[strongSwan] road-warrior sends local DHCP requests through tunnel?

Tobias Brunner tobias at strongswan.org
Wed Jul 3 18:57:05 CEST 2013

Hi Daniel,

> I've configured a road warrior to use the rightsubnet= so that
> all web activity should go via the tunnel
> The road warrior is on a private LAN with a router/DHCP server.  It
> should be sending the DHCP renewal requests to the local router but I
> notice it sends them through the tunnel instead.
> Can anybody comment on this?  Is it a gateway fault or an issue with the
> road warrior?  Both systems are using StrongSwan on Debian

It's an issue on the client.  Its IPsec policy demands that all traffic
is sent through the tunnel, which includes unicast DHCP renewal
requests.  If you don't want to tunnel local traffic then install a
passthrough policy for your LAN.

Something like this:

	conn pass
		rightsubnet= (or whatever your subnet is)
		leftsubnet= (or your hosts address /32)

Since your road-warrior probably requests a virtual IP address you'll
need at least 5.0.3.  That's because the source route (with destination that is installed with the IPsec tunnel will otherwise force
the VIP as source address, rendering the passthrough policy useless as
packets generated on your client won't match anymore, even if destined
for your local subnet.  With 5.0.3 and newer a route is installed for
the passthrough policy, which overrides the VIP route.


More information about the Users mailing list