[strongSwan] DHCP over IPsec

Andreas Steffen andreas.steffen at strongswan.org
Mon May 23 21:09:32 CEST 2011

Hi Mark,

strongSwan as a client does not support DHCP-over-IPsec as defined
by RFC 3456, although we introduced the left|rightprotoport
configuration option about 10 years ago to allow the setup of
short-lived DHCP SAs for  restricted to the bootps port on
a strongSwan gateway, successfully interoperating with the SSH
Sentinel client which at that time implemented RFC 3456. Later
on everyone abandoned DHCP-over-IPsec in favour of the IKEv2
configuration payload.

If you prefer a DHCP server to assign a virtual IP address to
your strongSwan client, we recommend to switch to IKEv2 and activate
the dhcp and farp plugins on a strongSwan gateway which will then act
as a DHCP proxy server. Have a look at the following example scenarios:




Best regards


On 05/23/2011 08:05 PM, Mark.Marwil at gdc4s.com wrote:
> All,
> I would like to find out if the strongswan client on a roadwarrior
> supports obtaining a virtual ip address through dhcp over ipsec as
> defined by RFC 3456. 
> I would like to set up the configuration described at
> http://www.strongswan.org/uml/testresults/ikev1/mode-config/index.html
> But instead of carol using %modeconfig to get a leftsourceip, she gets
> it through dhcp.  Is this possible though a custom _updown script?
> Thank you,
> Mark Marwil

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list