<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">@Thor - OK. So in your professional capacity, would you say there is no way strongSwan can fix the Windows 10 issue of not adding a route when it connects?</div><div class=""><br class=""></div><div class=""><a href="http://www.naimuri.com" class="">
</a></div><div><br class=""><blockquote type="cite" class=""><div class="">On 3 May 2018, at 21:31, Thor Simon <<a href="mailto:Thor.Simon@twosigma.com" class="">Thor.Simon@twosigma.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">If you would like to supply addresses to your clients via IKE Mode Config, the DHCP plugin is one means by which StrongSwan can obtain those addresses.<br class=""><br class="">-----Original Message-----<br class="">From: Users <<a href="mailto:users-bounces@lists.strongswan.org" class="">users-bounces@lists.strongswan.org</a>> On Behalf Of Christian Salway<br class="">Sent: Thursday, May 3, 2018 4:27 PM<br class="">To: Noel Kuntze <<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" class="">noel.kuntze+strongswan-users-ml@thermi.consulting</a>><br class="">Cc: <a href="mailto:users@lists.strongswan.org" class="">users@lists.strongswan.org</a><br class="">Subject: Re: [strongSwan] DHCP!<br class=""><br class="">So what is the purpose of the dhcp plugin then?<br class=""><br class=""><br class=""><blockquote type="cite" class="">On 3 May 2018, at 18:52, Noel Kuntze <<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" class="">noel.kuntze+strongswan-users-ml@thermi.consulting</a>> wrote:<br class=""><br class="">The dhcp plugin or generally strongSwan has nothing to do with that.<br class="">Windows itself is supposed to make a DHCP request over the established tunnel. 
Check what it sends with Wireshark or tcpdump.<br class="">Use the information from the CorrectTrafficDump[1] page.<br class=""><br class=""><br class="">[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump" class="">https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump</a><br class=""><br class="">On 03.05.2018 18:58, Christian Salway wrote:<br class=""><blockquote type="cite" class="">I have noticed that Windows 10 is not asking for DHCP though<br class=""><br class="">May  3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]<br class=""><br class=""><br class="">Whereas OSX is<br class=""><br class="">May  3 16:53:07 ip-10-0-5-202 charon-systemd[30505]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR *DHCP* DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]<br class=""><br class=""><br class=""><br class=""><blockquote type="cite" class="">On 3 May 2018, at 17:34, Christian Salway 
&lt;<a href="mailto:christian.salway@naimuri.com" class="">christian.salway@naimuri.com</a>&gt; wrote:<br class=""><br class="">Hi,<br class=""><br class="">I've been trying to fix the (lack of) routing passed on to Windows 10 by trying the DHCP answer found at *Split-routing-on-Windows-10-and-Windows-10-Mobile* [1] but I can't get the DHCP to work. strongSwan doesn't make any requests to it.<br class=""><br class="">I have installed and configured dnsmasq with just the options in the support guide and dnsmasq is listening on tcp port 53 (DNS) and 67 (DHCP).<br class=""><br class="">I have rebuilt strongswan with dhcp support.<br class=""><br class=""><br class="">*$ /etc/dnsmasq.conf*<br class="">dhcp-vendorclass=set:msipsec,MSFT 5.0<br class="">dhcp-range=tag:msipsec,192.168.103.0,static<br class="">dhcp-option=tag:msipsec,6<br class="">dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0<br class=""><br class="">*$ netstat -tunlp*<br class="">Active Internet connections (only servers)<br class="">Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name<br class="">*tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      29951/dnsmasq   *<br class="">tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1143/sshd       <br class="">tcp6       0      0 :::53                   :::*                    LISTEN      29951/dnsmasq   <br class="">tcp6       0      0 :::22                   :::*                    LISTEN      1143/sshd       <br class="">udp        0      0 0.0.0.0:4500            0.0.0.0:*                           30147/charon-system<br class="">udp        0      0 0.0.0.0:500             0.0.0.0:*                           30147/charon-system<br class="">udp        0      0 0.0.0.0:53              0.0.0.0:*                           29951/dnsmasq   <br class="">*udp        0      0 0.0.0.0:67              0.0.0.0:*                           29951/dnsmasq   *<br class="">udp   
     0      0 0.0.0.0:68              0.0.0.0:*                           30147/charon-system<br class="">udp        0      0 0.0.0.0:68              0.0.0.0:*                           1005/dhclient   <br class="">udp6       0      0 :::4500                 :::*                                30147/charon-system<br class="">udp6       0      0 :::500                  :::*                                30147/charon-system<br class="">udp6       0      0 :::53                   :::*                                29951/dnsmasq  <br class=""><br class=""><br class="">*$ swanctl --stats*<br class="">...<br class="">loaded plugins: charon-systemd charon-systemd aes openssl des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic *dhcp*<br class=""><br class="">*$ /etc/strongswan.d/charon/dhcp.conf*<br class="">dhcp {<br class="">    force_server_address = yes<br class="">    load = yes<br class="">    server = 10.0.15.255<br class="">}<br class=""><br class="">*$ /etc/swanctl/conf.d/policy.conf*<br class="">connections {<br class="">  clients {<br class="">     version = 2<br class="">     send_cert = always<br class="">     encap = yes<br class="">     unique = replace<br class="">     proposals = aes256-sha256-prfsha256-modp2048-modp1024<br class="">     pools = pool1<br class="">     local {<br class="">        id = vpnserver<br class="">        certs = vpnserver.crt<br class="">     }<br class="">     remote {<br class="">        auth = eap-mschapv2<br class="">        eap_id = %any<br class="">     }<br class="">     children {<br class="">        net {<br class="">           local_ts = 10.0.0.0/20<br class="">        }<br class="">     }<br class="">  }<br class="">}<br class="">pools {<br class="">   pool1 {<br class="">     addrs = 172.16.0.0/12<br class="">     subnet = 10.0.0.0/18<br class="">     dhcp = 10.0.5.202<br class="">   }<br class="">}<br class=""><br class="">The route I would expect to see on Windows 10 should simulate<br class=""><br class="">*route ADD 10.0.0.0 MASK 255.255.240.0 172.16.0.X*<br class=""><br class=""><br class="">*The connection log*<br class=""><br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: IKE_SA rsa[1] established between 10.0.5.202[vpnserver1]...148.252.225.26[192.168.1.31]<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: scheduling rekeying in 13750s<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: maximum IKE_SA lifetime 15190s<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning new lease to 'christian.salway.naimuri.com'<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning virtual IP 172.16.0.1 to peer 'christian.salway.naimuri.com'<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any6<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: no virtual IP found for %any6 requested by 'christian.salway.naimuri.com'<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: CHILD_SA net{1} established with SPIs cac7b9af_i 02fc4cb2_o and TS 10.0.0.0/18 === 172.16.0.1/32<br class="">May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DHCP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]<br class=""><br class=""><br class="">[1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Split-routing-on-Windows-10-and-Windows-10-Mobile<br class=""></blockquote><br class=""></blockquote></blockquote><br class=""><br class=""></div></div></blockquote></div><br class=""></body></html>