<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>DHCPv4 Configuration of IPsec Tunnel Mode HOWTO: FreeS/WAN with X.509 Patch</TITLE>
<LINK HREF="ipsec-dhcp-howto-3.html" REL=next>
<LINK HREF="ipsec-dhcp-howto-1.html" REL=previous>
<LINK HREF="ipsec-dhcp-howto.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="ipsec-dhcp-howto-3.html">Next</A>
<A HREF="ipsec-dhcp-howto-1.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc2">Contents</A>
<HR>
<H2><A NAME="s2">2. FreeS/WAN with X.509 Patch</A></H2>

<H2><A NAME="ss2.1">2.1 Installation</A>
</H2>

<P>If not already done, download the latest
<A HREF="http://www.freeswan.org/">FreeS/WAN release</A> (<EM>&gt;= 1.98b</EM>)
and its dedicated <A HREF="http://www.strongsec.com/freeswan/">X.509 patch</A>
(<EM>&gt;= 0.9.14</EM>). To apply and install the patch, follow the instructions
in the <A HREF="http://www.strongsec.com/freeswan/install.htm">X.509 Patch
Installation and Configuration Guide</A>.

<H2><A NAME="ss2.2">2.2 Configuration</A>
</H2>

<P>In addition to the usual data tunnels, a separate DHCP tunnel has to be
configured to carry the initial DHCP traffic between the client and the
gateway. This tunnel is only needed while the DHCP parameters are negotiated,
so it should be short-lived: a short <EM>keylife</EM> and <EM>rekey=no</EM>,
so that it expires after the lease exchange instead of being renewed. Because
the DHCP exchange is addressed to the broadcast address rather than to a fixed
internal subnet, the gateway side of this tunnel has to be
<EM>leftsubnet=0.0.0.0/0</EM>; such a wide selector must therefore be
restricted to protocol <EM>udp</EM> and to port <EM>bootps (67)</EM> on the
gateway side and <EM>bootpc (68)</EM> on the client side, otherwise the client
could send arbitrary traffic through the gateway over it. A sample
configuration which should work in most cases is given below (the gateway is
assumed to be <EM>on the left</EM>):
<HR>
<PRE>
conn dhcp
    rekey=no
    keylife=30s
    rekeymargin=15s
    leftsubnet=0.0.0.0/0
    leftprotoport=udp/bootps
    rightprotoport=udp/bootpc
</PRE>
<HR>
Some clients do not use this connection to renew their DHCP lease, but use
the normal data tunnel instead.
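<P>As an added example (it is not part of this HOWTO, of FreeS/WAN or of the
X.509 patch), the following Python script reads an ipsec.conf in the layout
used here and reports conns whose policy is wider or longer-lived than the
DHCP exchange needs: a DHCP tunnel lacking <EM>rekey=no</EM>, a short
<EM>keylife</EM> or the <EM>udp/bootpc</EM> restriction on the client side,
and any data tunnel with <EM>leftsubnet=0.0.0.0/0</EM> and no protoport
restriction, since such a tunnel lets the client reach any destination through
the gateway. The embedded configuration is constructed for the example from
the conn blocks on this page; the <EM>conn %default</EM> values, the
<EM>config setup</EM> line and the 60-second <EM>keylife</EM> threshold are
assumptions, not settings from the HOWTO. A second, deliberately weakened copy
of the same file shows what the check reports when the lifetime settings are
dropped.

```python
"""Lint an ipsec.conf for the DHCP-over-IPsec tunnel layout used in this HOWTO.

Added example for this page; it is not FreeS/WAN or X.509-patch code.
It parses conn sections the way ipsec.conf(5) describes them (unindented
'conn <name>' headers, indented key=value lines, '#' comments, and a
'conn %default' whose values fill in parameters a conn does not set) and
flags policies that are wider or longer-lived than the DHCP exchange needs.
"""
import re
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, str]]

# Constructed sample: the conn blocks from this page plus a minimal %default.
# The %default values and 'config setup' are assumptions for the example.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0
    right=%any
    auto=add

conn dhcp
    rekey=no
    keylife=30s
    rekeymargin=15s
    leftsubnet=0.0.0.0/0
    leftprotoport=udp/bootps
    rightprotoport=udp/bootpc

conn roadwarrior
    leftsubnet=192.168.0.0/23
    rightsubnetwithin=192.168.1.0/24

conn roadwarrior-sentinel
    leftsubnet=0.0.0.0/0
    rightsubnetwithin=192.168.1.0/24
"""

# Constructed weak variant: the DHCP tunnel without rekey=no and keylife=30s,
# so it would be rekeyed indefinitely with the 8h default lifetime.
WEAK_CONF = SAMPLE_CONF.replace("    rekey=no\n    keylife=30s\n", "")

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_DHCP_SERVER = {"udp/bootps", "udp/67", "17/67"}   # accepted leftprotoport spellings
_DHCP_CLIENT = {"udp/bootpc", "udp/68", "17/68"}   # accepted rightprotoport spellings


def parse_conns(text: str) -> Sections:
    """Return {conn name: {parameter: value}} with %default values applied."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header line
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:                           # inside 'config setup': skip
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip()] = value.strip()
    # ipsec.conf(5): every conn lacking a parameter gets a copy from %default.
    defaults = sections.pop("%default", {})
    for params in sections.values():
        for key, value in defaults.items():
            params.setdefault(key, value)
    return sections


def lifetime_seconds(value: str) -> int:
    """Convert an ipsec.conf time value ('30s', '15m', '8h', '1d') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def lint(conns: Sections, max_dhcp_keylife: int = 60) -> List[Tuple[str, str]]:
    """Return (conn name, problem) pairs for policies wider than the layout needs."""
    findings = []
    for name, p in conns.items():
        if p.get("leftprotoport") in _DHCP_SERVER:    # this is the DHCP tunnel
            if p.get("rightprotoport") not in _DHCP_CLIENT:
                findings.append((name, "DHCP tunnel must also set rightprotoport=udp/bootpc"))
            if p.get("rekey", "yes") != "no":         # rekey defaults to yes
                findings.append((name, "DHCP tunnel should set rekey=no; it is only needed for the lease exchange"))
            if lifetime_seconds(p.get("keylife", "8h")) > max_dhcp_keylife:   # 8h is the default
                findings.append((name, f"DHCP tunnel keylife exceeds {max_dhcp_keylife}s"))
        elif p.get("leftsubnet") == "0.0.0.0/0":
            findings.append((name, "leftsubnet=0.0.0.0/0 without a protoport restriction: the "
                                   "gateway accepts any destination from this client, so limit "
                                   "what it may reach in the gateway's packet filter"))
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(f"== {label} ==")
        for conn, problem in lint(parse_conns(conf)):
            print(f"{conn}: {problem}")
```

<P>Run it as a script to see both reports; in a deployment the same check can
be run over <EM>/etc/ipsec.conf</EM> before <EM>ipsec setup restart</EM>. The
DHCP tunnel above covers the lease exchange only; as noted before, some
clients renew their lease through the normal data tunnel instead.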
For such clients the gateway has to accept the client's entire traffic
through the data tunnel (<EM>leftsubnet=0.0.0.0/0</EM>), because under some
circumstances the lease renewal is sent by broadcast, which a data tunnel
limited to the internal subnet would not cover. SSH Sentinel 1.3.X is known to
be such a client. Since this wider gateway policy exists only to accommodate
the client's renewal behaviour, the client's own configuration must still be
set to the actual internal subnet, not to 0.0.0.0/0. Note that the gateway
cannot enforce this on its own: with <EM>leftsubnet=0.0.0.0/0</EM> it will
accept whatever destination the client sends to, so the gateway's packet
filter should limit what such clients may reach.
<HR>
<PRE>
conn roadwarrior
    leftsubnet=192.168.0.0/23
    rightsubnetwithin=192.168.1.0/24

conn roadwarrior-sentinel
    leftsubnet=0.0.0.0/0
    rightsubnetwithin=192.168.1.0/24
</PRE>
<HR>
The complete configuration file, including some general FreeS/WAN options,
can be found in <A HREF="ipsec-dhcp-howto-6.html#ipsec_conf">Section 6.1</A>.
<P>
<HR>
<A HREF="ipsec-dhcp-howto-3.html">Next</A>
<A HREF="ipsec-dhcp-howto-1.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc2">Contents</A>
</BODY>
</HTML>