[strongSwan] DHCP!

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu May 3 19:52:08 CEST 2018


The dhcp plugin, or strongSwan generally, has nothing to do with that.
Windows itself is supposed to make a DHCP request over the established tunnel. Check what it sends with Wireshark or tcpdump.
Use the information from the CorrectTrafficDump[1] page.



[1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump

On 03.05.2018 18:58, Christian Salway wrote:
> I have noticed that Windows 10 is not asking for DHCP though
>
> May  3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>
>
>
> Whereas OSX is
>
> May  3 16:53:07 ip-10-0-5-202 charon-systemd[30505]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR *DHCP* DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>
>
>
>
>> On 3 May 2018, at 17:34, Christian Salway <christian.salway at naimuri.com <mailto:christian.salway at naimuri.com>> wrote:
>>
>> Hi,
>>
>> I've been trying to fix the (lack of) routing passed on to Windows 10 by trying the DHCP answer found at *Split-routing-on-Windows-10-and-Windows-10-Mobile* [1] but I can't get the DHCP to work. strongSwan doesn't make any requests to it.
>>
>> I have installed and configured dnsmasq with just the options in the support guide and dnsmasq is listening on tcp port 53 (DNS) and 67 (DHCP).
>>
>> I have rebuilt strongswan with dhcp support.
>>
>>
>> *$ /etc/dnsmasq.conf*
>> dhcp-vendorclass=set:msipsec,MSFT 5.0
>> dhcp-range=tag:msipsec,192.168.103.0,static
>> dhcp-option=tag:msipsec,6
>> dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0
>>
>> *$ netstat -tunlp*
>> Active Internet connections (only servers)
>> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>> *tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      29951/dnsmasq   *
>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1143/sshd       
>> tcp6       0      0 :::53                   :::*                    LISTEN      29951/dnsmasq   
>> tcp6       0      0 :::22                   :::*                    LISTEN      1143/sshd       
>> udp        0      0 0.0.0.0:4500            0.0.0.0:*                           30147/charon-system
>> udp        0      0 0.0.0.0:500             0.0.0.0:*                           30147/charon-system
>> udp        0      0 0.0.0.0:53              0.0.0.0:*                           29951/dnsmasq   
>> *udp        0      0 0.0.0.0:67              0.0.0.0:*                           29951/dnsmasq   *
>> udp        0      0 0.0.0.0:68              0.0.0.0:*                           30147/charon-system
>> udp        0      0 0.0.0.0:68              0.0.0.0:*                           1005/dhclient   
>> udp6       0      0 :::4500                 :::*                                30147/charon-system
>> udp6       0      0 :::500                  :::*                                30147/charon-system
>> udp6       0      0 :::53                   :::*                                29951/dnsmasq  
>>
>>
>> *$ swanctl --stats*
>> ...
>> loaded plugins: charon-systemd charon-systemd aes openssl des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic *dhcp*
>>
>> *$ /etc/strongswan.d/charon/dhcp.conf *
>> dhcp {
>>     force_server_address = yes
>>     load = yes
>>     server = 10.0.15.255
>> }
>>
>> *$  /etc/swanctl/conf.d/policy.conf*
>> connections {
>>   clients {
>>      version = 2
>>      send_cert = always
>>      encap = yes
>>      unique = replace
>>      proposals = aes256-sha256-prfsha256-modp2048-modp1024
>>      pools = pool1
>>      local {
>>         id = vpnserver
>>         certs = vpnserver.crt
>>      }
>>      remote {
>>         auth = eap-mschapv2
>>         eap_id = %any
>>      }
>>      children {
>>         net {
>>            local_ts = 10.0.0.0/20
>>         }
>>      }
>>   }
>> }
>> pools {
>>    pool1 {
>>      addrs = 172.16.0.0/12
>>      subnet = 10.0.0.0/18
>>      dhcp = 10.0.5.202
>>    }
>> }
>>
>> The route I would expect to see on Windows 10 should simulate
>>
>> *route ADD 10.0.0.0 MASK 255.255.240.0 172.16.0.X*
>>
>>
>> *The connection log *
>>
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: IKE_SA rsa[1] established between 10.0.5.202[vpnserver1]...148.252.225.26[192.168.1.31]
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: scheduling rekeying in 13750s
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: maximum IKE_SA lifetime 15190s
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning new lease to 'christian.salway.naimuri.com <http://christian.salway.naimuri.com/>'
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning virtual IP 172.16.0.1 to peer 'christian.salway.naimuri.com <http://christian.salway.naimuri.com/>'
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any6
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: no virtual IP found for %any6 requested by 'christian.salway.naimuri.com <http://christian.salway.naimuri.com/>'
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: CHILD_SA net{1} established with SPIs cac7b9af_i 02fc4cb2_o and TS 10.0.0.0/18 === 172.16.0.1/32
>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DHCP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>>
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Split-routing-on-Windows-10-and-Windows-10-Mobile
>
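Two things in this thread are easy to check mechanically: whether a peer's IKE_AUTH actually asked for the INTERNAL_IP4_DHCP attribute (the `CPRQ(...)` list charon logs), and what the `dhcp-option=...,249,...` route list in the dnsmasq config turns into on the wire. The script below is an added example written for this page; it is not code from the thread, from strongSwan or from dnsmasq. It assumes the `(25)` form in the quoted macOS log is how charon prints an attribute type it has no name for, and that dnsmasq's option 121/249 value is the comma-separated `destination/prefix,router` pairing seen in the quoted config. The route encoding follows RFC 3442 (classless static routes), which Microsoft option 249 uses unchanged; the two sample log lines are constructed from the ones quoted above with the mail emphasis markers removed.

```python
"""Inspect charon CPRQ logging and encode/decode DHCP option 121/249 route lists.

Added example for the strongSwan users thread; not project code.
"""
import ipaddress
from typing import List, Tuple

# Constructed from the two log lines quoted in the thread: Windows 10 first,
# macOS second (the '*DHCP*' emphasis from the mail is removed).
SAMPLE_LOG = """\
May  3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May  3 16:53:07 ip-10-0-5-202 charon-systemd[30505]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
"""

# Constructed: the option 249 value from the quoted dnsmasq.conf line.
SAMPLE_DNSMASQ_VALUE = " 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0"


def cprq_attributes(line: str) -> List[str]:
    """Return the attribute names inside CPRQ( ... ) of one charon log line,
    or [] if the line carries no configuration request.  Parentheses are
    balanced so the '(25)' form (unnamed attribute type, assumption) is kept
    as the bare number '25'."""
    start = line.find("CPRQ(")
    if start < 0:
        return []
    i = start + len("CPRQ(")
    depth, j = 1, i
    while j < len(line) and depth:
        if line[j] == "(":
            depth += 1
        elif line[j] == ")":
            depth -= 1
        j += 1
    body = line[i:j - 1]
    return [tok.strip("()") for tok in body.split()]


def dhcp_requested(line: str) -> bool:
    """True when the peer asked for INTERNAL_IP4_DHCP (logged as 'DHCP')."""
    return "DHCP" in cprq_attributes(line)


def parse_dnsmasq_option(value: str) -> List[Tuple[str, str]]:
    """Split dnsmasq's 'dest/prefix,router,dest/prefix,router' option value
    (whitespace around commas tolerated) into (destination, router) pairs."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if len(parts) % 2:
        raise ValueError("destination without router")
    return list(zip(parts[0::2], parts[1::2]))


def encode_classless_routes(routes: List[Tuple[str, str]]) -> bytes:
    """RFC 3442 encoding: per route one byte prefix length, then only the
    significant octets of the destination, then the four router octets."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        width = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:width]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data: bytes) -> List[Tuple[str, str]]:
    """Inverse of encode_classless_routes; rejects bad prefix lengths and
    truncated entries instead of reading past the end of the option."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("bad prefix length %d" % plen)
        width = (plen + 7) // 8
        i += 1
        if i + width + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + width]) + b"\x00" * (4 - width)
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        router = ipaddress.IPv4Address(bytes(data[i + width:i + width + 4]))
        routes.append((str(net), str(router)))
        i += width + 4
    return routes


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("DHCP requested:", dhcp_requested(line), cprq_attributes(line))
    routes = parse_dnsmasq_option(SAMPLE_DNSMASQ_VALUE)
    wire = encode_classless_routes(routes)
    print("option 249 bytes:", wire.hex(), "->", decode_classless_routes(wire))
    # The route the thread's author expects Windows to get, 10.0.0.0/20 via
    # the assigned virtual IP, encoded the same way (172.16.0.1 from the log).
    print(encode_classless_routes([("10.0.0.0/20", "172.16.0.1")]).hex())
```

Running it shows the Windows line has no `DHCP` in its CPRQ while the macOS line does, which is exactly the difference quoted above, and that the two `/1` routes from the config become twelve bytes on the wire (each entry is one prefix byte, one significant destination octet and four router octets). Note that the `/1` pair covers the whole IPv4 space, so it does not produce the single `10.0.0.0 MASK 255.255.240.0` route the author expected; that route is what the last line of the script encodes.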