<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>DHCPv4 Configuration of IPsec Tunnel Mode HOWTO: Example Configuration Files</TITLE>
 <LINK HREF="ipsec-dhcp-howto-5.html" REL=previous>
 <LINK HREF="ipsec-dhcp-howto.html#toc6" REL=contents>
</HEAD>
<BODY>
Next
<A HREF="ipsec-dhcp-howto-5.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc6">Contents</A>
<HR>
<H2><A NAME="s6">6. Example Configuration Files</A></H2>

<H2><A NAME="ipsec_conf"></A> <A NAME="ss6.1">6.1 ipsec.conf </A>
</H2>

<P>
<HR>
<PRE>
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
#
# Gateway side of the IPsec/DHCP setup described in this HOWTO: road
# warriors authenticate with X.509 certificates, fetch an inner address over
# a short-lived DHCP-only tunnel ("conn dhcp"), then bring up the data
# tunnel ("conn roadwarrior" or "conn roadwarrior-sentinel").

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug output off for both the kernel part (KLIPS) and the IKE
        # daemon (pluto).
        klipsdebug=none
        plutodebug=none
        # %search: load/start each connection according to its own auto=
        # setting (see auto=add in conn %default below).
        plutoload=%search
        plutostart=%search
        # One set of SAs per peer ID: a reconnecting client replaces its
        # stale SAs instead of accumulating duplicates.
        uniqueids=yes
        # Directory for pluto core dumps. Keep it root-only; a dump may
        # contain key material.
        dumpdir=/root

conn %default
        # Stop after three negotiation attempts instead of retrying forever.
        keyingtries=3
        # IKE SA lifetime and IPsec SA lifetime inherited by every conn
        # unless overridden (conn dhcp below overrides keylife).
        ikelifetime=3h
        keylife=1h
        # Keep the check that decrypted packets belong to the tunnel they
        # arrived on.
        disablearrivalcheck=no
        # --- RSA authentication using certificates
        authby=rsasig
        # --- left: this server
        left=%defaultroute
        # NOTE(review): this ID uses company.net while the dhcpd.conf
        # examples use example.net - confirm which domain is intended.
        leftid=@gw.company.net
        leftcert=gwCert.der
        # Script run when a tunnel comes up or goes down (X.509 variant).
        leftupdown=/usr/local/lib/ipsec/updown.x509
        # --- right: roadwarrior
        # Any peer address is accepted and the peer's public key is taken
        # from the certificate it presents, so the CA certificate(s) pluto
        # trusts (configured outside this file) decide who may connect.
        right=%any
        rightrsasigkey=%cert
        # --- preferred encryption algorithms
        # AES-128 offered first, 3DES as fallback. 3DES is a legacy cipher;
        # drop it once all clients support AES.
        esp=aes128,3des
        # --- load connections automatically at startup
        auto=add

# Short-lived tunnel carrying only DHCP traffic: the road warrior uses it
# to obtain its inner address before the data tunnel is established.
conn dhcp
        # No rekeying and a 30s lifetime: the SA is presumably meant to
        # expire once the lease exchange is done - confirm against the
        # client-side chapter.
        rekey=no
        keylife=30s
        rekeymargin=15s
        # Any address on our side, but only UDP bootps (server port) /
        # bootpc (client port), so nothing except DHCP crosses this SA.
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc

# Data tunnel giving access to the LAN only.
conn roadwarrior
        # 192.168.0.0/23 is the /23 served by dhcpd.conf (section 6.2).
        leftsubnet=192.168.0.0/23
        # The client's inner address must lie within 192.168.1.0/24, i.e.
        # the "vpn clients" pool 192.168.1.50-254 of dhcpd.conf.
        rightsubnetwithin=192.168.1.0/24

# Alternative data tunnel for clients whose entire traffic (0.0.0.0/0)
# should pass through the gateway.
conn roadwarrior-sentinel
        leftsubnet=0.0.0.0/0
        rightsubnetwithin=192.168.1.0/24
</PRE>
<HR>
<P>
<H2><A NAME="dhcpd_conf"></A> <A NAME="ss6.2">6.2 dhcpd.conf </A>
</H2>

<P>
<HR>
<PRE>
# common server options
# No dynamic DNS updates from this server.
ddns-update-style none;

# vpn client class
# Clients are classified by the relay-agent circuit-id (DHCP option 82)
# inserted by the DHCP relay; "ipsec0" matches DEVICES="ipsec0" in
# dhcprelay.conf (section 6.4).
# NOTE(review): membership rests entirely on the circuit-id as it reaches
# the server. Make sure only the relay, not a LAN client, can present
# relay-agent options, otherwise a LAN host could end up in the VPN pool
# - confirm how the relay treats client-supplied option 82.
class "vpn-clients" {
  match if option agent.circuit-id = "ipsec0";
}

# example net
# One /23 (192.168.0.0 - 192.168.1.255), matching leftsubnet=192.168.0.0/23
# in ipsec.conf; LAN and VPN clients are kept apart by the two pools below.
subnet 192.168.0.0 netmask 255.255.254.0 {

  # Options handed to every client of this subnet. The hostnames are
  # presumably resolved when dhcpd reads its configuration, so name
  # resolution must work before the server starts - confirm.
  option domain-name "example.net";
  option domain-name-servers ns1.example.net, ns2.example.net;
  option routers gw.example.net;
  option netbios-name-servers ads.example.net;

  # lan clients
  # Everything NOT classified as a VPN client: lower half of the /23.
  pool {
    deny members of "vpn-clients";
    range 192.168.0.50 192.168.0.254;
    default-lease-time 7200;
    max-lease-time 14400;
  }

  # vpn clients
  # VPN clients only: upper half of the /23, inside the
  # rightsubnetwithin=192.168.1.0/24 selector of ipsec.conf. Leases are
  # half as long as for LAN clients (presumably so addresses of
  # disconnected road warriors are reusable sooner).
  pool {
    allow members of "vpn-clients";
    range 192.168.1.50 192.168.1.254;
    default-lease-time 3600;
    max-lease-time 7200;
  }

}
</PRE>
<HR>
<P>
<H2><A NAME="dhcpd_conf_2"></A> <A NAME="ss6.3">6.3 dhcpd.conf - DHCP-Server and Relay on the same host</A>
</H2>

<P>
<HR>
<PRE>
# common server options
# No dynamic DNS updates from this server.
ddns-update-style none;

# vpn client class
# Same classification as in section 6.2: the relay-agent circuit-id
# (DHCP option 82) set by the relay; "ipsec0" matches DEVICES="ipsec0" in
# dhcprelay.conf. NOTE(review): ensure only the relay can supply
# relay-agent options, or a LAN host could claim VPN membership - confirm.
class "vpn-clients" {
  match if option agent.circuit-id = "ipsec0";
}

# example net
# Variant for the case where dhcpd and the relay run on the same host:
# the two client ranges are separate /24 subnets in one shared network
# (ipsec.conf's leftsubnet=192.168.0.0/23 still covers both).
shared-network vpn-networks {

  # Options handed to every client. Hostnames are presumably resolved when
  # dhcpd reads its configuration - confirm name resolution is available
  # at startup.
  option domain-name "example.net";
  option domain-name-servers ns1.example.net, ns2.example.net;
  option routers gw.example.net;
  option netbios-name-servers ads.example.net;

  # local
  # Empty loopback subnet; presumably needed so dhcpd accepts requests the
  # co-located relay forwards via 127.0.0.0/8 - confirm.
  subnet 127.0.0.0 netmask 255.0.0.0 { }

  # lan clients
  # Everything NOT classified as a VPN client. The subnet mask is given
  # explicitly so clients receive /24, not the shared network's extent.
  subnet 192.168.0.0 netmask 255.255.255.0 {
    deny members of "vpn-clients";
    range 192.168.0.50 192.168.0.254;
    default-lease-time 7200;
    max-lease-time 14400;
    option subnet-mask 255.255.255.0;
  }

  # vpn clients
  # VPN clients only, inside the rightsubnetwithin=192.168.1.0/24 selector
  # of ipsec.conf; leases are half as long as for LAN clients.
  subnet 192.168.1.0 netmask 255.255.255.0 {
    allow members of "vpn-clients";
    range 192.168.1.50 192.168.1.254;
    default-lease-time 3600;
    max-lease-time 7200;
    option subnet-mask 255.255.255.0;
  }

}
</PRE>
<HR>
<P>
<H2><A NAME="dhcprelay_conf"></A> <A NAME="ss6.4">6.4 dhcprelay.conf </A>
</H2>

<P>
<HR>
<PRE>
# DHCP-Relay configuration file
# Shell-style KEY="value" assignments for the relay that sits between the
# IPsec interface(s) and the DHCP server.

# Logfile
# Records relayed requests (client hardware addresses and offered leases);
# keep it readable by root only.
LOGFILE="/var/log/dhcprelay.log"

# IPSec devices (comma separated list including NO spaces)
# Presumably the device name is what the relay reports as
# agent.circuit-id, so it must match the class "vpn-clients" rule in
# dhcpd.conf ("ipsec0") - confirm.
DEVICES="ipsec0"

# The device over which the DHCP-Server can be reached
SERVERDEVICE="eth1" 

# Hostname or IP Address of the DHCP-Server
# 192.168.0.10 lies below the LAN pool (192.168.0.50-254) of dhcpd.conf,
# so it cannot collide with a dynamically assigned lease.
DHCPSERVER="192.168.0.10"
</PRE>
<HR>
<P>
<HR>
Next
<A HREF="ipsec-dhcp-howto-5.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc6">Contents</A>
</BODY>
</HTML>