<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hello,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>&nbsp;&nbsp;&nbsp; I am setting&nbsp;up&nbsp;a VPN 
gateway and I am trying to assign to the connection clients an IP from the 
internal net ( which is a public IP ) from a DHCP address pool. </FONT></DIV>
<DIV><FONT face=Arial size=2>I have setup the dhcpd server to listen on lo and 
the dhcrelay to relay ipsec0 to lo . I can see the DHCPDISCOVER packets and the 
DHCPOFFEr packets, but there is no DHCPREQUEST / DHCPACK packets following. 
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>&nbsp;&nbsp;&nbsp; The DHCP server is allocating 
IPs in the range 131.123.35.155-160 / 255.255.255.0</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>&nbsp;&nbsp;&nbsp; I am using SSH Sentinel 1.3.2 , 
openswan 2.1.2.rc3 and certificates.</FONT></DIV>
<DIV><FONT face=Arial size=2>&nbsp;&nbsp;&nbsp; One more thing : If I don't 
specify that I want a DHCP address , I can create the tunnel ...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>Here is my ipsec.conf</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2># /etc/ipsec.conf - FreeS/WAN IPsec configuration 
file<BR># RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp 
$</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2># This file:&nbsp; 
/usr/local/share/doc/freeswan/ipsec.conf-sample<BR>#<BR># 
Manual:&nbsp;&nbsp;&nbsp;&nbsp; ipsec.conf.5<BR>#<BR># Help: <BR># <A 
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html</A><BR># 
<A 
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html</A><BR># 
<A 
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html</A><BR>#<BR># 
Policy groups are enabled by default. See:<BR># <A 
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html</A><BR>#<BR># 
Examples:<BR># <A 
href="http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples">http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples</A>&nbsp;&nbsp; 
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV><FONT face=Arial size=2>
<DIV><BR>version 2.0&nbsp;&nbsp;&nbsp;&nbsp; # conforms to second version of 
ipsec.conf specification</DIV>
<DIV>&nbsp;</DIV>
<DIV># basic configuration<BR>config 
setup<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # Debug-logging 
controls:&nbsp; "none" for (almost) none, "all" for 
lots.<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
klipsdebug=none<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
plutodebug=none<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
interfaces=%defaultroute<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
uniqueids=yes<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
strictcrlpolicy=yes<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
virtual_private=%v4:192.168.0.0/16<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
#nat_traversal=yes</DIV>
<DIV>&nbsp;</DIV>
<DIV>conn %default<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
keyingtries=3<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
authby=rsasig<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
keyexchange=ike<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
ikelifetime=240m<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
keylife=60m<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
pfs=yes<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
compress=no<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
disablearrivalcheck=no<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
left=%defaultroute</DIV>
<DIV>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
leftcert=ipsec_gateway.pem<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
right=%any<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
rightrsasigkey=%cert<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
auto=ignore</DIV>
<DIV>&nbsp;</DIV>
<DIV># Add connections here.<BR></DIV>
<DIV># DHCP incoming connections<BR>conn 
dhcp<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
type=tunnel<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rightid="C=US, 
ST=Ohio, L=Kent, O=KSU, OU=Computer Science, <A 
href="mailto:CN=radu@cs.kent.edu">CN=radu@cs.kent.edu</A>, <A 
href="mailto:E=radu@cs.kent.edu">E=radu@cs.kent.edu</A>"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
right=%any<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
rekey=no<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
keylife=2m<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
rekeymargin=30s<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
leftsubnet=0.0.0.0/0<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
rightsubnet=vhost:%priv<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
leftprotoport=udp/bootps<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
rightprotoport=udp/bootpc<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
pfs=no<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=add<BR>#<BR># From lab 
- VPN connection<BR>conn test<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
type=tunnel<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rightid="C=US, 
ST=Ohio, L=Kent, O=KSU, OU=Computer Science, <A 
href="mailto:CN=radu@cs.kent.edu">CN=radu@cs.kent.edu</A>, <A 
href="mailto:E=radu@cs.kent.edu">E=radu@cs.kent.edu</A>"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
leftsubnet=0.0.0.0/0<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
leftupdown=/usr/local/lib/ipsec/_updown_x509<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
rightsubnetwithin=131.123.35.0/24<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
auto=add</DIV>
<DIV>&nbsp;</DIV>
<DIV># RoadWarrior VPN connection<BR>conn 
roadwarrior<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
type=tunnel<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rightid="C=US, 
ST=Ohio, L=Kent, O=KSU, OU=Computer Science, <A 
href="mailto:CN=radu@cs.kent.edu">CN=radu@cs.kent.edu</A>, <A 
href="mailto:E=radu@cs.kent.edu">E=radu@cs.kent.edu</A>"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
leftsubnet=0.0.0.0/0<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
leftupdown="/usr/local/lib/ipsec/_updown_x509 
up-client"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
rightsubnet=vhost:%priv<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
rightsubnetwithin=131.123.35.0/24<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
pfs=no<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=add</DIV>
<DIV>&nbsp;</DIV>
<DIV># disabling OE connections<BR>conn 
packetdefault<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore</DIV>
<DIV>conn block<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
auto=ignore<BR>conn clear<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
auto=ignore<BR>conn 
clear-or-private<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
auto=ignore<BR>conn private<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
auto=ignore<BR>conn 
private-or-clear<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
auto=ignore<BR></DIV>
<DIV>&nbsp;</DIV>
<DIV>Thanks,</DIV>
<DIV>&nbsp;</DIV>
<DIV>Radu</DIV></FONT></BODY></HTML>