[Openswan Users] help with dhcp

Alvaro Reguly openswan at adplabs.com.br
Tue Jul 20 18:44:13 CEST 2004


A copy of my original post follows. I "just" want to connect to my 
intranet and samba from home or somewhere else. Looks like I am halfway 
there: I can securely ping my external interface.

I don't know how to implement DHCP-Over-IPSec, so I will try with l2tp.

Thanks!

Álvaro

===


Hello, I have got it working with Fedora Core 2 with the RPMs from 
openswan.org and Windows XP, using certificates.

Now I need some advice to get it working with DHCP that is running behind 
the gateway.

I would like to enable the roadwarrior (WinXP) to get an IP from our 
intranet and use samba, etc.

roadwarrior  <--> gateway <--> LAN

Roadwarrior is Windows XP with signed certificates, getting dynamic IPs 
(nat and without nat).

Gateway is Fedora Core 2 with 2 NICs, a static public IP, and a static private 
IP (172.16.0.0/16). It runs DHCP only on the internal NIC, supplying IPs 
from the 172.16/16 range.

This is what my ipsec.conf looks like now. Can anyone advise me what else 
I need to get it working with my LAN?

Thanks in advance.

version 2.0

config setup
     nat_traversal=yes
     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
     keyingtries=2
     compress=yes
     disablearrivalcheck=no
     authby=rsasig
     leftrsasigkey=%cert
     rightrsasigkey=%cert

conn roadwarrior-net
     #leftsubnet=(your_subnet)/(your_netmask)
     leftsubnet=172.16.0.0/16
     #leftsubnet=200.162.106.160/27
     also=roadwarrior

conn roadwarrior
     left=%defaultroute
     leftcert=adplabs_vortex.pem
     right=%any
     rightsubnet=vhost:%no,%priv
     auto=add
     pfs=yes

conn roadwarrior-l2tp
     pfs=no
     leftprotoport=17/0
     rightprotoport=17/1701
     also=roadwarrior

conn roadwarrior-l2tp-updatedwin
     pfs=no
     leftprotoport=17/1701
     rightprotoport=17/1701
     also=roadwarrior

conn roadwarrior-all
     leftsubnet=0.0.0.0/0
     also=roadwarrior

On Tue, 20 Jul 2004, Nate Carlson wrote:

> On Tue, 20 Jul 2004, Alvaro Reguly wrote:
>> Humm, thru Nate Carlson's howto I had the impression I could do it
>> without l2tpd.
>
> It is kind of possible to assign an internal ip using Xsourceip=, but it
> doesn't always work that well - the howto I wrote does not cover assigning
> an internal IP to the client.
>
> What problem are you trying to solve?
>
> ------------------------------------------------------------------------
> | nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
> |       depriving some poor village of its idiot since 1981            |
> ------------------------------------------------------------------------
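The ipsec.conf above chains conns together with also= and conn %default, so the settings a given conn actually runs with (PFS on or off, which subnet, which auth) are not visible in any one section. The following is an added example, not code from the original post or from Openswan: it parses a trimmed copy of that config and resolves the inheritance, assuming Openswan's documented precedence (a section's own parameters win, then the also= targets in order, then %default fills whatever is still unset).

```python
# Added example (not from the original post): resolve "also=" and "conn %default"
# inheritance in an Openswan ipsec.conf to review each conn's effective settings.
SAMPLE_CONF = """\
conn %default
     authby=rsasig
conn roadwarrior-net
     leftsubnet=172.16.0.0/16
     also=roadwarrior
conn roadwarrior
     rightsubnet=vhost:%no,%priv
     pfs=yes
conn roadwarrior-l2tp
     pfs=no
     leftprotoport=17/0
     rightprotoport=17/1701
     also=roadwarrior
"""

def parse_conns(text):
    """Return {conn: {key: value, "also": [names]}}; '#' comments are dropped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                       # section header line
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name.strip(), {"also": []}) if kind == "conn" else None
        elif cur is not None:
            key, _, val = line.strip().partition("=")
            if key == "also":
                cur["also"].append(val.strip())
            else:
                cur.setdefault(key, val.strip())       # first definition wins
    return conns

def effective(conns, name, seen=()):
    """Own keys win, then also= targets in order, then %default fills the rest."""
    if name in seen:
        raise ValueError("also= loop through %s" % name)
    merged = {k: v for k, v in conns[name].items() if k != "also"}
    defaults = ["%default"] if name != "%default" and "%default" in conns else []
    for target in conns[name]["also"] + defaults:
        for k, v in effective(conns, target, seen + (name,)).items():
            merged.setdefault(k, v)
    return merged

def pfs_off(conns):
    # Conns whose effective settings disable PFS; expected only for the L2TP conns.
    return sorted(n for n in conns if n != "%default"
                  and effective(conns, n).get("pfs") == "no")
```

Running `pfs_off(parse_conns(SAMPLE_CONF))` lists only roadwarrior-l2tp, which is the intended state: its own pfs=no overrides the pfs=yes it inherits from roadwarrior, while roadwarrior-net keeps PFS.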

