[strongSwan] question of returning unrequested DNS and DHCP server addresses in strongswan-5.0.0?

Martin Willi martin at strongswan.org
Wed Aug 22 09:08:06 CEST 2012


Hi Zhiheng,

> Since the configuration is done to the strongswan.conf, I am wondering
> if other clients, for example, Bob, will also receive these addresses.
> I guess this is the case, but what if Bob is not interested in
> receiving DNS and DHCP addresses and has not requested them in its
> IKEv2 messages, would this be considered an error of the server in
> which case the server is telling unwanted information to the client?

Attributes defined in strongswan.conf are global; these are assigned to
all clients requesting a virtual IP. Even if the client does not send
requests for these attributes, strongSwan sends them. This is valid in
IKEv2, as a responder may send attributes not requested by the
initiator.

For DNS servers, we have an extension in the pipeline for 5.0.1 which
allows you to define DNS servers on a connection basis. You may try the
last six patches from [1]. For DHCP, there won't be such an option,
though.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/dns-attr
