[strongSwan] road-warrior sends local DHCP requests through tunnel?
daniel at pocock.com.au
Thu Jul 4 13:50:03 CEST 2013
On 03/07/13 18:57, Tobias Brunner wrote:
> Hi Daniel,
>> I've configured a road warrior to use the rightsubnet=0.0.0.0/0 so that
>> all web activity should go via the tunnel
>> The road warrior is on a private LAN with a router/DHCP server. It
>> should be sending the DHCP renewal requests to the local router but I
>> notice it sends them through the tunnel instead.
>> Can anybody comment on this? Is it a gateway fault or an issue with the
>> road warrior? Both systems are using StrongSwan on Debian
> It's an issue on the client. Its IPsec policy demands that all traffic
> is sent through the tunnel, which includes unicast DHCP renewal
> requests. If you don't want to tunnel local traffic then install a
> passthrough policy for your LAN.
> Something like this:
>
>     conn pass
>         type=passthrough
>         rightsubnet=192.168.0.0/24   # or whatever your subnet is
>         leftsubnet=192.168.0.0/24    # or your host's address /32
>         auto=route
>
> Since your road-warrior probably requests a virtual IP address you'll
> need at least 5.0.3. That's because the source route (with destination
> 0.0.0.0/0) that is installed with the IPsec tunnel will otherwise force
> the VIP as source address, rendering the passthrough policy useless as
> packets generated on your client won't match anymore, even if destined
> for your local subnet. With 5.0.3 and newer a route is installed for
> the passthrough policy, which overrides the VIP route.
The typical use case is road warrior and the strongSwan Android client.
Does the Android client support this passthrough mode?
I can imagine it would be awkward for road warrior users who operate on
different subnets at different times, as it may not be practical to
pre-configure passthrough connections for all of them.
Is it possible to dynamically set up passthrough without hardcoding any
addresses? If I understand correctly, policy based routing can interact
with netfilter to very selectively choose packets (such as DHCP renewal)
for a passthrough route to the local subnet and it is just a matter of
integrating that with strongSwan.
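As an added illustration of the "no hardcoded addresses" idea raised above (example code, not from this thread, the strongSwan project or the Android client): a POSIX shell script that reads the client's current `ip -4 route` table, finds the connected subnet and host address on the interface carrying the default route (which is where unicast DHCP renewals are sent), and renders the passthrough conn Tobias describes for that network. It assumes Linux iproute2 route formatting, strongSwan 5.0.3 or newer (so the passthrough route overrides the virtual-IP route), and that the operator wires it into whatever network-change hook they use; the `SAMPLE_ROUTES` text and the output file path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): derive the road warrior's current LAN
# subnet and host address from `ip -4 route` output, then render a strongSwan
# ipsec.conf passthrough conn for it, so nothing is hardcoded per network.
# Assumes Linux iproute2 route formatting and strongSwan >= 5.0.3 (which
# installs a route for passthrough policies that overrides the VIP route).

# Constructed sample of `ip -4 route` output on a client with a default
# route via the LAN router; the tun0 line shows why we filter by interface.
SAMPLE_ROUTES='default via 192.168.0.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 dev tun0 proto kernel scope link src 10.10.0.7
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.5'

# lan_info_from_routes <route-text>
# Prints "<lan-subnet> <host-address>" for the interface that carries the
# default route (the one the DHCP server is reached through). Returns 1 if
# no default route or no connected subnet on that interface is found.
lan_info_from_routes() {
    routes=$1
    dev=$(printf '%s\n' "$routes" | awk '
        $1 == "default" {
            for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit }
        }')
    [ -n "$dev" ] || return 1
    info=$(printf '%s\n' "$routes" | awk -v d="$dev" '
        $1 ~ /\// && $0 ~ /scope link/ {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == d) {
                src = ""
                for (j = 1; j < NF; j++) if ($j == "src") src = $(j+1)
                print $1, src; exit
            }
        }')
    [ -n "$info" ] || return 1
    printf '%s\n' "$info"
}

# passthrough_conn <lan-subnet> <host-address>
# Renders the conn Tobias describes: traffic between this host and its LAN
# bypasses the 0.0.0.0/0 tunnel policy. auto=route installs the policy at
# startup without negotiating anything (a passthrough has no peer).
passthrough_conn() {
    subnet=$1
    host=$2
    cat <<EOF
conn lan-passthrough
    type=passthrough
    leftsubnet=${host}/32
    rightsubnet=${subnet}
    auto=route
EOF
}

# render_for_routes <route-text>: end-to-end helper, returns 1 if no LAN found.
render_for_routes() {
    info=$(lan_info_from_routes "$1") || return 1
    set -- $info
    passthrough_conn "$1" "$2"
}

# Live use (hypothetical path; your ipsec.conf must include it, then `ipsec reload`):
#   render_for_routes "$(ip -4 route)" > /etc/ipsec.d/lan-passthrough.conf
# Here the constructed sample is rendered instead.
render_for_routes "$SAMPLE_ROUTES"
```

Two things to keep in mind when using this pattern: the generated conn must be regenerated and reloaded whenever the client moves to a different network, and because it only exempts traffic to the detected LAN subnet, a DHCP client that gives up on unicast renewal and rebinds by broadcast to 255.255.255.255 would still match the 0.0.0.0/0 policy unless that address is covered by its own passthrough.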