[strongSwan] road-warrior sends local DHCP requests through tunnel?

Daniel Pocock daniel at pocock.com.au
Thu Jul 4 13:50:03 CEST 2013 

On 03/07/13 18:57, Tobias Brunner wrote:
> Hi Daniel,
>
>> I've configured a road warrior to use the rightsubnet=0.0.0.0/0 so that
>> all web activity should go via the tunnel
>>
>> The road warrior is on a private LAN with a router/DHCP server.  It
>> should be sending the DHCP renewal requests to the local router but I
>> notice it sends them through the tunnel instead.
>>
>> Can anybody comment on this?  Is it a gateway fault or an issue with the
>> road warrior?  Both systems are using StrongSwan on Debian
> It's an issue on the client.  Its IPsec policy demands that all traffic
> is sent through the tunnel, which includes unicast DHCP renewal
> requests.  If you don't want to tunnel local traffic then install a
> passthrough policy for your LAN.
>
> Something like this:
>
> 	conn pass
> 		rightsubnet=192.168.0.0/24 (or whatever your subnet is)
> 		leftsubnet=192.168.0.0/24 (or your hosts address /32)
> 		type=passthrough
> 		auto=route
>
> Since your road-warrior probably requests a virtual IP address you'll
> need at least 5.0.3.  That's because the source route (with destination
> 0.0.0.0/0) that is installed with the IPsec tunnel will otherwise force
> the VIP as source address, rendering the passthrough policy useless as
> packets generated on your client won't match anymore, even if destined
> for your local subnet.  With 5.0.3 and newer a route is installed for
> the passthrough policy, which overrides the VIP route.
The typical use case is road warrior and the strongSwan Android client.
Does the Android client support this passthrough mode?

I can imagine it would be awkward for road warrior users who operate on
different subnets at different times, as it may not be practical to
pre-configure passthrough connections for all of them.

Is it possible to dynamically set up passthrough without hardcoding any
addresses?  If I understand correctly, policy based routing can interact
with netfilter to very selectively choose packets (such as DHCP renewal)
for a passthrough route to the local subnet and it is just a matter of
integrating that with strongSwan.

More information about the Users mailing list