The introduction of the Linux 2.6 kernel brought a new, native IPSEC implementation. It offers a number of significant improvements, but it also introduces a problem that precludes using IPSEC and DHCP together.
This worked with the 2.4 kernel and the FreeS/WAN implementation because FreeS/WAN created virtual network interfaces, namely ipsec<n>, which allowed policy routing of outgoing packets to bypass the tunnel, since DHCP clients appear to listen on the raw socket. The downside was that starting the firewall rules as a single-step operation was problematic: the ipsec<n> interfaces did not exist until the tunnels were started, and that happened only after the real interface was enabled. Either a two-step firewall start-up was required, or there was a period between starting the network interfaces and starting the IPSEC tunnel during which no firewall rules were in place.
The other option is to use a very long lease period for the DHCP transaction. The first request is made before the IPSEC tunnel is started, and so it will work correctly. In an environment where wireless DHCP leases are only ever used for a fixed time, this method will work. Note, however, that if any wireless device operates long enough for its DHCP lease to expire, the renewal will fail, and the device will lose connectivity through the access point.