[strongSwan] dhcp plugin: mac address unpredictable?

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 19 17:31:52 CET 2014

Hi Harri,

the MAC address does not change if the new certificate
has the same subjectDistinguishedName or subjectAlternativeName
chosen as the IKEv2 ID.

As an alternative you could explicitly register the client IKEv2 ID
as a dhcp-client-identifier attribute with your DHCP server
as in the following example scenario:


Best regards


On 03/19/2014 01:53 PM, Harald Dunkel wrote:
> Hi folks,
> I have to restrict the IP address pool of my DHCP server to
> known MAC addresses only. In this context I have 2 questions
> about the dhcp plugin (using identity_lease = yes):
> Wiki says the MAC address is derived from the "IKEv2 identity".
> Does this mean the MAC address changes if I renew the client's
> certificate?
> It is pretty difficult to find the right MAC address in the log
> file of the DHCP server, and charon doesn't tell, either. (Maybe
> I am too blind to see?) Would it be possible to hardwire the MAC
> address in the certificate?
> Every helpful response is highly appreciated.
> Harri

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
