[strongSwan] Support of forwarding of client DHCP requests in strongswan?

Peter Bieringer pb at bieringer.de
Tue Jun 7 09:20:16 CEST 2016


Everything from DHCP results in a hen-and-egg problem in IKEv2 (IP-level VPN), I would assume, because if no client IP is assigned, no IPsec SA can be established.


From: Christian Huldt
Sent: Tuesday, 7 June 2016 08:54
To: Peter Bieringer; ms at sys4.de; users at lists.strongswan.org
Subject: Re: [strongSwan] Support of forwarding of client DHCP requests in strongswan?

Wouldn't it be simpler to just get everything from DHCP, rather than
getting the IP address from one place and everything else from another?

On 2016-06-06 at 07:41, Peter Bieringer wrote:
> Hi Michael,
>
> The IPv4 address is already passed to WP10 by strongswan and accepted
> without an external DHCP.
>
> The problem is that WP10 (and I would assume also other Windows systems)
> afterwards starts a "DHCP Inform" on the new link to get additional
> information, and this can't be served by strongswan as far as I can see
> and therefore needs to be caught and forwarded to a sophisticated DHCP
> server.
>
> And in my scenario (Split Tunneling = false) I want to feed new routes
> into WP10 via the DHCP response to "Classless-Static-Route-Microsoft".
>
> Regards,
> 	Peter
>
> On 05.06.2016 at 21:56, Michael Schwartzkopff wrote:
>> On Sunday, 5 June 2016, 19:41:30, Peter Bieringer wrote:
>>> Hi,
>>>
>>> after some hours of playing around and digging through Google I now need
>>> support...
>>>
>>> Initial problem: Windows Phone 10 VPN client where "Split Tunneling =
>>> false" can't be set (unlike Windows 10, where a PowerShell command will help)
>>>
>>> Probable solution: distribute routes to WP 10 via DHCP reply by
>>> responding with proper routes to the received DHCP inform message:
>>>
>>> Received on ipsec0 interface (tcpdump):
>>>
>>>     172.16.1.1.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request,
>>> length 300, htype 8, hlen 0, xid 0x5b8e69a6, secs 1536, Flags [none]
>>> 	  Client-IP 172.16.1.1
>>> 	  Vendor-rfc1048 Extensions
>>> 	    Magic Cookie 0x63825363
>>> 	    DHCP-Message Option 53, length 1: Inform
>>> 	    Client-ID Option 61, length 17: "***"
>>> 	    Hostname Option 12, length 13: "Windows-Phone"
>>> 	    Vendor-Class Option 60, length 8: "MSFT 5.0"
>>> 	    Parameter-Request Option 55, length 6:
>>> 	      Domain-Name-Server, Netbios-Name-Server, Vendor-Option, Subnet-Mask
>>> 	      Classless-Static-Route-Microsoft, Domain-Name
>>>
>>>
>>> But now I am stuck; I haven't found any solution so far to feed this
>>> DHCP message received via ipsec0 to a DHCP server (tried ISC and dnsmasq
>>> listening on a tap interface with iptables NAT PREROUTING hints).
>>> dhcrelay also won't work; interface ipsec0 is not liked by any DHCP
>>> server...
>>>
>>> Does anyone have a working example for strongswan of how to feed DHCP client
>>> messages received after IPsec is established to a DHCP server and
>>> respond properly with additional information?
>>>
>>> e.g. something like a broadcast forwarding/snooper based on layer 2.
>>>
>>> BTW: IPsec setup is IKEv2, system is running on Virtuozzo, so bridging of
>>> interfaces is not an option, only tun/tap interfaces are available.
>> As far as I understand, IKEv2 should be able to hand out its own IP
>> addresses.
>>
>> See:
>> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
>> https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin
>>
>> Is this an option in your setup? Or do the IP addresses really have to be
>> passed on to the central DHCP server?
>>
>> Kind regards,
>>
>> Michael Schwartzkopff
>>
>>
>>
>>
>


-- 
Christian Huldt
+46704612207
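As an added example (not from this thread and not strongSwan's own code), here is the reply a small DHCP responder attached to ipsec0 would have to produce for the Inform captured above: it parses the request, keeps the client's xid, flags, ciaddr and chaddr, and answers with a DHCPACK that carries option 249 only when the client listed it in option 55. The server address 172.16.1.254 and the two routes are assumed values; the request bytes are constructed from the tcpdump fields in the thread.

```python
import struct
from ipaddress import IPv4Address, IPv4Network
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 1048 vendor-extension cookie
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_CSR_MS, OPT_END = 53, 54, 55, 249, 255
DHCP_ACK, DHCP_INFORM = 5, 8
BOOTP_HDR = 236                              # fixed BOOTP header that precedes the cookie

def parse_options(area: bytes) -> dict:
    """Parse the option area (cookie + TLVs) into {code: raw value}."""
    if area[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(area) and area[i] != OPT_END:
        if area[i] == 0:                     # pad byte
            i += 1
            continue
        code, length = area[i], area[i + 1]
        opts[code] = area[i + 2:i + 2 + length]
        i += 2 + length
    return opts
def encode_csr(routes) -> bytes:
    """RFC 3442 layout, which Microsoft option 249 reuses: prefix length, only the
    significant destination octets, then the 4-byte router address."""
    out = b""
    for net, gw in routes:
        n = IPv4Network(net)
        out += bytes([n.prefixlen]) + n.network_address.packed[:(n.prefixlen + 7) // 8]
        out += IPv4Address(gw).packed
    return out

def build_inform_ack(request: bytes, server_ip: str, routes) -> bytes:
    """Answer a DHCPINFORM with a DHCPACK; add option 249 only if the client asked for it."""
    opts = parse_options(request[BOOTP_HDR:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_INFORM]):
        raise ValueError("not a DHCPINFORM")
    hdr = bytearray(request[:BOOTP_HDR])
    hdr[0] = 2                               # op = BOOTREPLY; xid, flags, ciaddr, chaddr are kept
    hdr[8:10] = b"\x00\x00"                  # secs
    hdr[16:28] = bytes(12)                   # yiaddr/siaddr/giaddr stay zero in an Inform reply
    body = bytes([OPT_MSG_TYPE, 1, DHCP_ACK, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    if OPT_CSR_MS in opts.get(OPT_PARAM_REQ, b""):
        csr = encode_csr(routes)
        body += bytes([OPT_CSR_MS, len(csr)]) + csr
    return bytes(hdr) + MAGIC_COOKIE + body + bytes([OPT_END])
# Constructed request modelled on the tcpdump output in the thread (htype, xid, secs, ciaddr, option 55).
INFORM = struct.pack("!BBBBIHH4s", 1, 8, 0, 0, 0x5B8E69A6, 1536, 0, IPv4Address("172.16.1.1").packed)
INFORM += bytes(BOOTP_HDR - 16)              # yiaddr .. file are all zero in the capture
INFORM += MAGIC_COOKIE + bytes([53, 1, DHCP_INFORM, 55, 6, 6, 44, 43, 1, 249, 15, 255])
ROUTES = [("10.0.0.0/8", "172.16.1.254"), ("192.168.100.0/24", "172.16.1.254")]   # assumed values
```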


