[Openswan Users] dhcp over ipsec

Radu Brumariu radu at cs.kent.edu
Fri May 14 14:33:17 CEST 2004


Hello,

    I am setting up a VPN gateway and I am trying to assign the connecting clients an IP from the internal net (which is a public IP range) out of a DHCP address pool.
I have set up the dhcpd server to listen on lo and dhcrelay to relay from ipsec0 to lo. I can see the DHCPDISCOVER and DHCPOFFER packets, but no DHCPREQUEST / DHCPACK packets follow.

    The DHCP server is allocating IPs in the range 131.123.35.155-160 / 255.255.255.0

    I am using SSH Sentinel 1.3.2, openswan 2.1.2.rc3 and certificates.
    One more thing: if I do not request a DHCP address, I can create the tunnel.

Here is my ipsec.conf

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $

# This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help: 
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples   


# Syntax version of this file (the openswan 2.x parser expects "2.0").
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Attach IPsec to whichever interface carries the default route.
        interfaces=%defaultroute
        # A new IKE SA presenting an ID that is already active replaces the
        # old SA for that ID instead of coexisting with it.
        uniqueids=yes
        # Fail closed: peers are refused when no CRL is loaded for their CA,
        # so a missing or stale CRL will break certificate authentication.
        strictcrlpolicy=yes
        # Address space a vhost:%priv peer may claim as its virtual IP.
        # NOTE(review): this admits only 192.168.0.0/16, while the DHCP pool
        # described in the mail is 131.123.35.155-160 -- confirm whether the
        # assigned address must fall inside virtual_private for the
        # vhost:%priv conns below to match.
        virtual_private=%v4:192.168.0.0/16
        #nat_traversal=yes

conn %default
        # Give up after three IKE attempts instead of retrying indefinitely.
        keyingtries=3
        # Peers authenticate with RSA signatures; the peer key is taken from
        # its X.509 certificate (rightrsasigkey=%cert below).
        authby=rsasig
        keyexchange=ike
        # Phase 1 (IKE) SA lifetime 4h, phase 2 (IPsec) SA lifetime 1h.
        ikelifetime=240m
        keylife=60m
        # Perfect forward secrecy for phase 2 by default; note that conn dhcp
        # and conn roadwarrior override this with pfs=no.
        pfs=yes
        compress=no
        # Keep KLIPS's tunnel-exit check on decapsulated packets enabled.
        disablearrivalcheck=no
        left=%defaultroute
        leftcert=ipsec_gateway.pem
        # Accept any peer address; identity comes from the certificate.
        right=%any
        rightrsasigkey=%cert
        # Defaults are inert; each conn sets its own auto=.
        auto=ignore

# Add connections here.

# DHCP incoming connections
conn dhcp
        type=tunnel
        # Same peer DN as conn test and conn roadwarrior below.
        # NOTE(review): three conns share one rightid, so the conn that
        # comes up is chosen by the remaining selectors (protoport, subnet);
        # confirm the intended one is selected for the DHCP exchange.
        rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
        right=%any
        # Deliberately short-lived: this tunnel exists only for the DHCP
        # exchange and is never renewed (presumably the client then brings up
        # a full tunnel with the address it was given -- confirm).
        rekey=no
        keylife=2m
        rekeymargin=30s
        leftsubnet=0.0.0.0/0
        # The client's claimed address must lie within virtual_private.
        rightsubnet=vhost:%priv
        # Restrict the tunnel to DHCP traffic only:
        # server side UDP/67 (bootps) <-> client side UDP/68 (bootpc).
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc
        pfs=no
        auto=add
#
# From lab - VPN connection
conn test
        type=tunnel
        rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
        # The gateway offers the whole address space as its side of the
        # tunnel, i.e. clients send all their traffic through it.
        leftsubnet=0.0.0.0/0
        leftupdown=/usr/local/lib/ipsec/_updown_x509
        # The peer may propose any subnet or single address inside this range.
        rightsubnetwithin=131.123.35.0/24
        auto=add

# RoadWarrior VPN connection
conn roadwarrior
        type=tunnel
        # Identical rightid to conn dhcp and conn test (see the note there).
        rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
        leftsubnet=0.0.0.0/0
        # NOTE(review): pluto supplies the verb to the updown script itself;
        # hard-coding "up-client" here differs from conn test and may shift the
        # arguments the script sees -- confirm against _updown_x509.
        leftupdown="/usr/local/lib/ipsec/_updown_x509 up-client"
        # Both a virtual-IP selector (bounded by virtual_private) and an
        # in-range selector are given; which one the client is expected to
        # match is not stated -- verify against the client proposal.
        rightsubnet=vhost:%priv
        rightsubnetwithin=131.123.35.0/24
        pfs=no
        auto=add

# disabling OE connections
# The opportunistic-encryption policy-group conns are loaded by default
# (see the header note above); auto=ignore keeps them from being used.
conn packetdefault
        auto=ignore
conn block
        auto=ignore
conn clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore


Thanks,

Radu

