If not already done, download the latest FreeS/WAN release (>= 1.98b) and its dedicated X.509 patch (>= 0.9.14). To apply and install the patch, follow the instructions given in the X.509 Patch Installation and Configuration Guide.
In addition to the common transfer tunnels, a DHCP tunnel has to be configured to transport the initial DHCP traffic between the client and the gateway. This tunnel is only needed to negotiate the DHCP parameters and should therefore be set up as short-lived. Furthermore, access should be restricted to protocol udp and ports bootps (67) and bootpc (68), respectively. A sample configuration which should work in most cases is given below (the gateway is assumed to be on the left):
conn dhcp
    rekey=no
    keylife=30s
    rekeymargin=15s
    leftsubnet=0.0.0.0/0
    leftprotoport=udp/bootps
    rightprotoport=udp/bootpc

conn roadwarrior
    leftsubnet=192.168.0.0/23
    rightsubnetwithin=192.168.1.0/24

conn roadwarrior-sentinel
    leftsubnet=0.0.0.0/0
    rightsubnetwithin=192.168.1.0/24
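Because the dhcp conn uses leftsubnet=0.0.0.0/0, the protoport restriction and the short lifetime are what keep it narrow. The following check is an added example, not part of FreeS/WAN or the original guide: it reads an ipsec.conf with a simplified parser and reports when the dhcp conn is missing those limits. The function names, the 60-second keylife threshold and the weakened sample are assumptions made for illustration.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Accepted spellings per side (gateway on the left, as on the page).
WANTED = {"leftprotoport": ("udp", "bootps", "67"),
          "rightprotoport": ("udp", "bootpc", "68")}

def parse_conns(text):
    """Simplified ipsec.conf reader: {conn name: {parameter: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a section
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def seconds(value):
    """Convert '30s', '8h', '45' ... to seconds; None if unparsable."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value or "")
    return float(m.group(1)) * UNITS.get(m.group(2), 1) if m else None

def check_dhcp_conn(conn, max_keylife=60):   # 60s limit is an assumed threshold
    findings = []
    if conn.get("rekey") != "no":
        findings.append("rekey not disabled")
    life = seconds(conn.get("keylife"))
    if life is None or life > max_keylife:
        findings.append("keylife missing or too long")
    for key, (proto, name, port) in WANTED.items():
        got = conn.get(key, "").lower().split("/")
        if len(got) != 2 or got[0] not in (proto, "17") or got[1] not in (name, port):
            findings.append(key + " not restricted to " + proto + "/" + name)
    return findings

# Constructed samples: the page's dhcp conn, and a weakened variant.
PAGE_SAMPLE = """conn dhcp
    rekey=no
    keylife=30s
    rekeymargin=15s
    leftsubnet=0.0.0.0/0
    leftprotoport=udp/bootps
    rightprotoport=udp/bootpc
"""
WEAK_SAMPLE = "conn dhcp\n    leftsubnet=0.0.0.0/0\n    keylife=8h\n"
```

Calling check_dhcp_conn(parse_conns(text)["dhcp"]) on a real configuration returns an empty list when all four limits are present.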