We would like to ask the dhcp package maintainers to keep in mind the following problems when dhcp is re-packaged for Fedora Core 2 with the 2.6 kernel.

Description of problem:
If the dhcp relay agent is running on the machine which functions as VPN gateway using IPSEC, it cannot contact the dhcp server.

Version-Release number of selected component (if applicable):
dhcp-3.0pl1-9
FreeS/wan 1.99 on RHL8

How reproducible:
always

Steps to Reproduce:
either
1. reboot the machine with dhcrelay and ipsec chkconfigged on
or
1. service ipsec start
2. and then immediately service dhcrelay start

Actual results:
dhcrelay cannot contact the dhcp server through the virtual ipsec interface.

Expected results:
dhcrelay should relay dhcp information.

Additional info:
1) We had to change the startup priority in dhcrelay's init script to 98. There seems to be a time lag between when the ipsec service has started and when the virtual interface becomes available.
2) We had to recompile dhcrelay with USE_SOCKETS defined in includes/sites.h for dhcrelay to work over the virtual ipsec interface.

Not sure whether this will still be an issue with ipsec integrated in the 2.6 kernel, so we just want to make this "pre-emptive" bug report to ensure that dhcrelay will work out of the box when FC2 is released.

Have you checked this on FC2?

Created attachment 98901: enable dhcrelay to function when running on endpoint of ipsec tunnel

Just finished checking it on FC2.

Test1:
1) startup priority
Setkey does not create a virtual interface, so the physical interfaces dhcrelay listens on all already exist at the current startup priority. No need to change anything.
2) define USE_SOCKETS
Still, if USE_SOCKETS is not defined in includes/site.h, dhcrelay will not work through ipsec if it is on the VPN gateway itself. Looking at the IP traffic, dhcrelay contacts the dhcp server and gets the response back, but does not forward it to the client.

A patch for defining USE_SOCKETS is attached. However, the description of this function sounds a little bit scary, and I have no non-Red Hat clients available to test it with other dhcp clients.

Created attachment 98902: enable dhcrelay to function when running on endpoint of ipsec tunnel

Sorry for the delay in processing this bug - it somehow slipped through the cracks. Is this still an issue with FC-3/4 2.6+ kernel ipsec support? I am investigating.

No, dhcp currently will NOT work with USE_SOCKETS - for many reasons. This is being worked on upstream at the ISC.