[Users] DHCP-OVER-IPSec HELP PLEASE ( ROAD WARRIOR VPN )

From: Denning, Donald (Donald.Denning_at_hp.com)
Date: Tue Jan 14 2003 - 18:45:10 CET


I am at my wits' end. I am sure I am missing something so obvious I feel
afraid to ask.

I have the following configuration. All addresses are for example only. A
wireless client gets its IP address for the public net from a DHCP
SERVER on the PUBLIC side (192.58.206.n). I create an IPSEC SA to the
Gateway that straddles the public and private (16.11.0.n) networks. I
then want the road-warrior client to obtain a private IP address
(16.11.99.n) from the DHCP server that runs on the gateway machine
(which also runs DHCPRELAY).

I can get the tunnel up just fine and ping the Gateway, but I can't get
the dynamic IP address for the private side on the road warrior. I never
see any requests go out on the physical wire.

Is there something I have to do on the client to get it to make the 2nd
DHCP request for the IPSECn adapter?

The DHCP pool for the dynamic addresses for the IPSEC clients is
16.11.99.n/24.

Both machines are running
Linux 2.4.18
Ipsec 1.99 w/DHCPRELAY 0.3.1, X.509patch-0.9.15

              Road Warrior
(192.58.206.n (from DHCP SERVER-1 on NET X))
               +
                   + (PUBLIC)
               +
               +
                  eth1 (192.58.206.60 (static))
           IPSEC GW - Running DHCP Server for subnet 16.11.99.1/24 and
DHCPRELAY 0.3.1
              eth0 (16.11.0.63 (static))
               +(PRIVATE)
               +
          INTERNAL NET 16.11.0.1/24

Here is the ipsec.conf file for the SERVER (LEFT IS GATEWAY/RIGHT IS RW)
The only difference in the files is that on the road-warrior the
interface is ipsec0=eth0.

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        dumpdir=/root

# defaults for subsequent connection descriptions
# (these defaults will soon go away)

conn %default
        keyingtries=3
        ikelifetime=3h
        keylife=1h
        disablearrivalcheck=no
        authby=rsasig
        left=192.58.206.60
        leftcert=svpnCert.pem
        right=%any
        rightrsasigkey=%cert

#include ipsec.svpn.conf
#left is gateway
#right is road Warrior

conn dhcp
        type=tunnel
        rekey=no
        rekeymargin=300s
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc
        auto=add

conn road-warrior
        leftsubnet=16.11.0.0/8
        rightsubnetwithin=16.11.99.1/24
        auto=add

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
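An added sanity check for the posted configuration (example code written for this archive page; it is not from the original poster and not part of FreeS/WAN or DHCPRELAY): it parses an ipsec.conf with `conn %default` inheritance, confirms the DHCP conn carries the udp/bootps and udp/bootpc protoports the DHCP-over-IPsec setup relies on, and checks that the 16.11.99.0/24 pool named in the post lies inside `rightsubnetwithin`. The function names and the trimmed sample config are assumptions made for the example; a subnet written with host bits set (16.11.99.1/24 instead of 16.11.99.0/24) is reported so it can be looked at, not asserted to be the cause of the problem.

```python
import ipaddress
# Constructed sample: the gateway-side ipsec.conf from the post, cut down to the conns read here.
SAMPLE_CONF = """\
conn %default
        authby=rsasig
        left=192.58.206.60
        right=%any
conn dhcp
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc
        auto=add
conn road-warrior
        leftsubnet=16.11.0.0/8
        rightsubnetwithin=16.11.99.1/24
        auto=add
"""

def parse_ipsec_conf(text):
    """Return {'conn X': {key: value}}; every conn inherits from conn %default."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # an unindented line opens a section
            kind, name = line.split(None, 1)
            current = sections.setdefault(f"{kind} {name}", {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    defaults = sections.get("conn %default", {})
    return {name: ({**defaults, **body} if name.startswith("conn ") else body)
            for name, body in sections.items()}

def check_dhcp_over_ipsec(sections, dhcp_conn, rw_conn, pool):
    """List findings about the DHCP-over-IPsec prerequisites in a parsed config."""
    problems, dhcp = [], sections.get(f"conn {dhcp_conn}", {})
    if (dhcp.get("leftprotoport"), dhcp.get("rightprotoport")) != ("udp/bootps", "udp/bootpc"):
        problems.append(f"{dhcp_conn}: needs leftprotoport=udp/bootps and rightprotoport=udp/bootpc")
    rw = sections.get(f"conn {rw_conn}", {})
    for key in ("leftsubnet", "rightsubnetwithin"):      # both expect a network address
        value = rw.get(key)
        if value and str(ipaddress.ip_network(value, strict=False)) != value:
            problems.append(f"{rw_conn}: {key}={value} has host bits set (network is "
                            f"{ipaddress.ip_network(value, strict=False)})")
    within = rw.get("rightsubnetwithin")
    if not within or not ipaddress.ip_network(pool).subnet_of(ipaddress.ip_network(within, strict=False)):
        problems.append(f"{rw_conn}: DHCP pool {pool} must lie inside rightsubnetwithin (got {within})")
    return problems
```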



This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:40 CET