR>
rightsubnet=vhost:%priv<BR>
rightsubnetwithin=131.123.35.0/24<BR>
pfs=no<BR> auto=add</DIV>
<DIV> </DIV>
<DIV># disabling OE connections<BR>conn
packetdefault<BR> auto=ignore</DIV>
<DIV>conn block<BR>
auto=ignore<BR>conn clear<BR>
auto=ignore<BR>conn
clear-or-private<BR>
auto=ignore<BR>conn private<BR>
auto=ignore<BR>conn
private-or-clear<BR>
auto=ignore<BR></DIV>
<DIV> </DIV>
<DIV>Thanks,</DIV>
<DIV> </DIV>
<DIV>Radu</DIV></FONT></BODY></HTML>