DHCPv4 Configuration of IPsec Tunnel Mode HOWTO

Mario Strasser, mast@gmx.net

v0.3.1, 27 August 2002

After a short scenario overview, the installation and configuration of all involved parts (FreeS/WAN, DHCP-Relay and DHCP-Server) is explained. To keep things simple, only the needed changes to the IPSec and DHCP configuration are shown. Thus, it is assumed that FreeS/WAN and a DHCP-Server are already appropriately configured. For an installation from scratch the HOWTO includes a number of references to other documents.

______________________________________________________________________

Table of Contents

1. Introduction
   1.1 Scenario Overview
   1.2 Copyright
   1.3 Disclaimer
   1.4 Credits
2. FreeS/WAN with X.509 Patch
   2.1 Installation
   2.2 Configuration
3. DHCP-Server
   3.1 Installation
   3.2 Configuration
4. DHCP-Relay
   4.1 Installation
   4.2 Configuration
   4.3 Running the DHCP-Server and the DHCP-Relay on the same Host
5. Example Configuration Files
   5.1 ipsec.conf
   5.2 dhcpd.conf
   5.3 dhcpd.conf - DHCP-Server and Relay on the same host
   5.4 dhcprelay.conf

______________________________________________________________________

1. Introduction

In many remote access scenarios, a mechanism for making the remote host appear to be present on the local corporate network is quite useful. This may be accomplished by assigning the host a "virtual" address from the corporate network, and then tunneling traffic via IPsec from the host's ISP-assigned address to the corporate security gateway. In IPv4, the Dynamic Host Configuration Protocol (DHCP) provides for such a remote host configuration. The Internet-Draft explores the requirements for host configuration in IPsec tunnel mode, and describes how DHCPv4 may be leveraged for configuration.

This HOWTO describes the needed modifications of the FreeS/WAN IPSec configuration as well as of the further parts involved, e.g. the DHCP-Relay and the DHCP-Server.

The latest version of this document can be found at .

1.1. Scenario Overview

The configuration examples in the following sections are based on the following scenario:

   Roadwarrior                                    Example LAN (192.168.0.0/23)
                                                        |
   +---------+                       +------------+      |   +----------------+
   | Virtual |    IPSec-Tunnel       |  Security  |      |---|  DHCP-Server   |
   |  Host   |<=====================>|  Gateway   |------|   | (192.168.0.10) |
   +---------+                       |    and     |      |   +----------------+
                                     | DHCP-Relay |      |
                                     +------------+      |   +----------------+
                                                        |---|  LAN-Clients   |
                                                        |   |      and       |
                                                        |   |  LAN-Servers   |
                                                        |   +----------------+
                                                        |
                                                       ...

o Roadwarrior

   o Gets its real IP address - which is used for Internet connectivity - from the DHCP-Server of the ISP. This happens independently of the mechanisms described in this HOWTO.

   o Gets its virtual IP (VIP) - which is used to access the Example LAN through the IPSec tunnel - from the DHCP-Server of the Example LAN.

o Security Gateway and DHCP-Relay

   o FreeS/WAN with applied X.509 patch (>= 0.9.14).

   o DHCP-Relay, forwarding from ipsec0 to the DHCP-Server over eth1.

o DHCP-Server

   o DHCP-Server from the Internet Software Consortium (ISC), issuing leases to the LAN-Clients as well as to the VPN-Clients.

   o The address pool for the LAN-Clients is taken from the 192.168.0.0/24 subnet, the one for the VPN-Clients from the 192.168.1.0/24 subnet.

1.2. Copyright

Copyright 2002 by Mario Strasser.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

1.3. Disclaimer

Use the information in this document at your own risk. I disavow any potential liability for the contents of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

All copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.

1.4. Credits

I would like to thank Dr. Andreas Steffen for proofreading and giving me support with the configuration files.

2. FreeS/WAN with X.509 Patch

2.1. Installation

If not already done, download the latest FreeS/WAN release (>= 1.98b) and its dedicated X.509 patch (>= 0.9.14). To apply and install the patch follow the instructions given in the X.509 Patch Installation and Configuration Guide.

2.2. Configuration

In addition to the common transfer tunnels, an additional DHCP tunnel has to be configured to transport the initial DHCP traffic between the client and the gateway. This tunnel is only needed to negotiate the DHCP parameters and thus should be set up short-lived. Further, access should be restricted to protocol udp and ports bootps (67) and bootpc (68), respectively. A sample configuration which should work in most cases is given below (the gateway is supposed to be on the left):

______________________________________________________________________
   conn dhcp
           rekey=no
           keylife=30s
           rekeymargin=15s
           leftsubnet=0.0.0.0/0
           leftprotoport=udp/bootps
           rightprotoport=udp/bootpc
______________________________________________________________________

Some clients do not use this connection to renew their DHCP-lease, but use the normal data tunnel instead. If so, you have to allow the client to send its whole traffic over the gateway (leftsubnet=0.0.0.0/0), as the renewal of DHCP-leases has to be done by broadcast under some circumstances! SSH Sentinel 1.3.X is known to be such a client. As this is only an internal feature, the client's configuration must be set to the correct subnet address, not to 0.0.0.0/0!

______________________________________________________________________
   conn roadwarrior
           leftsubnet=192.168.0.0/23
           rightsubnetwithin=192.168.1.0/24

   conn roadwarrior-sentinel
           leftsubnet=0.0.0.0/0
           rightsubnetwithin=192.168.1.0/24
______________________________________________________________________

The whole configuration file, including some general FreeS/WAN options, can be found in ``Section 5.1''.

3. DHCP-Server

3.1. Installation

As DHCPv4 is a well defined standard, almost any DHCP-Server can be used as long as it supports the DHCP Relay Agent Information Option. However, I recommend the usage of the DHCP-Server released by the Internet Software Consortium (ISC): . More information can be found in the DHCP mini-HOWTO or the related README file.

3.2. Configuration

If the VPN-clients should not be given an IP out of the common address pool, either the DHCP Relay Agent Information Option or the Gateway Address can be used to distinguish between VPN-clients and normal clients. The first contains the name of the ipsec device the request came from, the second is set to the gateway's IP address. The following sample shows how this may work. See ``Section 5.2'' for a complete configuration file.

______________________________________________________________________
   # vpn client class
   class "vpn-clients" {
     match if option agent.circuit-id = "ipsec0";
   }

   subnet ... {
     ...
     # lan clients
     pool {
       deny members of "vpn-clients";
       ...
     }
     # vpn clients
     pool {
       allow members of "vpn-clients";
       ...
     }
   }
______________________________________________________________________

General information about how to set up a DHCP-Server can be found either in the DHCP mini-HOWTO or in the man page of the DHCP-Server configuration file (dhcpd.conf (5)).

4. DHCP-Relay

4.1. Installation

Download the source archive from , then unpack, configure, compile and install it:

______________________________________________________________________
   bash# tar -xvzf dhcprelay-X.Y.tar.gz
   bash# cd dhcprelay-X.Y
   bash# ./configure
   bash# make
   bash# make install
______________________________________________________________________

In case of troubles, the relay can be compiled in debugging mode by using the --enable-debug argument:

______________________________________________________________________
   bash# ./configure --enable-debug
   bash# make
   bash# make install
______________________________________________________________________

The DHCP-Relay can be started, stopped, restarted and observed using the /etc/init.d/dhcprelay startup script as shown in the following example:

______________________________________________________________________
   bash# /etc/init.d/dhcprelay start
   Starting dhcprelay                                           done
   bash# /etc/init.d/dhcprelay status
   Checking for service dhcprelay:                              running
   bash# /etc/init.d/dhcprelay stop
   Shutting down dhcprelay                                      done
______________________________________________________________________

To make the relay start automatically on start-up, insert the service with the insserv or chkconfig tool:

______________________________________________________________________
   bash# cd /etc/init.d/
   bash# insserv dhcprelay
______________________________________________________________________

Be aware of the fact that FreeS/WAN must already be running when you start the relay, and thus if you restart the FreeS/WAN service, the DHCP-Relay must be restarted, too!

4.2. Configuration

The DHCP-Relay configuration file (/usr/local/etc/dhcprelay.conf) contains four items:

o LOGFILE sets the path to the log-file of the relay.

o DEVICES is a comma separated list of ipsec devices the relay should listen on and must contain no spaces!

o SERVERDEVICE is the device over which the DHCP-Server can be reached.

o DHCPSERVER defines the host name or the IP address of the responsible DHCP-Server. If no server is given, the packets are forwarded by broadcast.

The following is an example for one ipsec device and a known DHCP-Server, according to the ``overview scenario''.

______________________________________________________________________
   # DHCP-Relay configuration file

   # Logfile
   LOGFILE="/var/log/dhcprelay.log"

   # IPSec devices (comma separated list including NO spaces)
   DEVICES="ipsec0"

   # The device over which the DHCP-Server can be reached
   SERVERDEVICE="eth1"

   # Hostname or IP Address of the DHCP-Server
   DHCPSERVER="192.168.0.10"
______________________________________________________________________

4.3. Running the DHCP-Server and the DHCP-Relay on the same Host

Since release 0.3.1 of the DHCP-Relay this can easily be done by binding both the relay and the server to the loopback device. Therefore, set

______________________________________________________________________
   SERVERDEVICE="lo"
______________________________________________________________________

in the DHCP-Relay configuration file and add lo to the list of target devices when starting the DHCP-Server. For example:

______________________________________________________________________
   bash# dhcpd lo eth1
______________________________________________________________________

Further, the DHCP-Server must be able to reply to requests coming in over the lo device, which are not out of the dedicated subnet (127.0.0.0/8). For the ISC DHCP-Server the subnet setting must therefore be set to any:

______________________________________________________________________
   ...
   subnet 0.0.0.0 netmask 0.0.0.0 {
     ...
   }
______________________________________________________________________

See ``Section 5.3'' for a complete configuration file.

5. Example Configuration Files

5.1. ipsec.conf

______________________________________________________________________
   # /etc/ipsec.conf - FreeS/WAN IPSEC configuration file

   config setup
           # THIS SETTING MUST BE CORRECT or almost nothing will work;
           # %defaultroute is okay for most simple cases.
           interfaces=%defaultroute
           klipsdebug=none
           plutodebug=none
           plutoload=%search
           plutostart=%search
           uniqueids=yes
           dumpdir=/root

   conn %default
           keyingtries=3
           ikelifetime=3h
           keylife=1h
           disablearrivalcheck=no
           # --- RSA authentication using certificates
           authby=rsasig
           # --- left: this server
           left=%defaultroute
           leftid=@gw.company.net
           leftcert=gwCert.der
           leftupdown=/usr/local/lib/ipsec/updown.x509
           # --- right: roadwarrior
           right=%any
           rightrsasigkey=%cert
           # --- preferred encryption algorithms
           esp=aes128,3des
           # --- load connections automatically at startup
           auto=add

   conn dhcp
           rekey=no
           keylife=30s
           rekeymargin=15s
           leftsubnet=0.0.0.0/0
           leftprotoport=udp/bootps
           rightprotoport=udp/bootpc

   conn roadwarrior
           leftsubnet=192.168.0.0/23
           rightsubnetwithin=192.168.1.0/24

   conn roadwarrior-sentinel
           leftsubnet=0.0.0.0/0
           rightsubnetwithin=192.168.1.0/24
______________________________________________________________________

5.2. dhcpd.conf

______________________________________________________________________
   # common server options
   ddns-update-style none;

   # vpn client class
   class "vpn-clients" {
     match if option agent.circuit-id = "ipsec0";
   }

   # example net
   subnet 192.168.0.0 netmask 255.255.254.0 {
     option domain-name "example.net";
     option domain-name-servers ns1.example.net, ns2.example.net;
     option routers gw.example.net;
     option netbios-name-servers ads.example.net;

     # lan clients
     pool {
       deny members of "vpn-clients";
       range 192.168.0.50 192.168.0.254;
       default-lease-time 7200;
       max-lease-time 14400;
     }

     # vpn clients
     pool {
       allow members of "vpn-clients";
       range 192.168.1.50 192.168.1.254;
       default-lease-time 3600;
       max-lease-time 7200;
     }
   }
______________________________________________________________________

5.3. dhcpd.conf - DHCP-Server and Relay on the same host

______________________________________________________________________
   # common server options
   ddns-update-style none;

   # vpn client class
   class "vpn-clients" {
     match if option agent.circuit-id = "ipsec0";
   }

   # example net
   subnet 0.0.0.0 netmask 0.0.0.0 {
     option domain-name "example.net";
     option domain-name-servers ns1.example.net, ns2.example.net;
     option routers gw.example.net;
     option netbios-name-servers ads.example.net;

     # lan clients
     pool {
       deny members of "vpn-clients";
       range 192.168.0.50 192.168.0.254;
       default-lease-time 7200;
       max-lease-time 14400;
       option subnet-mask 255.255.255.0;
     }

     # vpn clients
     pool {
       allow members of "vpn-clients";
       range 192.168.1.50 192.168.1.254;
       default-lease-time 3600;
       max-lease-time 7200;
       option subnet-mask 255.255.255.0;
     }
   }
______________________________________________________________________

5.4. dhcprelay.conf

______________________________________________________________________
   # DHCP-Relay configuration file

   # Logfile
   LOGFILE="/var/log/dhcprelay.log"

   # IPSec devices (comma separated list including NO spaces)
   DEVICES="ipsec0"

   # The device over which the DHCP-Server can be reached
   SERVERDEVICE="eth1"

   # Hostname or IP Address of the DHCP-Server
   DHCPSERVER="192.168.0.10"
______________________________________________________________________
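The pool separation in the dhcpd.conf files above rests entirely on the relay tagging every request it forwards with the Relay Agent Information option (option 82) carrying the ipsec device name as circuit-id. The following Python script is an added example, not part of this HOWTO, the ISC server or the DHCP-Relay: it decodes the options field of a DHCP request, extracts that circuit-id, and applies the same classification as the "vpn-clients" class, with the gateway-address (giaddr) check from Section 3.2 as the alternative; the two sample requests are constructed, and the gateway address 192.168.0.1 is an assumed value that the HOWTO does not give.

```python
OPT_RELAY_AGENT_INFO = 82      # RFC 3046 Relay Agent Information option
SUBOPT_CIRCUIT_ID = 1          # its sub-option 1: circuit-id
VPN_CIRCUIT_IDS = {b"ipsec0"}  # the DEVICES= list of dhcprelay.conf
GATEWAY_IP = "192.168.0.1"     # assumed address of gw.example.net (not given in the HOWTO)

def parse_options(raw):
    """Decode the DHCP options field (the bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:                      # pad option, a single byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option %d" % code)
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def circuit_id(opts):
    """Return sub-option 1 (circuit-id) of option 82, or None if the relay did not add it."""
    agent, i = opts.get(OPT_RELAY_AGENT_INFO), 0
    while agent is not None and i + 2 <= len(agent):
        sub, length = agent[i], agent[i + 1]
        if i + 2 + length > len(agent):
            raise ValueError("truncated relay agent sub-option %d" % sub)
        if sub == SUBOPT_CIRCUIT_ID:
            return agent[i + 2:i + 2 + length]
        i += 2 + length
    return None

def select_pool(opts, giaddr="0.0.0.0"):
    """Pick the dhcpd.conf pool: circuit-id is the class rule of the HOWTO, giaddr the
    alternative mentioned in Section 3.2 (the relay sets it to the gateway's address)."""
    if circuit_id(opts) in VPN_CIRCUIT_IDS or giaddr == GATEWAY_IP:
        return "vpn-clients"               # range 192.168.1.50 - 192.168.1.254
    return "lan-clients"                   # range 192.168.0.50 - 192.168.0.254

# Constructed samples: DHCPDISCOVER (option 53 = 1); the VPN one carries option 82
# with circuit-id "ipsec0" as the relay appends it, the LAN one arrived directly.
VPN_REQUEST = bytes([53, 1, 1, 82, 8, 1, 6]) + b"ipsec0" + bytes([255])
LAN_REQUEST = bytes([53, 1, 1, 255])
```

A request that reaches the server without option 82 and with giaddr unset is treated as a LAN client, which is why the relay must be running whenever the dhcp tunnel is up.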