AW: AW: AW: Problems with destination IP of DHCP Offer Packages

Martin Krellmann martin2002 at web.de
Mon Jul 13 18:49:10 UTC 2009


>I don't think subnet 0.0.0.0 definition will work. It needs to be the
>proper subnet where the clients are, even if this is the same IP as the
>external ethernet interface. You can restrict dhcpd from listening only
>to a particular interface by adding it as a command line parameter
>(dhcpd ... ipsec0) as you have done.

In my opinion this will only work with a relay agent... The external
addresses of the clients vary.
If I configure my external address as the subnet address (only the single
address, e.g. netmask 255.255.255.255), then dhcpd claims that the pool
addresses are not part of the subnet...

>Is the other end of the ipsec0 tunnel a single client or a subnet? Can
>you run a relay agent on a host at the other end of the ipsec tunnel?

It is a single client. And no, I cannot run a relay agent on the remote
clients... I have Windows systems at this site running a VPN client (NCP).

>The other thing that might kill this is that dhcpd can only work with
>broadcast capable interfaces, so for example ppp interfaces will not
>work. Not sure how ipsec0 behaves, but it may not work and you will
>need to use a dhcp relay on the remote subnet.

As far as I know, ipsec tunnels should be able to broadcast packets... But actually
the ipsec0 interface has no "broadcast" flag:

gateway:~ # ip addr show dev ipsec0
6: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0a:e6:26:28:f8 brd ff:ff:ff:ff:ff:ff
    inet 91.64.137.252/23 brd 255.255.255.255 scope global ipsec0

What about having a relay agent on the same host as the dhcp server and the
ipsec gateway... Most dhcp-over-ipsec configurations assume this setup, but
with the ISC relay agent I could not get the routing between the relay agent and
the dhcp server working.

Greets,
Martin.
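The two checks this thread keeps circling back to (does the interface dhcpd listens on carry the BROADCAST flag, and do the pool addresses actually fall inside the declared subnet) can be scripted as a pre-flight test before restarting dhcpd. This is an added example and not code from the thread or from ISC; the ipsec0 block is the gateway's own `ip addr` output quoted above, while the eth0 block and the subnet/range values are constructed for comparison.

```python
"""Pre-flight checks for the two dhcpd problems discussed in the thread:
an interface without the BROADCAST flag, and a pool range that does not
fall inside its declared subnet. Added example, not ISC code."""
import ipaddress
import re

# The ipsec0 block is the `ip addr show dev ipsec0` output from the thread;
# the eth0 block is constructed to show what a broadcast-capable NIC looks like.
IP_ADDR_IPSEC0 = """\
6: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0a:e6:26:28:f8 brd ff:ff:ff:ff:ff:ff
    inet 91.64.137.252/23 brd 255.255.255.255 scope global ipsec0
"""
IP_ADDR_ETH0 = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.253/24 brd 192.168.10.255 scope global eth0
"""

# Matches the "N: name: <FLAG,FLAG,...>" header line of each interface.
FLAG_RE = re.compile(r"^\d+:\s+(\S+):\s+<([^>]*)>", re.M)


def interface_flags(ip_addr_output):
    """Return {ifname: set(flags)} parsed from `ip addr show` text."""
    return {m.group(1): set(m.group(2).split(","))
            for m in FLAG_RE.finditer(ip_addr_output)}


def is_broadcast_capable(ip_addr_output, ifname):
    """dhcpd wants a BROADCAST interface; ipsec0 in the thread only shows NOARP."""
    return "BROADCAST" in interface_flags(ip_addr_output).get(ifname, set())


def subnet_problems(subnet, netmask, range_start, range_end):
    """Mirror dhcpd's complaints about a subnet/pool pair: the catch-all
    0.0.0.0/0.0.0.0 declaration Glenn advises against, or pool addresses
    that are not part of the declared subnet (Martin's /32 attempt)."""
    problems = []
    net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
    if net.prefixlen == 0:
        problems.append("subnet 0.0.0.0 netmask 0.0.0.0 is a catch-all, "
                        "not the subnet the clients are in")
    for addr in (range_start, range_end):
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"pool address {addr} is not part of subnet {net}")
    return problems
```

Feed it the real `ip addr show` output and the subnet/range lines from dhcpd.conf; an empty list from `subnet_problems` and `True` from `is_broadcast_capable` are the preconditions the thread identifies before the relay-agent question even arises.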

-----Original Message-----
From: dhcp-users-bounces at lists.isc.org
[mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Glenn Satchell
Sent: Monday, 13 July 2009 03:39
To: dhcp-users at lists.isc.org
Subject: Re: AW: AW: Problems with destination IP of DHCP Offer Packages


>Date: Sun, 12 Jul 2009 17:30:56 +0200
>From: "Martin Krellmann" <martin2002 at web.de>
>Subject: AW: AW: Problems with destination IP of DHCP Offer Packages
>To: "'Users of ISC DHCP'" <dhcp-users at lists.isc.org>
>
>The configuration...
>
>ping-check false;
>
>class "ipsec-clients" {
>    #match if option agent.circuit-id = "ipsec0";
>    match if substring(hardware,0,1)=1f;
>}
>
>subnet 0.0.0.0 netmask 0.0.0.0 {
>    authoritative;
>    option domain-name-servers 192.168.10.253,192.168.10.1;
>    option domain-name "domainname";
>    option subnet-mask 255.255.255.0;
>    option routers 192.168.10.253;
>    #ping-check false;
>    pool {
>        range 10.0.1.1 10.0.1.253;
>        allow members of "ipsec-clients";
>        default-lease-time 3600;
>        max-lease-time 7200;
>    }
>}
>
>I would probably use a relay agent... but as I've said the routing of the
>packages does not work.

I don't think subnet 0.0.0.0 definition will work. It needs to be the
proper subnet where the clients are, even if this is the same IP as the
external ethernet interface. You can restrict dhcpd from listening only
to a particular interface by adding it as a command line parameter
(dhcpd ... ipsec0) as you have done.

Is the other end of the ipsec0 tunnel a single client or a subnet? Can
you run a relay agent on a host at the other end of the ipsec tunnel?

The other thing that might kill this is that dhcpd can only work with
broadcast capable interfaces, so for example ppp interfaces will not
work. Not sure how ipsec0 behaves, but it may not work and you will
need to use a dhcp relay on the remote subnet.

regards,
-glenn

>Greets,
>Martin.
>
>-----Original Message-----
>From: dhcp-users-bounces at lists.isc.org
>[mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Simon Hobson
>Sent: Sunday, 12 July 2009 10:26
>To: Users of ISC DHCP
>Subject: Re: AW: Problems with destination IP of DHCP Offer Packages
>
>Martin Krellmann wrote:
>
>>Multiple interfaces match the same subnet: eth0 eth2
>>Multiple interfaces match the same shared network: eth0 eth2
>>Multiple interfaces match the same subnet: eth0 eth1
>>Multiple interfaces match the same shared network: eth0 eth1
>>Multiple interfaces match the same subnet: eth0 ipsec0
>>Multiple interfaces match the same shared network: eth0 ipsec0
>
>Oh dear !
>
>To start with, is an ipsec interface supported ? I know PPP isn't.
>
>Looking at those warnings, it's clear that your config is really bad.
>You need to post the results of "ifconfig" and your dhcp server
>config.
>
>-- 
>Simon Hobson
>
>_______________________________________________
>dhcp-users mailing list
>dhcp-users at lists.isc.org
>https://lists.isc.org/mailman/listinfo/dhcp-users