<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>DHCPv4 Configuration of IPsec Tunnel Mode HOWTO: Introduction</TITLE>
<LINK HREF="ipsec-dhcp-howto-2.html" REL=next>
<LINK HREF="ipsec-dhcp-howto.html#toc1" REL=contents>
</HEAD>
<BODY>
<A HREF="ipsec-dhcp-howto-2.html">Next</A>
Previous
<A HREF="ipsec-dhcp-howto.html#toc1">Contents</A>
<HR>
<H2><A NAME="s1">1. Introduction</A></H2>
<P>
<!-- (root)!introduction -->
In many remote access scenarios, a mechanism for making the remote host appear to be present on the local corporate network is quite useful. This may be accomplished by assigning the host a "virtual" address from the corporate network, and then tunneling traffic via IPsec from the host's ISP-assigned address to the corporate security gateway. In IPv4, the Dynamic Host Configuration Protocol (DHCP) provides for such a remote host configuration. The Internet-Draft &lt;draft-ietf-ipsec-dhcp-13.txt&gt; explores the requirements for host configuration in IPsec tunnel mode, and describes how DHCPv4 may be leveraged for configuration. This HOWTO describes the needed modifications of the FreeS/WAN IPsec configuration as well as of the further parts involved, e.g. the DHCP-Relay and the DHCP-Server.
<P>The latest version of this document can be found at <A HREF="http://www.strongsec.com/freeswan/dhcprelay/">http://www.strongsec.com/freeswan/dhcprelay/</A>.
<P>
<H2><A NAME="overview"></A> <A NAME="ss1.1">1.1 Scenario Overview</A></H2>
<P>The configuration examples in the following sections are based on the following scenario:
<BLOCKQUOTE><CODE>
<PRE>
                                 Example LAN (192.168.0.0/23)
+---------------+                              |
|  Roadwarrior  |           +------------+     |     +----------------+
|               |           | Security   |     |     |  DHCP-Server   |
|  +-------+    |-----------| Gateway    |     |-----|                |
|  |Virtual|<==============>| and        |-----|     | (192.168.0.10) |
|  | Host  |    |-----------| DHCP-Relay |     |     +----------------+
|  +-------+    |   IPSec-  +------------+     |
+---------------+   Tunnel                     |     +----------------+
                                               |     |  LAN-Clients   |
                                               |-----|      and       |
                                               |     |  LAN-Servers   |
                                               |     +----------------+
                                               |
                                              ...
</PRE>
</CODE></BLOCKQUOTE>
<UL>
<LI>Roadwarrior
<UL>
<LI>Gets its <EM>real IP</EM> address - which is used for Internet connectivity - from the DHCP-Server of the ISP. This happens independently of the mechanisms described in this HOWTO.</LI>
<LI>Gets its <EM>virtual IP</EM> (VIP) - which is used to access the <EM>Example LAN</EM> through the IPSec tunnel - from the DHCP-Server of the <EM>Example LAN</EM>.</LI>
</UL>
</LI>
<LI>Security Gateway and DHCP-Relay
<UL>
<LI>FreeS/WAN with applied X.509 patch (&gt;= 0.9.14).</LI>
<LI>DHCP-Relay, forwarding from <CODE>ipsec0</CODE> to the DHCP-Server over <CODE>eth1</CODE>.</LI>
</UL>
</LI>
<LI>DHCP-Server
<UL>
<LI>DHCP-Server from the Internet Software Consortium (ISC), issuing leases to the LAN-Clients as well as to the VPN-Clients.</LI>
<LI>The address pool for the LAN-Clients is taken from the 192.168.0.0/24 subnet, the pool for the VPN-Clients from the 192.168.1.0/24 subnet.</LI>
</UL>
</LI>
</UL>
<P>
<H2><A NAME="ss1.2">1.2 Copyright</A></H2>
<P>Copyright 2002 by Mario Strasser. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
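<P>The following Python script is an added illustration of the scenario in section 1.1 above; it is not part of this HOWTO, the FreeS/WAN DHCP-Relay, or the ISC server. It shows why the two address pools end up serving the right clients: a DHCPDISCOVER that comes out of the tunnel on <CODE>ipsec0</CODE> has an empty <CODE>giaddr</CODE>, the relay fills in its own address and bumps the <CODE>hops</CODE> counter before unicasting the packet to the server over <CODE>eth1</CODE>, and the server selects the subnet containing <CODE>giaddr</CODE>. Requests from LAN-Clients reach the server directly, so the server falls back to the subnet of its receiving interface. The relay address 192.168.1.1, the client MAC, and the transaction id are constructed assumptions; the pool and server addresses are those of the scenario.

```python
"""Added example (not from the HOWTO): DHCP-Relay giaddr handling and
server-side pool selection for the roadwarrior scenario."""
import ipaddress
import struct

# Values taken from the HOWTO's scenario overview
EXAMPLE_LAN = ipaddress.ip_network("192.168.0.0/23")
DHCP_SERVER = ipaddress.ip_address("192.168.0.10")
POOLS = {
    "LAN-Clients": ipaddress.ip_network("192.168.0.0/24"),
    "VPN-Clients": ipaddress.ip_network("192.168.1.0/24"),
}
# Assumption, not from the HOWTO: the relay identifies itself to the server
# with an address inside the VPN pool, so that pool is selected for the VIP.
RELAY_GIADDR = ipaddress.ip_address("192.168.1.1")
MAX_HOPS = 16   # RFC 1542 section 4.1.1: relays discard requests whose hops exceed 16

# Fixed 236-byte BOOTP header shared by all DHCP messages (RFC 2131 section 2)
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
DHCP_MAGIC = b"\x63\x82\x53\x63"
OFF_HOPS, OFF_GIADDR = 3, 24


def build_discover(xid, chaddr):
    """Constructed DHCPDISCOVER as the Virtual Host sends it through the tunnel
    (BOOTREQUEST, Ethernet hardware type, broadcast flag set, giaddr = 0.0.0.0)."""
    header = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC + bytes([53, 1, 1]) + b"\xff"   # option 53 = DHCPDISCOVER, then END
    return header + options


def parse_header(pkt):
    """Decode the fields of the fixed header that relay and server act on."""
    f = struct.unpack(BOOTP_HDR, pkt[:236])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": ipaddress.ip_address(f[10]), "chaddr": f[11][:f[2]]}


def relay_forward(pkt):
    """What the DHCP-Relay does with a request picked up on ipsec0.
    Returns the packet to unicast to DHCP_SERVER over eth1, or None to drop it."""
    hdr = parse_header(pkt)
    if hdr["op"] != 1 or hdr["hops"] > MAX_HOPS:   # only BOOTREQUESTs, and no runaway loops
        return None
    out = bytearray(pkt)
    out[OFF_HOPS] = hdr["hops"] + 1
    if int(hdr["giaddr"]) == 0:                     # RFC 1542: only the first relay fills giaddr
        out[OFF_GIADDR:OFF_GIADDR + 4] = RELAY_GIADDR.packed
    return bytes(out)


def select_pool(pkt, receiving_iface_addr=DHCP_SERVER):
    """Server-side subnet selection: by giaddr if set, else by the receiving interface."""
    hdr = parse_header(pkt)
    key = hdr["giaddr"] if int(hdr["giaddr"]) != 0 else receiving_iface_addr
    for name, net in POOLS.items():
        if key in net:
            return name
    return None


def scenario_is_consistent():
    """Both pools must lie inside the Example LAN and must not overlap."""
    lan, vpn = POOLS["LAN-Clients"], POOLS["VPN-Clients"]
    return lan.subnet_of(EXAMPLE_LAN) and vpn.subnet_of(EXAMPLE_LAN) and not lan.overlaps(vpn)


if __name__ == "__main__":
    disc = build_discover(0x3903F326, bytes.fromhex("001122334455"))   # constructed client
    print("received directly on eth1 ->", select_pool(disc))           # LAN-Clients
    print("received via ipsec0 relay  ->", select_pool(relay_forward(disc)))   # VPN-Clients
```

<P>The point worth keeping in mind for the following sections is that the pool a roadwarrior lands in is decided entirely by the <CODE>giaddr</CODE> the relay writes, so the relay's address on the VPN side and the server's subnet declarations have to agree.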
<P>
<H2><A NAME="ss1.3">1.3 Disclaimer</A></H2>
<P>Use the information in this document at your own risk. I disavow any potential liability for the contents of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.
<P>All copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.
<P>Naming of particular products or brands should not be seen as endorsements.
<P>You are strongly advised to take a backup of your system before any major installation, and to take backups at regular intervals.
<P>
<H2><A NAME="ss1.4">1.4 Credits</A></H2>
<P>I would like to thank Dr. Andreas Steffen for proofreading and giving me support with the configuration files.
<P>
<HR>
<A HREF="ipsec-dhcp-howto-2.html">Next</A>
Previous
<A HREF="ipsec-dhcp-howto.html#toc1">Contents</A>
</BODY>
</HTML>