From: Jussi Torhonen (jt_at_ssh.com)
Date: Wed Aug 21 2002 - 12:03:31 CEST
Jason A. Pattie wrote:
>
> Has anyone actually gotten SSHSentinel to work by having it request a
> DHCP over IPSec IP address?
Yes, we have. Using FreeSWAN 1.98b, x509patch-0.9.14, dhcprelay 0.3 and
even the Delete SA Notification patch (notify_delete-freeswan-1.98b-aes),
DHCP over IPSec works beautifully. FreeSWAN is running on a Red Hat Linux
6.2 box with kernel 2.2.20. The DHCP server used by dhcprelay is a Red Hat
Linux 7.2 box running dhcp-2.0pl5-8.
Reading all the documentation and examples of those patches gives you a
good start for a working FreeSWAN setup.
Here's the config used (note PSK auth):
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        authby=rsasig
        right=%any
        rightrsasigkey=%cert
        #
        # public ip for FreeSWAN SGW is:
        left=172.16.13.2
        leftnexthop=172.16.13.254
        #
        auto=add

conn dhcp
        type=tunnel
        authby=secret
        rekey=no
        keylife=20s
        rekeymargin=10s
        right=%any
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc
        # we want to use AES Rijndael encryption:
        auth=esp
        esp=aes128-md5
        ike=aes128-md5

conn roadwarrior-sentinel
        type=tunnel
        authby=secret
        right=%any
        leftsubnet=0.0.0.0/0
        #
        # our internal DHCP server distributes Virtual IP's
        # for SSH Sentinel clients from this subnet:
        rightsubnetwithin=10.10.10.0/24
        #
        # we want to use AES Rijndael encryption:
        auth=esp
        esp=aes128-md5
        ike=aes128-md5
The DHCP relay is launched as:
        /usr/local/sbin/dhcprelay ipsec0 eth1 10.2.1.41 \
                >> /var/log/dhcprelay.log &
The internal DHCP server is running at 10.2.1.41, and its dhcpd.conf is
configured as:
# Dummy empty scope to get dhcpd running:
subnet 10.2.1.41 netmask 255.255.255.255 {
}

shared-network DhcpOverIPSec {
        # Private interface of FreeSWAN is 10.2.1.14:
        subnet 10.2.1.14 netmask 255.255.255.255 {
        }
        subnet 10.10.10.0 netmask 255.255.255.0 {
                range 10.10.10.100 10.10.10.199;
                option subnet-mask 255.255.255.0;
                option domain-name "my.private.namespace";
                option domain-name-servers 10.2.1.1, 10.2.1.2;
                option time-offset 2;                   # Eastern Europe Time
                option ntp-servers 10.2.1.1;
                option netbios-name-servers 10.2.1.3, 10.2.1.4;
                # option netbios-node-type 8;           # H-node
                option netbios-node-type 2;             # P-node
                default-lease-time 21600;               # 6 hours
                max-lease-time 43200;                   # 12 hours
        }
}
DHCP ports 67-68/udp of this DHCP server are rejected by iptables
firewall rules by default. Only the source address 10.2.1.14 (the FreeSWAN
host) is able to contact this DHCP server. This is done because I don't
want this DHCP server to act as the default DHCP server for subnet
10.2.1.0/24.
If you want to use your existing private DHCP server to distribute
Virtual IP addresses for SSH Sentinel clients via dhcprelay, that is
possible too.
Be sure to route that DHCP over IPSec virtual IP subnet to the private
interface of your FreeSWAN gateway. If this is not done, you can ping only
that private interface through the VPN tunnel, and not any other hosts on
the target private LAN.
Looking forward to getting the new NAT-T patch that is compatible with
the current patch set. Then it will look even better.
Best regards,
Jussi
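The two prose requirements in the message above (lock 67-68/udp on the DHCP server down to the FreeSWAN gateway's private address, and route the virtual-IP pool back to that gateway) as a small shell script. This is an added example, not code from the original post or from the FreeSWAN or dhcprelay projects. The addresses are the ones in the post; the DHCP server's LAN interface name (eth0) and the IPTABLES/IP override variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeSWAN/dhcprelay
# projects). Two jobs:
#   1. on the DHCP server (10.2.1.41): accept 67-68/udp only from the
#      FreeSWAN gateway's private address (10.2.1.14), reject the rest, so
#      dhcpd never answers ordinary broadcasts on 10.2.1.0/24;
#   2. on the LAN router (or each LAN host): route the virtual-IP pool
#      10.10.10.0/24 to 10.2.1.14, so replies to Sentinel clients reach the
#      tunnel instead of the default route.
# Assumptions: the DHCP server's LAN interface is eth0; set IPTABLES=echo
# and/or IP=echo to dry-run and just see the commands.
set -eu

IPTABLES="${IPTABLES:-iptables}"
IP="${IP:-ip}"

FREESWAN_PRIV=10.2.1.14     # private interface of the FreeSWAN gateway
DHCP_IFACE=eth0             # LAN interface of the DHCP server (assumed)
VIRTUAL_SUBNET=10.10.10.0/24

# DHCP-server side. Order matters: the ACCEPT for the gateway must come
# before the catch-all REJECT, so both are appended in that order. The
# relay on the gateway talks to dhcpd by unicast from 10.2.1.14, so this is
# the only source that needs to get through; the relay then carries the
# reply back out over ipsec0 itself.
restrict_dhcp_to_gateway() {
    gw="$1"
    iface="$2"
    "$IPTABLES" -A INPUT -i "$iface" -p udp -s "$gw" --dport 67:68 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$iface" -p udp --dport 67:68 -j REJECT
}

# Router/host side. Without this, 10.10.10.x is only reachable from the
# gateway itself, which is why only its private interface answers pings.
route_virtual_subnet() {
    subnet="$1"
    gw="$2"
    "$IP" route add "$subnet" via "$gw"
}

# Usage:  sh this.sh server   (on the DHCP server)
#         sh this.sh router   (on the LAN router / hosts)
case "${1:-}" in
    server) restrict_dhcp_to_gateway "$FREESWAN_PRIV" "$DHCP_IFACE" ;;
    router) route_virtual_subnet "$VIRTUAL_SUBNET" "$FREESWAN_PRIV" ;;
esac
```

Run with `IPTABLES=echo IP=echo` first to review the exact rules before applying them; the REJECT rule is what keeps this dhcpd from ever answering a plain broadcast DISCOVER on the 10.2.1.0/24 LAN while still serving the relay.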
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Wed Aug 21 2002 - 17:20:28 CEST