Subject: Re: [Design] dhclient and IPsec
To: Michael Richardson <>
From: Richard Guy Briggs <>
List: tech-net
Date: 02/16/2002 15:26:15
On Sat, Feb 16, 2002 at 02:48:16PM -0500, Michael Richardson wrote:
>   Some of you may know that I spend good portions of my time working
> on Linux FreeSWAN. 
>   At one of my colleagues' place, he has an 802.11 network. His local
> firewall policy on that wire is proto 50,51, UDP 500, DNS and DHCP
> only. i.e. you had better do IPsec over that wire. No problem, my
> notebook (running NetBSD/i386) has what it takes thanks to KAME.


>   Initially, the firewall/802.11 gateway was not accepting on port 67 in.

That wasn't the case this week because it was fixed a couple of weeks
ago.  It was only DNS that was blocked this time.


>   Anyway, the dhclient renewals do not get through. Looking at the tcpdump
> from the Linux/FreeSWAN end, we can see the packets going in and out. But,
> they apparently never are received by dhclient on my notebook.

I should have done a filter on the 802.11 device looking for anything to
your machine and dug looking for the needle in the haystack of the ESP
packet corresponding to the encrypted DHCP server reply.  That way, we
could be certain that my end was not dropping the packet in the IPsec
subsystem.  I don't have any reason to believe they didn't, but we don't
have any proof otherwise.


>   Later, it sees the broadcast:
> 16:01:10.530797 eth5 > xid:0x6501903f secs:276 C: [|bootp] [tos 0x10]
>   but, since there is an SA alive, the reply goes via IPsec. 
>   (Yes, FreeSWAN does not provide any alternative for this, and should)

This needs port selectors, which we don't have yet.

> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[

	slainte mhath, RGB

Richard Guy Briggs           --    ~\                 Auto-Free Ottawa! Canada
<>            --    \@       @           <>
No Internet Wiretapping!        --   _\\/\%___\\/\%        Vote! -- <>
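The "port selectors" the reply refers to are per-port entries in the security policy database, so that DHCP (UDP 67/68) is exempted from the "everything must go through IPsec" policy while all other traffic still requires ESP. FreeSWAN of that era could not express this; the KAME stack on the NetBSD notebook could. What follows is an added illustration in setkey(8) syntax, not configuration from either poster or from either project. The notebook address 192.0.2.10 and the gateway address 192.0.2.1 are made up; the exemption entries are listed before the catch-all on the assumption that the SPD is searched in that order (check setkey(8) and your release's ipsec(4) before relying on it).

```conf
# Constructed example: KAME SPD on the notebook side.
# Loaded with: setkey -f thisfile  (not part of the original thread)

flush;
spdflush;

# DHCP bypass: client (UDP 68) to server (UDP 67) leaves in the clear,
# whether it is the initial broadcast to 255.255.255.255 or a unicast
# renewal to the lease's server, and the server's reply (UDP 67 -> 68)
# is accepted in the clear.  "none" means no IPsec processing at all.
spdadd 0.0.0.0/0[68] 0.0.0.0/0[67] udp -P out none;
spdadd 0.0.0.0/0[67] 0.0.0.0/0[68] udp -P in  none;

# Everything else to or from the notebook must be ESP in transport mode;
# packets without a matching SA are dropped rather than sent in the clear.
spdadd 192.0.2.10/32 0.0.0.0/0 any -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 192.0.2.10/32 any -P in  ipsec esp/transport//require;
```

With this in place a renewal reply arriving as plain UDP 67 -> 68 is delivered to dhclient without any SA lookup. The gateway side needs the mirror-image exemption; as the reply notes, FreeSWAN at the time had no way to express it, which is why the server's reply was wrapped in ESP as soon as an SA existed.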