Hi Carlos, sorry for the delay. Here's my suggestion:
Assign a static internal IP address to the VPN router: 172.17.1.2

You can try to set up a DHCP relay agent on the VPN router, but I doubt that either Linksys or Dlink supports that. Can you use a dedicated Linux box instead of a hardware appliance? You could also set up a completely separate DHCP server in the branch office, but then you have two different DHCP servers you have to administer, although I don't think that this is too much of an issue.

As I said, I'm not an expert when it comes to DHCP, but I doubt that DHCP works across a VPN like you imagined it to work. DHCP uses Ethernet broadcasts, which don't go through the IPsec tunnel. But try setting up a DHCP relay agent. This agent might communicate with the main DHCP server over IP.

-Daniel

Carlos Lopez wrote:
> Thanks for your reply Daniel,
>
> Then, following your suggestion, I'll try to implement this:
>
> 1- Build up the Linux router (corporate):
>
> ISP IP= 1.2.3.4
> LAN IP= 172.16.0.1/24
>
> 2- Build up DHCP and DNS server with Bind9:
>
> LAN IP= 172.16.0.2
> IP POOLS corporate LAN= 172.16.0.10 - 172.16.0.254
> IP POOLS ExternalUsers= 172.17.1.3 - 172.17.1.254 (Via VPN)
>
> 3- Build up email server with Qmail or any other software:
>
> LAN IP= 172.16.0.3
>
> 4- Build up web server with Apache:
>
> LAN IP = 172.16.0.4
>
> 5- Build up the VPN server:
>
> IP POOL = 172.17.0.2-254 (These are the IPs that the Linksys or Dlink device will get after a successful authentication occurs)
>
> -Install and configure a DHCP relay from ISC.org.
>
> Then:
>
> 1- Configure device (Linksys or Dlink or any other) with:
>
> ISP IP= 1.2.3.5
> VPN SERVER IP = 1.2.3.4:VPNPORT
> VPN ASSIGNED IP FROM POOL= 172.17.0.2 (If it successfully authenticates)
> VPN SERVER KEY/PASS = "abcd"
> NAT-T = ENABLED?
>
> The question resides in this: how can I let users get their IPs from the corporate LAN's DHCP server (range 172.17.1.x/24)? I'd like to do this because it would be easy for me to handle every IP from the branch office; let's say I can assign a group of addresses to Counter and another group of addresses to Sales, and each will have a different access and configuration, let's say Counter cannot browse the Internet but Sales can.
>
> 2- Plug in a 24 port switch to the device (Linksys or Dlink) and from there the PC stations.
>
> 3- Try to ping from a corporate LAN PC (172.16.0.11) to ExternalUsers (172.17.1.11) and vice versa.
>
> 4- Do some more traffic, let's say VNC.
>
> Carlos.
>
> --- On Sat, 10 Oct 2009, Daniel Mentz <[email protected]> wrote:
>
>> From: Daniel Mentz <[email protected]>
>> Subject: Re: [strongSwan] DHCP/Any Traffic over an established VPN tunnel
>> To: "Carlos Lopez" <[email protected]>
>> Cc: [email protected]
>> Date: Saturday, 10 October 2009, 4:14 pm
>>
>> Hi Carlos,
>>
>> I learned from your e-mail that the subnet your branch office uses is
>>
>> 172.17.0.0/24
>>
>> Why don't you assign the static (internal) IP address 172.17.0.3 to the Linksys / Dlink router and set up a separate DHCP server in that subnet? You could also set up a DHCP relay agent and use the DHCP server in the head office.
>>
>> I doubt that DHCP works across IPsec tunnels because it uses broadcasts on the Ethernet layer.
>>
>> -Daniel

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
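The relay mechanism Daniel points at, as an added example that is not part of the thread: a short Python model of what a DHCP relay agent does to a client's DHCPDISCOVER, and why the relayed copy can traverse the IPsec tunnel while the client's own broadcast cannot. The addresses (172.17.1.2 for the branch router, 172.16.0.2 for the head-office DHCP server, the two pools) are the ones Carlos and Daniel use; the tunnel selectors, the pool table and the packet builder are assumptions made for illustration, and `select_pool` is a simplified model of the RFC 2131 rule (pick the subnet from giaddr when it is set), not ISC dhcpd's code.

```python
import ipaddress
import struct

# Addresses are those named in the thread. The pool table and the tunnel
# selectors are a constructed model for this example, not dhcpd or strongSwan
# configuration taken from the original mail.
DHCP_SERVER = "172.16.0.2"   # head-office DHCP server
RELAY_ADDR = "172.17.1.2"    # static LAN address of the branch VPN router
POOLS = {
    ipaddress.ip_network("172.16.0.0/24"): ("172.16.0.10", "172.16.0.254"),
    ipaddress.ip_network("172.17.1.0/24"): ("172.17.1.3", "172.17.1.254"),
}
# Assumed IPsec traffic selectors for the branch LAN <-> head-office LAN SA.
TUNNEL_LOCAL = ipaddress.ip_network("172.17.1.0/24")
TUNNEL_REMOTE = ipaddress.ip_network("172.16.0.0/24")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR = slice(24, 28)       # offset of giaddr in the fixed BOOTP header


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as a client emits it: BOOTREQUEST, hops 0, giaddr 0,
    broadcast flag set. 236-byte BOOTP header, magic cookie, then options
    53 (message type = DISCOVER) and 255 (end)."""
    if len(client_mac) != 6:
        raise ValueError("expected a 6-byte Ethernet MAC")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                  # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,              # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"


def matches_tunnel_selector(src: str, dst: str) -> bool:
    """Would a packet src->dst be steered into the IPsec tunnel? The client's
    own DISCOVER travels 0.0.0.0 -> 255.255.255.255 and matches no selector;
    the relay's unicast copy (172.17.1.2 -> 172.16.0.2) does."""
    return (ipaddress.ip_address(src) in TUNNEL_LOCAL
            and ipaddress.ip_address(dst) in TUNNEL_REMOTE)


def relay_to_server(packet: bytes, relay_addr: str):
    """What a DHCP relay agent (e.g. ISC dhcrelay) does with a BOOTREQUEST
    heard on its LAN: bump hops, put its own address on that LAN into giaddr
    if it is still empty, and forward the packet as a *unicast* datagram to
    the configured server. Returns (dst_ip, dst_port, relayed_packet)."""
    if packet[0] != 1:
        raise ValueError("only BOOTREQUEST is relayed towards the server")
    hops = packet[3]
    if hops > 16:   # RFC 1542: relays discard requests whose hops exceed 16
        raise ValueError("hop count exceeded, packet discarded")
    out = bytearray(packet)
    out[3] = hops + 1
    if out[GIADDR] == b"\0" * 4:
        out[GIADDR] = ipaddress.ip_address(relay_addr).packed
    return DHCP_SERVER, 67, bytes(out)


def select_pool(packet: bytes, server_iface_net: str):
    """Server-side subnet selection (RFC 2131 section 4.3.1): use giaddr when
    it is non-zero, otherwise the subnet of the interface the request came in
    on. Without a relay a branch client could only ever hit the corporate pool."""
    giaddr = ipaddress.ip_address(bytes(packet[GIADDR]))
    key_net = None
    if int(giaddr) != 0:
        for net in POOLS:
            if giaddr in net:
                key_net = net
    else:
        key_net = ipaddress.ip_network(server_iface_net)
    return POOLS.get(key_net)


if __name__ == "__main__":
    pkt = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x3903F326)   # constructed client
    print("client broadcast matches tunnel selector:",
          matches_tunnel_selector("0.0.0.0", "255.255.255.255"))
    dst, port, relayed = relay_to_server(pkt, RELAY_ADDR)
    print("relayed unicast to %s:%d matches tunnel selector: %s"
          % (dst, port, matches_tunnel_selector(RELAY_ADDR, dst)))
    print("pool the server picks from giaddr:", select_pool(relayed, "172.16.0.0/24"))
```

The reply path is the mirror image: the server unicasts its DHCPOFFER to giaddr (172.17.1.2), so the SA's selectors must cover both 172.17.1.2 -> 172.16.0.2 and the return direction, and the relay then re-broadcasts the offer on the branch LAN. In practice this is what running `dhcrelay` on a Linux box in place of the Linksys/Dlink appliance buys you; the appliance only needs to do this if it ships with a relay option.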
