<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>DHCPv4 Configuration of IPsec Tunnel Mode HOWTO: DHCP-Relay</TITLE>
<LINK HREF="ipsec-dhcp-howto-5.html" REL=next>
<LINK HREF="ipsec-dhcp-howto-3.html" REL=previous>
<LINK HREF="ipsec-dhcp-howto.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="ipsec-dhcp-howto-5.html">Next</A>
<A HREF="ipsec-dhcp-howto-3.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4. DHCP-Relay</A></H2>
<H2><A NAME="ss4.1">4.1 Installation</A></H2>
<P>Download the source archive from <A HREF="http://www.strongsec.com/freeswan/dhcprelay/">http://www.strongsec.com/freeswan/dhcprelay/</A>, then unpack, configure, compile and install it:
<HR>
<PRE>
bash# tar -xvzf dhcprelay-X.Y.tar.gz
bash# cd dhcprelay-X.Y
bash# ./configure
bash# make
bash# make install
</PRE>
<HR>
In case of trouble, the relay can be compiled in debugging mode by passing the <CODE>--enable-debug</CODE> argument to configure:
<HR>
<PRE>
bash# ./configure --enable-debug
bash# make
bash# make install
</PRE>
<HR>
The DHCP-Relay can be started, stopped, restarted and observed using the <CODE>/etc/init.d/dhcprelay</CODE> startup script, as shown in the following example:
<HR>
<PRE>
bash# /etc/init.d/dhcprelay start
Starting dhcprelay                      done
bash# /etc/init.d/dhcprelay status
Checking for service dhcprelay:         running
bash# /etc/init.d/dhcprelay stop
Shutting down dhcprelay                 done
</PRE>
<HR>
To make the relay start automatically at boot, register the service with the <CODE>insserv</CODE> or <CODE>chkconfig</CODE> tool:
<HR>
<PRE>
bash# cd /etc/init.d/
bash# insserv dhcprelay
</PRE>
<HR>
Be aware of the fact that FreeS/WAN <EM>must</EM> already be running when you start the relay; consequently, if you restart the FreeS/WAN service, the DHCP-Relay <EM>must</EM> be restarted, too!
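<P>Before starting the relay it is worth sanity-checking the configuration file it will read (the settings are explained in the next section). The following POSIX shell script is an added example and not part of the dhcprelay distribution; the function names <CODE>conf_get</CODE> and <CODE>check_dhcprelay_conf</CODE> are its own, and it assumes the <CODE>KEY="value"</CODE> settings <CODE>LOGFILE</CODE>, <CODE>DEVICES</CODE>, <CODE>SERVERDEVICE</CODE> and <CODE>DHCPSERVER</CODE> together with FreeS/WAN's <CODE>ipsecN</CODE> device naming.
<HR>
<PRE>
```sh
#!/bin/sh
# Added example, not part of the dhcprelay distribution: sanity-check a
# dhcprelay.conf before starting the relay. Assumes the KEY="value" settings
# LOGFILE, DEVICES, SERVERDEVICE, DHCPSERVER and FreeS/WAN ipsecN device names.
# Print the value of KEY="value" (or KEY=value) from a config file.
conf_get() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2- | tr -d '"'
}
# Validate a dhcprelay.conf: returns 0 if every check passes, 1 otherwise,
# reporting each failed check on stderr.
check_dhcprelay_conf() {
    file=$1; rc=0
    logfile=$(conf_get "$file" LOGFILE)
    devices=$(conf_get "$file" DEVICES)
    serverdev=$(conf_get "$file" SERVERDEVICE)
    server=$(conf_get "$file" DHCPSERVER)
    [ -n "$logfile" ] || { echo "LOGFILE is not set" >&2; rc=1; }
    [ -n "$serverdev" ] || { echo "SERVERDEVICE is not set" >&2; rc=1; }
    # DEVICES: comma separated ipsecN devices, no spaces, no duplicates.
    case "$devices" in
        "")    echo "DEVICES is empty" >&2; rc=1 ;;
        *" "*) echo "DEVICES contains a space: '$devices'" >&2; rc=1 ;;
    esac
    seen=,; old_ifs=$IFS; IFS=,
    for dev in $devices; do
        case "$dev" in
            ipsec[0-9]*) ;;
            *) echo "DEVICES entry '$dev' is not an ipsec device" >&2; rc=1 ;;
        esac
        case "$seen" in
            *",$dev,"*) echo "DEVICES lists '$dev' twice" >&2; rc=1 ;;
        esac
        seen="$seen$dev,"
    done
    IFS=$old_ifs
    # DHCPSERVER: empty means broadcast forwarding; otherwise only host name
    # or dotted-quad characters are allowed (a check on the form only).
    case "$server" in
        "") echo "note: DHCPSERVER is empty, requests will be broadcast" >&2 ;;
        *[!A-Za-z0-9.-]*) echo "DHCPSERVER '$server' is not a host name or address" >&2; rc=1 ;;
    esac
    return $rc
}
# Constructed sample matching the HOWTO scenario: one ipsec device, known server.
sample=$(mktemp)
printf '%s\n' 'LOGFILE="/var/log/dhcprelay.log"' 'DEVICES="ipsec0"' \
    'SERVERDEVICE="eth1"' 'DHCPSERVER="192.168.0.10"' > "$sample"
check_dhcprelay_conf "$sample" && echo "dhcprelay.conf OK"
rm -f "$sample"
```
</PRE>
<HR>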
<P>
<H2><A NAME="ss4.2">4.2 Configuration</A></H2>
<P>The DHCP-Relay configuration file (<CODE>/usr/local/etc/dhcprelay.conf</CODE>) contains four items:
<UL>
<LI><CODE>LOGFILE</CODE> sets the path to the log file of the relay.</LI>
<LI><CODE>DEVICES</CODE> is a comma separated list of the ipsec devices the relay should listen on; it must contain no spaces!</LI>
<LI><CODE>SERVERDEVICE</CODE> is the device over which the DHCP-Server can be reached.</LI>
<LI><CODE>DHCPSERVER</CODE> defines the host name or the IP address of the responsible DHCP-Server. If no server is given, the packets are forwarded by broadcast.</LI>
</UL>
The following example is for one ipsec device and a known DHCP-Server, according to the <A HREF="ipsec-dhcp-howto-1.html#overview">overview scenario</A>.
<HR>
<PRE>
# DHCP-Relay configuration file

# Logfile
LOGFILE="/var/log/dhcprelay.log"

# IPSec devices (comma separated list including NO spaces)
DEVICES="ipsec0"

# The device over which the DHCP-Server can be reached
SERVERDEVICE="eth1"

# Hostname or IP Address of the DHCP-Server
DHCPSERVER="192.168.0.10"
</PRE>
<HR>
<P>
<H2><A NAME="ss4.3">4.3 Running the DHCP-Server and the DHCP-Relay on the same Host</A></H2>
<P>Since release 0.3.1 of the DHCP-Relay this can easily be done by binding both the relay and the server to the loopback device. Therefore, set
<HR>
<PRE>
SERVERDEVICE="lo"
</PRE>
<HR>
in the DHCP-Relay configuration file and add <CODE>lo</CODE> to the list of target devices when starting the DHCP-Server. For example:
<HR>
<PRE>
bash# dhcpd lo eth1
</PRE>
<HR>
Furthermore, the DHCP-Server must be able to reply to requests coming in over the <CODE>lo</CODE> device which do not originate from the loopback subnet (127.0.0.0/8). For the ISC DHCP-Server the <CODE>subnet</CODE> declarations must therefore be embedded into a <CODE>shared-network</CODE> statement:
<HR>
<PRE>
...
shared-network vpn-networks {
    ...
    subnet 127.0.0.0 netmask 255.0.0.0 {
    }
    subnet 192.168.0.0 netmask 255.255.255.0 {
        ...
    }
    subnet 192.168.1.0 netmask 255.255.255.0 {
        ...
    }
    ...
}
</PRE>
<HR>
See <A HREF="ipsec-dhcp-howto-6.html#dhcpd_conf_2">Section 6.3</A> for a complete configuration file.
<P>
<HR>
<A HREF="ipsec-dhcp-howto-5.html">Next</A>
<A HREF="ipsec-dhcp-howto-3.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc4">Contents</A>
</BODY>
</HTML>