[strongSwan-dev] 5.6.3 regression: dhcp integration appears to be broken
Harald Dunkel
harald.dunkel at aixigo.de
Tue Jun 5 15:25:37 CEST 2018
Hi folks,
since 5.6.3 the dhcp integration seems to be broken. The logfile shows
:
Jun 5 14:44:04 28[IKE] <IPSec-IKEv2|1> peer requested virtual IP %any
Jun 5 14:44:04 28[IKE] <IPSec-IKEv2|1> no virtual IP found for %any requested by 'ppcm018.ws.example.com'
:
For 5.6.2 I had
:
Jun 5 14:37:45 25[IKE] <IPSec-IKEv2|1> peer requested virtual IP %any
Jun 5 14:37:45 25[CFG] <IPSec-IKEv2|1> sending DHCP DISCOVER to 172.19.122.9
Jun 5 14:37:46 25[CFG] <IPSec-IKEv2|1> sending DHCP DISCOVER to 172.19.122.9
Jun 5 14:37:48 25[CFG] <IPSec-IKEv2|1> sending DHCP DISCOVER to 172.19.122.9
Jun 5 14:37:48 30[CFG] received DHCP OFFER 172.19.122.26 from 127.0.0.1
:
Please note that 5.6.3 didn't even try to send dhcp discover messages.
After moving back to version 5.6.2 the problem is gone again.
/etc/strongswan.d/charon/dhcp.conf:

dhcp {
    force_server_address = yes
    identity_lease = yes
    load = yes
    server = 172.19.122.9
}

Adding "interface = eth1" did not help.
ipsec.conf is attached. Every helpful comment is highly appreciated.
Harri
-------------- next part --------------
config setup
        # check https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

conn %default
        left = hippogate.example.com
        fragmentation = yes
        leftsubnet = 172.19.96.0/19
        leftfirewall = no
        ikelifetime = 1d
        lifetime = 8h
        rekey = yes
        dpdaction = none        # default: no dead peer detection
        dpddelay = 30s          # default: 30s
        dpdtimeout = 150s       # default: 150s, used for IKEv1 only

conn roadwarrior
        leftcert = hippogate.example.com.cert.pem
        leftsendcert = always
        dpdaction = clear
        dpddelay = 90s
        dpdtimeout = 300s

conn IPSec-IKEv2
        keyexchange = ikev2
        also = roadwarrior
        ike = aes256-sha256-modp2048,aes256-sha256-modp1536!
        esp = aes256-sha256-modp2048,aes256-sha256-modp1536!
        right = %any
        rightca = "C=DE, ST=NRW, O=example AG, OU=IT, CN=my-ca"
        rightauth = pubkey
        rightsendcert = ifasked
        rightsourceip = %dhcp
        auto = add

include /var/lib/strongswan/ipsec.conf.inc
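
Added example, not part of the original post and not strongSwan code: a log check that separates virtual-IP requests that failed without a single DHCP DISCOVER (the symptom reported above) from those where DHCP was attempted. The message prefixes come from the quoted log excerpts; the function name, the outcome labels and the rule for crediting untagged OFFER lines are assumptions.

```python
import re

# Line layout as in the charon excerpts quoted in the post:
#   "Jun 5 14:44:04 28[IKE] <IPSec-IKEv2|1> peer requested virtual IP %any"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\d+\[[A-Z]+\]\s+"
    r"(?:<(?P<sa>[^>]+)>\s+)?(?P<msg>.*)$"
)

def classify_vip_requests(lines):
    """Return one record per virtual-IP request with its DHCP outcome."""
    pending = {}   # IKE_SA tag -> request that has no outcome yet
    done = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skips the ":" elision markers and foreign lines
        sa, msg = m.group("sa"), m.group("msg")
        if msg.startswith("peer requested virtual IP"):
            if sa in pending:            # earlier request is closed out
                done.append(pending.pop(sa))
            pending[sa] = {"sa": sa, "ts": m.group("ts"),
                           "discovers": 0, "outcome": "unresolved"}
        elif msg.startswith("sending DHCP DISCOVER") and sa in pending:
            pending[sa]["discovers"] += 1
        elif msg.startswith("no virtual IP found") and sa in pending:
            rec = pending.pop(sa)
            # Zero DISCOVERs before the failure is the reported symptom.
            rec["outcome"] = ("no_dhcp_attempt" if rec["discovers"] == 0
                              else "dhcp_failed")
            done.append(rec)
        elif msg.startswith("received DHCP OFFER"):
            # OFFER lines carry no IKE_SA tag in the excerpt; assumption:
            # credit every open request that already sent a DISCOVER.
            for rec in pending.values():
                if rec["discovers"]:
                    rec["outcome"] = "dhcp_offer_seen"
    return done + list(pending.values())

# Constructed sample: the two excerpts from the post, oldest first.
SAMPLE = """\
Jun 5 14:37:45 25[IKE] <IPSec-IKEv2|1> peer requested virtual IP %any
Jun 5 14:37:45 25[CFG] <IPSec-IKEv2|1> sending DHCP DISCOVER to 172.19.122.9
Jun 5 14:37:46 25[CFG] <IPSec-IKEv2|1> sending DHCP DISCOVER to 172.19.122.9
Jun 5 14:37:48 25[CFG] <IPSec-IKEv2|1> sending DHCP DISCOVER to 172.19.122.9
Jun 5 14:37:48 30[CFG] received DHCP OFFER 172.19.122.26 from 127.0.0.1
Jun 5 14:44:04 28[IKE] <IPSec-IKEv2|1> peer requested virtual IP %any
Jun 5 14:44:04 28[IKE] <IPSec-IKEv2|1> no virtual IP found for %any requested by 'ppcm018.ws.example.com'
""".splitlines()
```

Records with outcome `no_dhcp_attempt` are the ones worth alerting on after an upgrade, since clients in that state never get a tunnel address.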