[Openswan Users] help with dhcp
Michael Smith
msmith at cbnco.com
Wed Jul 21 10:14:00 CEST 2004
On Tue, 20 Jul 2004, Jacco de Leeuw wrote:
> Alvaro Reguly wrote:
>
> > Humm, thru Nate Carlson's howto I had the impression I could
> > [assign internal IP addresses to Road Warriors - JdL] without l2tpd.
>
> I'm not sure if it's in Nate's docs, but perhaps it can be achieved
> with some advanced routing tricks. Perhaps someone else can chime in
> on this? I only know that DHCP-over-IPsec and L2TP-over-IPsec will
> support this scenario.
You can set a VPN-routable IP address on a loopback alias on the road
warrior:
ifconfig lo:0 192.168.90.3
In the tunnel definitions, set 192.168.90.3/32 as the subnet of the
client, so you would have
# same on client and server
conn client
        rightsubnet=192.168.90.3/32
        rightid="..."
        auto=start
        also=clients-common

# on clients only
conn clients-common
        left=ip.of.central.site
        leftid="..."
        leftsubnet=192.168.1.0/24
        right=%defaultroute
        rightcert=/etc/x509cert.der

# on server only
conn clients-common
        left=ip.of.central.site
        leftnexthop=gw.of.central.site
        leftid="..."
        leftsubnet=192.168.1.0/24
        leftcert=/etc/x509cert.der
        right=%any
        rekey=no
To make the configuration a little easier you can specify the rightsubnet
in the tunnel and derive the lo:0 address from that:
vpnaddr=`grep '^[^#]*rightsubnet=.*/32' /etc/ipsec.d/*.tun |
         sed 's,^.*=\(.*\)/.*$,\1,'`
ifconfig lo:0 $vpnaddr netmask 255.255.255.255 || exit 1
Now for this to work you need to tell every client application on the VPN
client to bind to the address on lo:0. If that's too much work, you can
use `ip' to change the source address for the route added by pluto. I
hacked up my _updown script for the special case where rightsubnet has a
/32:
--- utils/_updown 27 Feb 2004 18:04:21 -0000 1.1.1.1
+++ utils/_updown 6 Jul 2004 16:42:25 -0000 1.2
@@ -53,7 +53,25 @@
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great
care.
uproute() {
- doroute add
+
+ # set up
+ # a loopback alias with an IP on the VPN network, and use
+ # rightsubnet=thatip/32.
+ # Set the source address properly for any packets destined to the
+ # other end:
+ if [ "$PLUTO_MY_CLIENT" = "$PLUTO_MY_CLIENT_NET/32" ] &&
+ ifconfig | grep -q "\<$PLUTO_MY_CLIENT_NET\>"
+ then
+ echo "$0: enabling routing trickery for " \
+ "$PLUTO_MY_CLIENT_NET." 1>&2
+ ip route add $PLUTO_PEER_CLIENT via $PLUTO_NEXT_HOP \
+ dev $PLUTO_INTERFACE src $PLUTO_MY_CLIENT_NET
+
+ # We don't have to do anything special for downroute.
+ # The same "route del" command will work.
+ else
+ doroute add
+ fi
}
downroute() {
doroute del
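Review bot: the new test `ifconfig | grep -q "\<$PLUTO_MY_CLIENT_NET\>"` in uproute() drops an IP address into a regular expression unescaped, so every dot matches any character and `\<`/`\>` are GNU grep extensions rather than portable syntax; escape the dots first (`sed 's/\./\\./g'`) or check the address on the interface directly, e.g. `ip addr show dev lo | grep -q "inet $PLUTO_MY_CLIENT_NET/32"`. Two smaller points in the same hunk: the `ip route add ... src $PLUTO_MY_CLIENT_NET` line has no status check, so a failed insert (for instance because the route already exists) is silently ignored where the replaced `doroute add` path would at least return its exit code, so append `|| return 1`; and the comment "The same \"route del\" command will work" for downroute states the cleanup assumption without anything in the hunk showing that `doroute del` removes a route added with `ip route add`, so either add the matching `ip route del` branch to downroute() or note in the comment that this was verified.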
Mike
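As an added example, not code from Mike's message or from Openswan itself, here is a POSIX sh script that ties the two fragments above together: it derives the road warrior's VPN address from a rightsubnet=.../32 line, validates that what it pulled out of the config is actually a dotted-quad before handing it to ifconfig and ip, and prints the lo:0 alias plus the "src" route that the _updown hack installs. The .tun file contents, conn name, addresses, next hop and interface are constructed sample data, and the commands are printed rather than executed so they can be reviewed and then piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan. Derives the
# road warrior's VPN address from a rightsubnet=.../32 line, validates it,
# and prints the lo:0 alias and "src" route commands from the post.
# File name, conn, addresses, next hop and interface are constructed data.

# Print the first rightsubnet=A.B.C.D/32 value found in the given ipsec.conf
# fragments. Comment lines are skipped; spaces around "=" are tolerated.
vpn_addr_from_conf() {
    sed -n 's|^[[:space:]]*rightsubnet[[:space:]]*=[[:space:]]*\([0-9.]*\)/32[[:space:]]*$|\1|p' "$@" |
        head -n 1
}

# Accept only four dotted decimal octets in 0..255. Anything else, including
# shell metacharacters that reached us via a config file, is rejected.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the commands for one road warrior:
#   $1 its /32 VPN address         $2 central-site subnet (PLUTO_PEER_CLIENT)
#   $3 next hop (PLUTO_NEXT_HOP)   $4 interface (PLUTO_INTERFACE)
# They are printed, not executed, so they can be reviewed and run as root.
route_cmds() {
    is_ipv4 "$1" || { echo "route_cmds: refusing bad address '$1'" 1>&2; return 1; }
    printf 'ifconfig lo:0 %s netmask 255.255.255.255\n' "$1"
    printf 'ip route add %s via %s dev %s src %s\n' "$2" "$3" "$4" "$1"
}

# --- demonstration on a constructed .tun file -------------------------------
sample_tun=${TMPDIR:-/tmp}/vpn-example.$$.tun
cat > "$sample_tun" <<'EOF'
# same on client and server (constructed sample)
conn client
        rightsubnet=192.168.90.3/32
        rightid="C=CA, O=Example, CN=roadwarrior"
        auto=start
        also=clients-common
EOF

vpnaddr=$(vpn_addr_from_conf "$sample_tun")
rm -f "$sample_tun"
if [ -n "$vpnaddr" ]; then
    # Sample peer subnet, next hop and interface in place of pluto's variables.
    route_cmds "$vpnaddr" 192.168.1.0/24 10.0.0.1 eth0
else
    echo "no rightsubnet=.../32 found" 1>&2
fi
```

The validation step is the part the original one-liner lacks: the address is read from a file and then interpolated into root-run commands, so the script refuses anything that is not four octets in range instead of passing it through.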