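<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="generator" content="SGML-Tools 1.0.9">
  <title>DHCPv4 Configuration of IPsec Tunnel Mode HOWTO: Example Configuration Files</title>
  <link href="ipsec-dhcp-howto-5.html" rel="prev">
  <link href="ipsec-dhcp-howto.html#toc6" rel="contents">
</head>
<body>
  <!-- This is the last section of the HOWTO, so "Next" has no target and is rendered as plain text. -->
  <nav aria-label="Section navigation">
    <span>Next</span>
    <a href="ipsec-dhcp-howto-5.html">Previous</a>
    <a href="ipsec-dhcp-howto.html#toc6">Contents</a>
  </nav>
  <hr>
  <main>
    <h1 id="s6">6. Example Configuration Files</h1>

    <!-- Both fragment ids (ipsec_conf, ss6.1) are kept so links from the table of contents and other sections still resolve. -->
    <section id="ipsec_conf">
      <h2 id="ss6.1">6.1 ipsec.conf</h2>
      <hr>
      <!-- NOTE(review): esp=aes128,3des keeps 3DES as a fallback proposal, so a peer offering only 3DES will
           presumably still be accepted; confirm this is intended before deploying. right=%any with
           rightrsasigkey=%cert admits any peer whose certificate the gateway trusts, so the installed CA
           certificates decide who counts as a roadwarrior. dumpdir=/root directs core dumps, which may
           contain key material, to a root-only directory; keep that directory root-only. -->
      <pre>
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        dumpdir=/root

conn %default
        keyingtries=3
        ikelifetime=3h
        keylife=1h
        disablearrivalcheck=no
        # --- RSA authentication using certificates
        authby=rsasig
        # --- left: this server
        left=%defaultroute
        leftid=@gw.company.net
        leftcert=gwCert.der
        leftupdown=/usr/local/lib/ipsec/updown.x509
        # --- right: roadwarrior
        right=%any
        rightrsasigkey=%cert
        # --- preferred encryption algorithms
        esp=aes128,3des
        # --- load connections automatically at startup
        auto=add

conn dhcp
        rekey=no
        keylife=30s
        rekeymargin=15s
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc

conn roadwarrior
        leftsubnet=192.168.0.0/23
        rightsubnetwithin=192.168.1.0/24

conn roadwarrior-sentinel
        leftsubnet=0.0.0.0/0
        rightsubnetwithin=192.168.1.0/24
</pre>
      <hr>
    </section>

    <section id="dhcpd_conf">
      <h2 id="ss6.2">6.2 dhcpd.conf</h2>
      <hr>
      <!-- NOTE(review): the "vpn-clients" class (and therefore the allow/deny split between the two pools)
           keys solely on the relay-inserted agent.circuit-id; this is only as trustworthy as the relay
           that inserts it. Confirm that the relay replaces or drops any agent option a client supplies
           itself, and that the LAN pool cannot be reached through the relay. -->
      <pre>
# common server options
ddns-update-style none;

# vpn client class
class "vpn-clients" {
  match if option agent.circuit-id = "ipsec0";
}

# example net
subnet 192.168.0.0 netmask 255.255.254.0 {
  option domain-name "example.net";
  option domain-name-servers ns1.example.net, ns2.example.net;
  option routers gw.example.net;
  option netbios-name-servers ads.example.net;

  # lan clients
  pool {
    deny members of "vpn-clients";
    range 192.168.0.50 192.168.0.254;
    default-lease-time 7200;
    max-lease-time 14400;
  }

  # vpn clients
  pool {
    allow members of "vpn-clients";
    range 192.168.1.50 192.168.1.254;
    default-lease-time 3600;
    max-lease-time 7200;
  }
}
</pre>
      <hr>
    </section>

    <section id="dhcpd_conf_2">
      <h2 id="ss6.3">6.3 dhcpd.conf - DHCP-Server and Relay on the same host</h2>
      <hr>
      <!-- NOTE(review): same circuit-id caveat as in 6.2 applies to the class match here. The empty
           127.0.0.0/8 subnet is presumably present so the server accepts requests relayed from the
           local host; verify against the relay in 6.4. -->
      <pre>
# common server options
ddns-update-style none;

# vpn client class
class "vpn-clients" {
  match if option agent.circuit-id = "ipsec0";
}

# example net
shared-network vpn-networks {
  option domain-name "example.net";
  option domain-name-servers ns1.example.net, ns2.example.net;
  option routers gw.example.net;
  option netbios-name-servers ads.example.net;

  # local
  subnet 127.0.0.0 netmask 255.0.0.0 {
  }

  # lan clients
  subnet 192.168.0.0 netmask 255.255.255.0 {
    deny members of "vpn-clients";
    range 192.168.0.50 192.168.0.254;
    default-lease-time 7200;
    max-lease-time 14400;
    option subnet-mask 255.255.255.0;
  }

  # vpn clients
  subnet 192.168.1.0 netmask 255.255.255.0 {
    allow members of "vpn-clients";
    range 192.168.1.50 192.168.1.254;
    default-lease-time 3600;
    max-lease-time 7200;
    option subnet-mask 255.255.255.0;
  }
}
</pre>
      <hr>
    </section>

    <section id="dhcprelay_conf">
      <h2 id="ss6.4">6.4 dhcprelay.conf</h2>
      <hr>
      <!-- NOTE(review): LOGFILE will record client DHCP exchanges; restrict its permissions like any
           other log that identifies clients. DHCPSERVER is reached over SERVERDEVICE in the clear,
           which is expected here since the server sits on the LAN side of the gateway. -->
      <pre>
# DHCP-Relay configuration file

# Logfile
LOGFILE="/var/log/dhcprelay.log"

# IPSec devices (comma separated list including NO spaces)
DEVICES="ipsec0"

# The device over which the DHCP-Server can be reached
SERVERDEVICE="eth1"

# Hostname or IP Address of the DHCP-Server
DHCPSERVER="192.168.0.10"
</pre>
      <hr>
    </section>
  </main>
  <hr>
  <nav aria-label="Section navigation">
    <span>Next</span>
    <a href="ipsec-dhcp-howto-5.html">Previous</a>
    <a href="ipsec-dhcp-howto.html#toc6">Contents</a>
  </nav>
</body>
</html>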