[Openswan Users] dhcp over ipsec

John A. Sullivan III john.sullivan at nexusmgmt.com
Tue May 18 14:28:44 CEST 2004


It could be that I'm just not getting it as I haven't had the time to
think it through fully but isn't the 131.123.35.0/24 network on the
public side of the VPN gateway? Normally, one tunnels through the public
side to the network on the private side.

Let's say you have a gateway with a public address of 131.123.35.3 and a
private side address of 192.168.100.1 and a private network
192.168.100.0/24, you would normally set left=131.123.35.3 and
leftsubnet=192.168.100.0/24.

I've never tried granting DHCP-over-IPSec addresses that lived on the
public side of the gateway - John

On Tue, 2004-05-18 at 13:08, Radu Brumariu wrote:
> Hi,
> 
> I have tried from my computer from home, and I get this error in the logs :
> 
>  cannot respond to IPsec SA request because no connection is known for
> 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
> CN=ipsec.cs.kent.edu, E=radu at cs.kent.edu]:17/0...24.223.166.109[C=US,
> ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu,
> E=radu at cs.kent.edu]:17/0===131.123.35.157/32
> 
> Am I specifying the wrong subnet ? I have rightsubnetwitin=131.123.35.0/24
> 131.123.35.157 is surely in 131.123.35.0/24 ... isn't it ?
> 
> In this scenario, the RW has a 192.162.1.x ip, and is successfully pulling a
> dhcp address, however, the real IPSec connection is not initialized ...
> 
> Thanks,
> Radu
> 
> ----- Original Message ----- 
> From: "John A. Sullivan III" <john.sullivan at nexusmgmt.com>
> To: "Radu Brumariu" <radu at cs.kent.edu>
> Cc: <users at lists.openswan.org>
> Sent: Tuesday, May 18, 2004 10:43 AM
> Subject: Re: [Openswan Users] dhcp over ipsec
> 
> 
> > Assuming that you have some other network on the other side of your
> > gateway, you could try something like:
> >
> > ( RW w/ routable IP - e.g. 131.123.35.179 ... ) ---------------
> > 131.123.35.3(VPN GW)192.168.100.1  ---------- (DHCP srv giving
> > 192.168.100.155-159 -
> >
> >
> > On Tue, 2004-05-18 at 06:36, Radu Brumariu wrote:
> > > Well, I just wanted to test it out from the perspective of a machine
> > > with a regular IP.
> > > I will try it from an outside network ... see what that does. I used
> > > that IP since, it's easy for me to test having the machines easily
> > > accessible ...Anyhow, I will try that and let you know how that goes.
> > >
> > > Thanks,
> > > Radu
> > >
> > > >>
> > > >>There may be something really easy that I am doing wrong, but please advise.
> > > >>
> > > >>
> > > ><snip>
> > > >Now I really am confused :-)
> > > >So you are having the DHCP server assign addresses that are on the same
> > > >network as the originating address and you are trying to establish a
> > > >tunnel through a routing gateway but to communicate on the same subnet?
> > > >
> > > >If so, that sounds like trouble from a fundamental routing perspective.
> > > >
> > > >Where does the 192.168.1.100 fit into the picture?
> > > >
> > > >
> > -- 
> > John A. Sullivan III
> > Chief Technology Officer
> > Nexus Management
> > +1 207-985-7880
> > john.sullivan at nexusmgmt.com
> >
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
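
Added example (not part of the original thread and not Openswan code): a small Python helper that splits the "no connection is known for" line quoted above into its two ends and compares them with a conn definition. The names parse_request, mismatches and CONN are hypothetical, CONN reuses the example values from the reply plus the rightsubnetwithin value from the quoted message, and the matching rule (exact match on the gateway side, containment for rightsubnetwithin) is a simplified assumption about how pluto selects a connection.

```python
import ipaddress
import re

# One end of the request as pluto prints it: host[ID]:proto/port
_END = r"(?P<{p}host>[\d.]+)\[(?P<{p}id>[^\]]*)\]:(?P<{p}proto>\d+)/(?P<{p}port>\d+)"
_REQ = re.compile(
    r"no connection is known for\s+(?:(?P<lclient>[\d./]+)===)?"
    + _END.format(p="l") + r"\.\.\." + _END.format(p="r")
    + r"(?:===(?P<rclient>[\d./]+))?")

# Log line from the message above, re-joined from its wrapped form.
PAGE_LINE = (
    "cannot respond to IPsec SA request because no connection is known for "
    "0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, "
    "CN=ipsec.cs.kent.edu, E=radu at cs.kent.edu]:17/0...24.223.166.109[C=US, "
    "ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, "
    "E=radu at cs.kent.edu]:17/0===131.123.35.157/32"
)
# Hypothetical conn: left/leftsubnet from the reply, rightsubnetwithin from the quote.
CONN = {"left": "131.123.35.3", "leftsubnet": "192.168.100.0/24",
        "rightsubnetwithin": "131.123.35.0/24"}

def parse_request(line):
    """Extract both ends of the rejected request from a pluto log line."""
    m = _REQ.search(" ".join(line.split()))  # undo mail/log line wrapping
    if not m:
        raise ValueError("not a 'no connection is known' line")
    g, net = m.groupdict(), ipaddress.ip_network
    return {"local_host": g["lhost"], "remote_host": g["rhost"],
            "proto": int(g["lproto"]), "port": int(g["lport"]),
            # Assumption: an end printed without "===" is the host itself.
            "local_client": net(g["lclient"] or g["lhost"] + "/32"),
            "remote_client": net(g["rclient"] or g["rhost"] + "/32")}

def mismatches(req, conn):
    """List why conn cannot serve req; an empty list means the selectors fit."""
    net, why = ipaddress.ip_network, []
    if req["local_host"] != conn["left"]:
        why.append(f"request is for {req['local_host']}, conn has left={conn['left']}")
    leftsubnet = net(conn.get("leftsubnet", conn["left"] + "/32"))
    if req["local_client"] != leftsubnet:  # simplified: exact match required
        why.append(f"peer proposed {req['local_client']} behind the gateway, "
                   f"conn has leftsubnet={leftsubnet}")
    within = net(conn["rightsubnetwithin"])
    if not req["remote_client"].subnet_of(within):
        why.append(f"{req['remote_client']} is outside rightsubnetwithin={within}")
    return why

if __name__ == "__main__":
    print("\n".join(mismatches(parse_request(PAGE_LINE), CONN)))
```

With these values the only mismatch reported is on the gateway side: 131.123.35.157/32 does fall inside 131.123.35.0/24, but the peer proposed 0.0.0.0/0 behind the gateway.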