<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=DE link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Everything from DHCP results in a henn-egg problem in IKEv2 (IP level VPN) I would assume because in case no client IP is assigned, no IPsec-SA can be established</span><span lang=EN-US>.<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>Von: </b><a href="mailto:christian@solvare.se">Christian Huldt</a><br><b>Gesendet: </b>Dienstag, 7. Juni 2016 08:54<br><b>An: </b><a href="mailto:pb@bieringer.de">Peter Bieringer</a>; <a href="mailto:ms@sys4.de">ms@sys4.de</a>; <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br><b>Betreff: </b>Re: [strongSwan] Support of forwarding of client DHCP requests instrongswan?</p></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><p class=MsoNormal>Wouldn't be simpler to just get everything from DHCP, rather than</p><p class=MsoNormal>getting the IP address from one place and everything else from another?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Den 2016-06-06 kl. 07:41, skrev Peter Bieringer:</p><p class=MsoNormal>> Hi Michael,</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> IPv4 address is already passed to WP10 by strongswan and accepted</p><p class=MsoNormal>> withouth external DHCP.</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> The problem is that WP10 (and I would assume also other Windows System)</p><p class=MsoNormal>> is starting afterwards on the new link "DCHP Inform" to get additional</p><p class=MsoNormal>> information, and this can't be served by strongswan so far as I can see</p><p class=MsoNormal>> and therefore need to be catched and forwarded to a sophisticated DHCP</p><p class=MsoNormal>> server.</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> And in my scenario (Split Tunneling = false) I want to feed new routes</p><p class=MsoNormal>> into WP10 via DCHP response to "Classless-Static-Route-Microsoft".</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> Regards,</p><p class=MsoNormal>> Peter</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> Am 05.06.2016 um 21:56 schrieb Michael Schwartzkopff:</p><p class=MsoNormal>>> Am Sonntag, 5. Juni 2016, 19:41:30 schrieb Peter Bieringer:</p><p class=MsoNormal>>>> Hi,</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> after some hours of playing around and digging through Google I need now</p><p class=MsoNormal>>>> support...</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> Initial problem: Windows Phone 10 VPN client where "Split Tunneling =</p><p class=MsoNormal>>>> false" can't be set (unlike Windows 10 where Powershell command will help)</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> Probable solution: distribute routes to WP 10 via DHCP reply by</p><p class=MsoNormal>>>> responding with proper routes to the received DHCP inform message:</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> Received on ipsec0 interface (tcpdump):</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> 172.16.1.1.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request,</p><p class=MsoNormal>>>> length 300, htype 8, hlen 0, xid 0x5b8e69a6, secs 1536, Flags [none]</p><p class=MsoNormal>>>> Client-IP 172.16.1.1</p><p class=MsoNormal>>>> Vendor-rfc1048 Extensions</p><p class=MsoNormal>>>> Magic Cookie 0x63825363</p><p class=MsoNormal>>>> DHCP-Message Option 53, length 1: Inform</p><p class=MsoNormal>>>> Client-ID Option 61, length 17: "***"</p><p class=MsoNormal>>>> Hostname Option 12, length 13: "Windows-Phone"</p><p class=MsoNormal>>>> Vendor-Class Option 60, length 8: "MSFT 5.0"</p><p class=MsoNormal>>>> Parameter-Request Option 55, length 6:</p><p class=MsoNormal>>>> Domain-Name-Server, Netbios-Name-Server, Vendor-Option, Subnet-Mask</p><p class=MsoNormal>>>> Classless-Static-Route-Microsoft, Domain-Name</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> But I get now stucked, I haven't found any solution so far to feed this</p><p class=MsoNormal>>>> DHCP message received via ipsec0 to a DHCP server (tried ISC and dnsmasq</p><p class=MsoNormal>>>> listening on a tap interface with iptables NAT PREROUTING hints).</p><p class=MsoNormal>>>> dhcrelay also won't work, interface ipsec0 is not liked by any dhcp</p><p class=MsoNormal>>>> server...</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> Has anyone a working example for strongswan how to feed DHCP client</p><p class=MsoNormal>>>> messages received after IPsec is established to a DCHP server and</p><p class=MsoNormal>>>> respond proper with additional information?</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> e.g. something like a broadcast forwarding/snooper based on layer 2.</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>> BTW: IPsec setup is IKEv2, system is running on Virtuozzo, so briding of</p><p class=MsoNormal>>>> interfaces is not an option, only tun/tap interfaces are available.</p><p class=MsoNormal>>> As far as I understand, IKE2 should be possible to hand out it own IP </p><p class=MsoNormal>>> adresses. </p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> See:</p><p class=MsoNormal>>> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp</p><p class=MsoNormal>>> https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> Is this an otion in your setup? Or do the IP addresses really have to be </p><p class=MsoNormal>>> passed on to the central DHCP server?</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> Mit freundlichen Grüßen,</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> Michael Schwartzkopff</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> _______________________________________________</p><p class=MsoNormal>>> Users mailing list</p><p class=MsoNormal>>> Users@lists.strongswan.org</p><p class=MsoNormal>>> https://lists.strongswan.org/mailman/listinfo/users</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-- </p><p class=MsoNormal>Christian Huldt</p><p class=MsoNormal>+46704612207</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>