2. FreeS/WAN with X.509 Patch

2.1 Installation

If not already done, download the latest FreeS/WAN release (>= 1.98b) and its dedicated X.509 patch (>= 0.9.14). To apply and install the patch follow the instructions given in the X.509 Patch Installation and Configuration Guide.

2.2 Configuration

In addition to the usual data tunnels, a separate DHCP tunnel has to be configured to transport the initial DHCP traffic between the client and the gateway. This tunnel is only needed to negotiate the DHCP parameters and should therefore be set up with a short lifetime. Further, access through it should be restricted to protocol udp and ports bootps (67) and bootpc (68), respectively. A sample configuration which should work in most cases is given below (the gateway is assumed to be on the left):


conn dhcp
        rekey=no
        keylife=30s
        rekeymargin=15s
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc

Some clients do not use this connection to renew their DHCP lease, but use the normal data tunnel instead. If so, you have to allow the client to send all of its traffic over the gateway (leftsubnet=0.0.0.0/0), because under some circumstances the renewal of a DHCP lease has to be done by broadcast! SSH Sentinel 1.3.X is known to be such a client. As this is only an internal feature, the client's configuration must be set to the correct subnet address, not to 0.0.0.0/0!

conn roadwarrior
        leftsubnet=192.168.0.0/23
        rightsubnetwithin=192.168.1.0/24

conn roadwarrior-sentinel
        leftsubnet=0.0.0.0/0
        rightsubnetwithin=192.168.1.0/24

The whole configuration file, including some general FreeS/WAN options, can be found in Section 5.1.
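A small check for the constraints this section places on the DHCP tunnel: no rekeying, a keylife of at most a few tens of seconds, and traffic selectors limited to udp/bootps on the gateway and udp/bootpc on the client. This is an added example, not part of the HOWTO or of FreeS/WAN; it parses the ipsec.conf section syntax shown above (a "conn NAME" header at column 0 followed by indented key=value lines) and embeds a constructed sample file containing the conn from this section next to a deliberately loose variant. The 60-second limit is an assumption chosen to match the 30s keylife given above.

```python
"""Check 'conn dhcp' sections of an ipsec.conf against the HOWTO's rules.

Added example (not FreeS/WAN code): parses the ipsec.conf conn syntax and
reports deviations from the short-lived, UDP-only DHCP tunnel described above.
"""
import re

# Constructed sample: the conn from the HOWTO plus a deliberately loose variant.
SAMPLE_CONF = """\
config setup
        interfaces=%defaultroute

conn dhcp
        rekey=no
        keylife=30s
        rekeymargin=15s
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc

conn dhcp-loose
        keylife=8h              # default lifetime, far too long for DHCP only
        leftsubnet=0.0.0.0/0
        leftprotoport=udp       # any UDP port, not just bootps
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    ipsec.conf syntax: section headers start at column 0 ("conn NAME",
    "config setup"); parameters are indented "key=value" lines; '#' starts
    a comment. Non-conn sections are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(' ')
            current = sections.setdefault(name.strip(), {}) if kind == 'conn' else None
            continue
        if current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return sections


def parse_seconds(value):
    """Convert a FreeS/WAN time value ('30s', '15m', '8h', '1d') to seconds."""
    m = re.fullmatch(r'(\d+)([smhd]?)', value)
    if not m:
        raise ValueError('bad time value: %r' % value)
    unit = {'': 1, 's': 1, 'm': 60, 'h': 3600, 'd': 86400}[m.group(2)]
    return int(m.group(1)) * unit


def check_dhcp_conn(params, max_life=60):
    """Return a list of findings; an empty list means the conn matches the HOWTO.

    FreeS/WAN defaults (rekey=yes, keylife=8h) apply when a key is absent, so a
    missing key is treated as the default and flagged where the default is wrong.
    """
    findings = []
    if params.get('rekey', 'yes') != 'no':
        findings.append('rekey should be "no": the tunnel is only for the initial DHCP exchange')
    life = params.get('keylife')
    if life is None or parse_seconds(life) > max_life:
        findings.append('keylife missing or longer than %ds' % max_life)
    if params.get('leftprotoport') != 'udp/bootps':
        findings.append('leftprotoport should be udp/bootps (gateway side, port 67)')
    if params.get('rightprotoport') != 'udp/bootpc':
        findings.append('rightprotoport should be udp/bootpc (client side, port 68)')
    return findings


if __name__ == '__main__':
    for name, params in parse_ipsec_conf(SAMPLE_CONF).items():
        problems = check_dhcp_conn(params)
        print('%s: %s' % (name, 'ok' if not problems else '; '.join(problems)))
```

Run against a real /etc/ipsec.conf by reading the file into parse_ipsec_conf() and passing only the DHCP conn to check_dhcp_conn(); the roadwarrior data tunnels are expected to fail these checks, since they deliberately carry all traffic with normal lifetimes.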
