dhcpd, dhcrelay, and ipsec VPN

[dontek]

Now that OpenBSD 4.7 is out I am trying to get DHCP over IPSec working on my VPN for remote clients.

My VPN gateway also hosts dhcpd.

My question is, since dhcpd runs on the gateway, can I just make it listen on enc0 to serve leases, or do I need to use dhcrelay and have dhcpd listen on lo and relay enc to lo?

Or am I totally thinking I can do this the wrong way?

Thanks in advance.

[jggimi]

I don't know if I've ever seen DHCP "under" IPSec discussed in regards to OpenBSD before.

I run IPSec for wireless security, with DHCP, but the leases are established before the ESP tunnels are established. They have to be, since I use an isakmpd(8) PKE infrastructure. Those require UDP communication between existing IP addresses for SA and flow negotiations, tunnel setup, key change, and tear down.

AFAIK, dhcpd(8) and dhclient(8) use bpf(4) for communication. I don't know, therefore, how one would go about applying ESP or AH protocols to such packets.

As for your question about enc(4), that is, as far as I know, only usable with pf(4) and tcpdump(8).

[dontek]

per dhcrelay man page:

"dhcrelay supports relaying of DHCP traffic to configure IPsec tunnel mode clients when listening on the enc(4) interface. The DHCP server has to support RFC 3046 to echo back the relay agent information to allow state-less DHCP reply to IPsec tunnel mapping."

also

command line switch -o = "Add the relay agent information option. By default, this is only enabled for the enc(4) interface."

I believe OpenBSD 4.7 dhcpd supports RFC 3046.

If I'm correct, then it's just a matter of making it work...