[Users] Sample config for NAT-T + DHCP-over-IPSec - anyone?

From: Jussi Torhonen (jt_at_ssh.com)
Date: Fri Nov 29 2002 - 09:46:09 CET


I'm using FreeS/WAN 1.99, x509patch 0.9.15, algo patch 0.8.0, delete SA
notification patch, dhcprelay 0.3.1 and finally NAT-T patch v0.4. I've
succeeded in getting NAT-T to work with our SSH Sentinel VPN client, when
no virtual IP is used or when Manual virtual IP addressing is used. Just
added 'nat_traversal=yes' under 'config setup'.

But I cannot get it working with DHCP-over-IPSec. I guess someone has
made it here, so would you please quote your ipsec.conf for such a
Roadwarrior gateway supporting AES, DHCP-over-IPSec and NAT-T. I've
tried the following configuration. Note that an internal DHCP server
gives virtual IP addresses from the 10.2.67.0/24 subnet. It's an RW gateway and
the remote private network is 'leftsubnet=0.0.0.0/0' so we may have routed
subnets there as well (I mean not only a single 192.168.1.0/24 subnet).

Without NAT-T my DHCP-over-IPSec works beautifully, so this is not a
dhcprelay nor dhcpd issue.

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

config setup
         interfaces=%defaultroute
         klipsdebug=none
         plutodebug=none
         plutoload=%search
         uniqueids=yes
         # enable nat-t support:
         nat_traversal=yes

conn %default
         keyingtries=1
         disablearrivalcheck=no
         authby=secret
         keyexchange=ike
         ikelifetime=240m
         keylife=60m
         pfs=yes
         compress=no
         left=%defaultroute
         auto=add

conn dhcp
         type=tunnel
         rekey=no
         ikelifetime=60s
         keylife=20s
         rekeymargin=10s
         right=%any
         leftsubnet=0.0.0.0/0
         leftprotoport=udp/bootps
         rightprotoport=udp/bootpc
         auth=esp
         esp=aes128-md5
         ike=aes128-md5

conn rw-psk-3des-doi
         type=tunnel
         authby=secret
         right=%any
         auth=esp
         esp=aes128-md5
         ike=aes128-md5
         # remote network for sentinel vpn rule:
         leftsubnet=0.0.0.0/0
         # virtual ip address scope for sentinel remote clients:
         rightsubnetwithin=10.2.67.0/24

# end of /etc/ipsec.conf

Regards,
Jussi

--
SSH Communications Security Corp, http://www.ssh.com
SSH Sentinel VPN Client, http://www.ipsec.com
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
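When comparing an ipsec.conf like the one above with someone else's, it helps to see each conn's effective parameters, i.e. what it inherits from 'conn %default' and what it overrides. The following Python script is an added example (not code from the poster, FreeS/WAN, or SSH); it parses the posted configuration using the ipsec.conf rules that section headers start in column 0, parameter lines are indented key=value pairs, '#' starts a comment, and 'conn %default' supplies defaults for every other conn. The embedded SAMPLE_IPSEC_CONF is a trimmed excerpt of the config in the post, and the rekeymargin check is a sanity heuristic of this example, not a FreeS/WAN rule.

```python
import re

# Trimmed excerpt of the ipsec.conf posted above (constructed test input).
SAMPLE_IPSEC_CONF = """\
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
config setup
         interfaces=%defaultroute
         # enable nat-t support:
         nat_traversal=yes

conn %default
         authby=secret
         ikelifetime=240m
         keylife=60m
         pfs=yes
         left=%defaultroute
         auto=add

conn dhcp
         type=tunnel
         rekey=no
         ikelifetime=60s
         keylife=20s
         rekeymargin=10s
         right=%any
         leftsubnet=0.0.0.0/0
         leftprotoport=udp/bootps
         rightprotoport=udp/bootpc
         esp=aes128-md5
         ike=aes128-md5

conn rw-psk-3des-doi
         type=tunnel
         right=%any
         esp=aes128-md5
         ike=aes128-md5
         leftsubnet=0.0.0.0/0
         rightsubnetwithin=10.2.67.0/24
"""

_DURATION = re.compile(r"^(\d+)([smhd]?)$")
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value):
    """Convert a FreeS/WAN time value such as '240m' or '20s' to seconds."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"not a time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {(kind, name): {param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()   # drop comments / blanks
        if not stripped:
            continue
        if not raw[0].isspace():                  # column 0: section header
            kind, _, name = stripped.partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {raw!r}")
        key, sep, value = stripped.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def conn_names(sections):
    return [name for kind, name in sections if kind == "conn"]


def effective_conn(sections, name):
    """Parameters of conn NAME with 'conn %default' applied as the base."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections[("conn", name)])
    return merged


def nat_traversal_enabled(sections):
    """True when 'config setup' carries nat_traversal=yes."""
    return sections.get(("config", "setup"), {}).get("nat_traversal") == "yes"


def check_rekeymargin(sections):
    """Heuristic: rekeymargin must leave room before keylife, else rekeying is due at once."""
    problems = []
    for name in conn_names(sections):
        if name == "%default":
            continue
        conn = effective_conn(sections, name)
        keylife, margin = conn.get("keylife"), conn.get("rekeymargin")
        if keylife and margin and to_seconds(margin) >= to_seconds(keylife):
            problems.append((name, f"rekeymargin {margin} not below keylife {keylife}"))
    return problems


if __name__ == "__main__":
    cfg = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    print("nat_traversal:", nat_traversal_enabled(cfg))
    for n in conn_names(cfg):
        print(n, effective_conn(cfg, n))
    print("problems:", check_rekeymargin(cfg))
```

Running it shows, for instance, that the dhcp conn overrides keylife to 20s while rw-psk-3des-doi keeps the 60m keylife, pfs=yes and authby=secret it inherits from %default, which is the kind of per-conn view that makes two posted configs directly comparable.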


This archive was generated by hypermail 2.1.5 : Tue Dec 03 2002 - 05:21:02 CET