<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>DHCPv4 Configuration of IPsec Tunnel Mode HOWTO: FreeS/WAN with X.509 Patch</TITLE>
 <LINK HREF="ipsec-dhcp-howto-3.html" REL=next>
 <LINK HREF="ipsec-dhcp-howto-1.html" REL=previous>
 <LINK HREF="ipsec-dhcp-howto.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="ipsec-dhcp-howto-3.html">Next</A>
<A HREF="ipsec-dhcp-howto-1.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc2">Contents</A>
<HR>
<H2><A NAME="s2">2. FreeS/WAN with X.509 Patch</A></H2>

<H2><A NAME="ss2.1">2.1 Installation</A>
</H2>

<P>If not already done, download the latest
<A HREF="http://www.freeswan.org/">FreeS/WAN release</A> 
(<EM>>= 1.98b</EM>) and its dedicated  
<A HREF="http://www.strongsec.com/freeswan/">X.509 patch</A>
(<EM>>= 0.9.14</EM>). To apply and install the patch,
follow the instructions given in the
<A HREF="http://www.strongsec.com/freeswan/install.htm">X.509 Patch Installation and Configuration Guide</A>.
<H2><A NAME="ss2.2">2.2 Configuration</A>
</H2>

<P>In addition to the usual data tunnels, a separate DHCP tunnel
has to be configured to transport the initial DHCP traffic between the
client and the gateway. This tunnel is only needed to negotiate
the DHCP parameters and should therefore be set up short-lived. Further,
access should be restricted to protocol <EM>udp</EM> and to the ports
<EM>bootps (67)</EM> on the gateway side and <EM>bootpc (68)</EM> on the
client side; without this port restriction, <EM>leftsubnet=0.0.0.0/0</EM>
would turn the bootstrap tunnel into a tunnel for arbitrary traffic.
A sample configuration which should work in most cases is given below
(the gateway is assumed to be <EM>on the left</EM>):
<HR>
<PRE>
conn dhcp
        # bootstrap tunnel: let the SA expire instead of renewing it
        rekey=no
        keylife=30s
        rekeymargin=15s
        # any gateway-side address, but only DHCP server/client traffic
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc
</PRE>
<HR>

Some clients do not use this connection to renew their DHCP lease, but
use the normal data tunnel instead. If so, you have to allow the
client to send its whole traffic through the gateway (leftsubnet=0.0.0.0/0),
as the renewal of a DHCP lease has to be done by broadcast under some
circumstances (for example when the client rebinds after its unicast
renewal request went unanswered)! SSH Sentinel 1.3.X is known to be such
a client. As this is only an internal feature of the client, the client's
configuration must still be set to the correct subnet address, not to
0.0.0.0/0!
<HR>
<PRE>
conn roadwarrior
        # normal client: only the internal /23 is reachable through the tunnel
        leftsubnet=192.168.0.0/23
        rightsubnetwithin=192.168.1.0/24

conn roadwarrior-sentinel
        # SSH Sentinel 1.3.x renews its lease through the data tunnel,
        # so all of its traffic has to be accepted by the gateway
        leftsubnet=0.0.0.0/0
        rightsubnetwithin=192.168.1.0/24
</PRE>
<HR>

The whole configuration file, including some general FreeS/WAN options,
can be found in 
<A HREF="ipsec-dhcp-howto-6.html#ipsec_conf">Section 6.1</A>.  
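<P>The following is an added example and not part of this HOWTO or of
FreeS/WAN: a small Python lint that parses <EM>conn</EM> sections in the
ipsec.conf format and checks the two points made in Section 2.2, namely that
the DHCP tunnel is short-lived (<EM>rekey=no</EM>, a small <EM>keylife</EM>,
<EM>rekeymargin</EM> below <EM>keylife</EM>) and restricted to
<EM>udp/bootps</EM> on the gateway and <EM>udp/bootpc</EM> on the client,
and that any data tunnel with <EM>leftsubnet=0.0.0.0/0</EM> but no protoport
limit (the SSH Sentinel case) is reported for review. The function names, the
300 second "short-lived" threshold and the <EM>dhcp-bad</EM> sample section
are this example's own assumptions; the other sample sections are the fragments
shown above, and the values used for a missing <EM>keylife</EM> or
<EM>rekeymargin</EM> are FreeS/WAN's documented defaults of 8h and 9m.

```python
"""Lint FreeS/WAN-style ipsec.conf 'conn' sections for the DHCP-over-IPsec setup.

Added example, not code from the HOWTO or from FreeS/WAN.  Names, the
SHORT_LIVED threshold and the 'dhcp-bad' sample section are assumptions made
for this example; the other sample sections are the HOWTO's own fragments.
"""
import re

# FreeS/WAN duration suffixes; a bare number is taken as seconds (assumption)
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# service names used by the HOWTO, mapped to UDP port numbers
DHCP_PORTS = {"bootps": 67, "bootpc": 68}
# FreeS/WAN defaults from ipsec.conf(5), used when a conn does not set the key
DEFAULT_KEYLIFE, DEFAULT_REKEYMARGIN = "8h", "9m"
# an SA lifetime above this is not "short-lived" for a bootstrap tunnel (assumption)
SHORT_LIVED = 300


def parse_conns(text):
    """Parse 'conn NAME' sections with indented key=value lines into a dict."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        head = re.match(r"^conn\s+(\S+)\s*$", line)
        if head:
            current = conns.setdefault(head.group(1), {})
        elif not line[0].isspace():
            current = None                         # e.g. 'config setup': ignored
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def seconds(value):
    """Convert a duration such as '30s', '15m' or '1h' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def port_of(protoport):
    """Return (proto, port) for 'udp/bootps' or 'udp/67', or None if unset."""
    if not protoport or "/" not in protoport:
        return None
    proto, port = protoport.split("/", 1)
    port = DHCP_PORTS.get(port, port)               # service name -> number
    if isinstance(port, str) and port.isdigit():
        port = int(port)
    return proto.lower(), port


def check_dhcp_conn(conn):
    """Findings for the short-lived DHCP bootstrap tunnel (gateway on the left)."""
    findings = []
    if port_of(conn.get("leftprotoport")) != ("udp", 67):
        findings.append("leftprotoport must be udp/bootps (gateway side, port 67)")
    if port_of(conn.get("rightprotoport")) != ("udp", 68):
        findings.append("rightprotoport must be udp/bootpc (client side, port 68)")
    if conn.get("rekey", "yes") != "no":           # FreeS/WAN default is rekey=yes
        findings.append("rekey=no expected: the DHCP tunnel should expire, not renew")
    life = seconds(conn.get("keylife", DEFAULT_KEYLIFE))
    margin = seconds(conn.get("rekeymargin", DEFAULT_REKEYMARGIN))
    if life > SHORT_LIVED:
        findings.append("keylife of %ds is not short-lived" % life)
    if margin >= life:
        findings.append("rekeymargin (%ds) must be below keylife (%ds)" % (margin, life))
    return findings


def check_data_conn(conn):
    """Findings for a data tunnel: a catch-all subnet without a port limit."""
    if conn.get("leftsubnet") == "0.0.0.0/0" and not conn.get("leftprotoport"):
        return ["leftsubnet=0.0.0.0/0 without protoport sends the client's whole "
                "traffic through the gateway; only for clients that renew DHCP "
                "leases over the data tunnel (e.g. SSH Sentinel 1.3.x)"]
    return []


def lint(text):
    """Return {conn name: [findings]} for every conn in an ipsec.conf fragment."""
    report = {}
    for name, conn in parse_conns(text).items():
        ports = {port_of(conn.get(k)) for k in ("leftprotoport", "rightprotoport")}
        if ports & {("udp", 67), ("udp", 68)}:     # any DHCP port -> bootstrap tunnel
            report[name] = check_dhcp_conn(conn)
        else:
            report[name] = check_data_conn(conn)
    return report


# The three conn sections from this HOWTO plus one constructed, misconfigured
# DHCP tunnel (dhcp-bad) so that the lint has something to report.
SAMPLE = """\
conn dhcp
        rekey=no
        keylife=30s
        rekeymargin=15s
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc
conn roadwarrior
        leftsubnet=192.168.0.0/23
        rightsubnetwithin=192.168.1.0/24
conn roadwarrior-sentinel
        leftsubnet=0.0.0.0/0
        rightsubnetwithin=192.168.1.0/24
conn dhcp-bad
        keylife=1h
        rekeymargin=9m
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
"""

if __name__ == "__main__":
    for name, findings in lint(SAMPLE).items():
        print("%-22s %s" % (name, "ok" if not findings else ""))
        for finding in findings:
            print("    - " + finding)
```

<P>Run it against the complete ipsec.conf from Section 6.1 rather than the
fragments: a conn that names a DHCP port in either protoport is checked as the
bootstrap tunnel, everything else as a data tunnel, and the Sentinel conn is
reported as a finding to be reviewed, not as an error, since the text above
requires it for that client.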
<P>
<HR>
<A HREF="ipsec-dhcp-howto-3.html">Next</A>
<A HREF="ipsec-dhcp-howto-1.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc2">Contents</A>
</BODY>
</HTML>