1. Introduction

In many remote access scenarios, a mechanism for making the remote host appear to be present on the local corporate network is quite useful. This may be accomplished by assigning the host a "virtual" address from the corporate network, and then tunneling traffic via IPsec from the host's ISP-assigned address to the corporate security gateway. In IPv4, the Dynamic Host Configuration Protocol (DHCP) provides for such a remote host configuration. The Internet-Draft <draft-ietf-ipsec-dhcp-13.txt> explores the requirements for host configuration in IPsec tunnel mode, and describes how DHCPv4 may be leveraged for configuration. This HOWTO describes the modifications needed to the FreeS/WAN IPsec configuration, as well as to the other components involved, e.g. the DHCP relay and the DHCP server.

The latest version of this document can be found at http://www.strongsec.com/freeswan/dhcprelay/.

1.1 Scenario Overview

The configuration examples in the following sections are based on the following scenario:

                                        Example LAN
                                      (192.168.0.0/23)
+---------------+                             |
|  Roadwarrior  |           +------------+    |    +----------------+
|               |           | Security   |    |    | DHCP-Server    |
|  +-------+    |-----------| Gateway    |    |----|                |
|  |Virtual|<==============>| and        |----|    | (192.168.0.10) | 
|  | Host  |    |-----------| DHCP-Relay |    |    +----------------+
|  +-------+    |  IPSec-   +------------+    | 
+---------------+  Tunnel                     |    +----------------+
                                              |    | LAN-Clients    |
                                              |----| and            |
                                              |    | LAN-Servers    |
                                              |    +----------------+
                                              |  
                                              |    ...

1.2 Copyright

Copyright 2002 by Mario Strasser. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

1.3 Disclaimer

Use the information in this document at your own risk. I disavow any potential liability for the contents of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

All copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as endorsements.

You are strongly advised to back up your system before any major installation and to make backups at regular intervals.

1.4 Credits

I would like to thank Dr. Andreas Steffen for proofreading and giving me support with the configuration files.
