[strongSwan] Cannot assign IP address from DHCP
fratermajor at interia.pl
fratermajor at interia.pl
Thu Oct 16 19:08:15 CEST 2014
Hello
I have a strongSwan gateway on a computer with a dynamic public IP. This computer acts as a router with a DHCP and DNS server for my home LAN, 192.168.1.0/24. I want to configure strongSwan to obtain IP addresses for VPN clients from DHCP, so that the clients join my home LAN subnet. I configured strongSwan according to the manual, but clients cannot obtain a lease from the DHCP server. It seems that there is some kind of error in the packets sent to the DHCP server (dhcpd logs "bad udp checksums" for exactly the DISCOVERs that charon sends), or maybe the firewall somehow corrupts the packets with masquerading... I don't know. That's why I am asking for your help.
My configuration of ifaces:
eth0 - public IP
br0 - home LAN with eth2 Ethernet card and wlan0 WiFi
SYSLOG
[...] after successful authentication
Oct 16 17:37:49 109241082098 charon: 08[IKE] peer requested virtual IP %any
Oct 16 17:37:49 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
Oct 16 17:37:50 109241082098 charon: 05[MGR] ignoring request with ID 5, already processing
Oct 16 17:37:50 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
Oct 16 17:37:51 109241082098 charon: 02[MGR] ignoring request with ID 5, already processing
Oct 16 17:37:52 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
Oct 16 17:37:54 109241082098 charon: 04[MGR] ignoring request with ID 5, already processing
Oct 16 17:37:55 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
Oct 16 17:37:58 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
Oct 16 17:37:58 109241082098 dhcpd: 5 bad udp checksums in 5 packets
Oct 16 17:38:01 109241082098 charon: 15[MGR] ignoring request with ID 5, already processing
Oct 16 17:38:03 109241082098 charon: 08[CFG] DHCP DISCOVER timed out
========
DHCP LOG
Oct 16 17:37:58 109241082098 dhcpd: 5 bad udp checksums in 5 packets
======
IPSEC.CONF
# ipsec.conf for the gateway. (ipsec.conf requires the parameters of a conn
# section to be indented; the indentation appears to have been lost in the
# mail, so check the real file if charon complains about parsing.)
#
# Settings inherited by every conn below.
conn %default
# IKEv2 is needed for the EAP-MSCHAPv2 + virtual-IP flow used by conn win7.
keyexchange=ikev2
# NOTE(review): SHA-1 and the 1024-bit MODP group are weak by current
# standards, and the trailing "!" makes these the ONLY proposals accepted.
# A stronger suite (sha256 with modp2048 or an ECP group) is preferable, but
# the client must offer the same one or IKE_SA_INIT fails -- confirm what the
# Windows 7 client is configured to send before changing this.
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
# Dead-peer detection every 300 s; an unresponsive client's SA is torn down.
dpdaction=clear
dpddelay=300s
# The gateway does not initiate rekeying; the client is expected to.
rekey=no
conn win7
# Gateway (left) side: any local address, since the public IP is dynamic.
# Authenticated with the certificate in vpnCert.pem; leftid should correspond
# to an identity contained in that certificate (here the dynamic-DNS name).
left=%any
# Network the clients may reach through the tunnel -- the home LAN itself.
leftsubnet=192.168.1.0/24
leftauth=pubkey
leftcert=vpnCert.pem
leftid=@MY_DYNAMIC_DNS_PUBLIC_IFACE
# Both flags make the updown script insert iptables rules for each tunnel;
# lefthostaccess additionally allows the client to reach the gateway host.
lefthostaccess=yes
leftfirewall=yes
# Client (right) side: any address, authenticated by EAP-MSCHAPv2 only.
right=%any
# Virtual IP is leased from the local DHCP server by the dhcp plugin, so the
# client ends up inside 192.168.1.0/24. The plugin's own settings (server
# address, interface, identity_lease ...) are not in this file but in
# strongswan.d/charon/dhcp.conf.
rightsourceip=%dhcp
rightauth=eap-mschapv2
# The client has no certificate of its own and is never asked for one.
rightsendcert=never # see note
# Accept whatever identity the client presents during EAP.
eap_identity=%any
# Load the conn at startup and wait for the client to initiate.
auto=add
======
STRONGSWAN.CONF
# charon daemon settings. Plugin-specific options -- including the dhcp
# plugin that rightsourceip=%dhcp relies on -- are not here; they are pulled
# in from strongswan.d/charon/*.conf by the include below.
# NOTE(review): the log shows DISCOVERs going to 192.168.1.255, which
# suggests charon.plugins.dhcp.server is set to the subnet broadcast in
# dhcp.conf. dhcpd reporting "bad udp checksums" for exactly those 5 packets
# points at the frames the plugin builds on its raw socket (or at checksum
# offloading on br0) rather than at iptables; `tcpdump -vv -i br0 port 67`
# verifies UDP checksums and will show which side is wrong.
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
# DNS server handed to clients in the IKEv2 configuration payload.
# NOTE(review): with %dhcp the dhcp plugin may already pass on the
# domain-name-servers option from the lease, making this redundant -- verify.
dns1 = 192.168.1.1
}
======
FIREWALL SCRIPT
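#!/bin/sh
# Gateway firewall.  eth0 = public side (dynamic IP), br0 = home LAN
# (bridge of eth2 and wlan0).  Policy: drop everything arriving on eth0
# except IKE/ESP and the ISP's DHCP, trust loopback and the LAN, NAT the
# LAN out through eth0, and forward nothing new from eth0 into the LAN.
#
# About the VPN/DHCP problem: charon's dhcp plugin and dhcpd run on this
# host and exchange packets over br0, which "-i br0 -j ACCEPT" below admits
# unconditionally, so "bad udp checksums" in dhcpd's log is unlikely to be
# caused by these rules.  Check the packets themselves
# (tcpdump -vv -i br0 port 67 verifies UDP checksums).
#
# Changes from the previous version of this script:
#  * "--j" (a long-option abbreviation) replaced by the conventional "-j";
#  * the unconditional echo-request REJECT that preceded -- and made
#    unreachable -- the rate-limited ping rules is gone;
#  * the Xmas LOG rule now matches the same flags as its DROP rule;
#  * the INVALID rule that had no target (and therefore did nothing) is now
#    an explicit DROP, and the NULL-scan rule matches a real NULL scan;
#  * FORWARD defaults to DROP instead of ACCEPT (see the comment there).

# Start from a clean slate in the filter and nat tables.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default policies.  FORWARD used to be ACCEPT, which let anything the
# kernel would route pass between eth0 and br0 uninspected.  With
# leftfirewall=yes strongSwan's updown script inserts its own FORWARD
# ACCEPT rules per tunnel, so only the explicit rules below are needed for
# non-VPN traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ---- INPUT: trusted interfaces and replies to our own connections ----
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ---- INPUT: services exposed on the public side ----
# IKEv2 (UDP/500, NAT-T on UDP/4500) and ESP for the strongSwan gateway.
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
# DHCP replies from the ISP's server for eth0's own dynamic address.
iptables -A INPUT -i eth0 -p udp -s 10.233.0.1 --sport 67 --dport 68 -j ACCEPT

# ---- INPUT: log and drop classic TCP scan patterns on eth0 ----
# Each pattern uses identical matches for LOG and DROP so the log reflects
# what was actually dropped.
# ACK scan (nmap -sA): bare ACK on a connection conntrack does not know.
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j LOG --log-prefix "ACK scan: "
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
# FIN scan (nmap -sF): bare FIN.
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j LOG --log-prefix "FIN scan: "
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
# Xmas tree (nmap -sX): FIN+URG+PSH.
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j LOG --log-prefix "Xmas scan: "
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
# NULL scan (nmap -sN): no flags set at all.
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Null scan: "
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# Anything else conntrack cannot classify is dropped without logging.
iptables -A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP

# ---- INPUT: SYN rate limiting ----
# NOTE: this limit applies to ALL new TCP connections arriving on eth0
# together (1/s, burst 4), not per source.  Harmless while no TCP service is
# exposed on eth0, but it will throttle any service opened here later.
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j LOG --log-prefix "SYN-flood: "
iptables -A syn-flood -j DROP

# ---- INPUT: ICMP echo on eth0 ----
# Log and answer pings at roughly 1/s (two independent limit buckets), and
# reject the excess.  Replace these three lines with a single REJECT if
# the intent is to never answer pings from the internet.
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-prefix "Ping: "
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable

# Telnet is refused in both directions.
iptables -A OUTPUT -p tcp --dport telnet -j REJECT
iptables -A INPUT -i eth0 -p tcp --dport telnet -j REJECT

# ---- NAT and forwarding for the LAN ----
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# LAN -> internet, and the replies back; nothing new from eth0 into the LAN.
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o br0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Frames between the bridge ports (eth2 <-> wlan0) only traverse FORWARD
# when br_netfilter is active; allow them so FORWARD DROP cannot split
# the LAN in two.
iptables -A FORWARD -i br0 -o br0 -j ACCEPT

# ---- Everything else on INPUT: rate-limited log, then drop ----
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP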
========
DHCPD.CONF
# dhcpd.conf for the home LAN.  VPN clients get their virtual IP from this
# same server via strongSwan's dhcp plugin, so they receive LAN addresses.
#
# Log through syslog facility local7 (source of the "bad udp checksums" line).
log-facility local7;
# Dynamic DNS: every lease -- static ones included -- is registered in the
# "home." forward zone and the 1.168.192 reverse zone on the local BIND.
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
# Sole DHCP server on this LAN, so it may NAK leases it does not recognise.
authoritative;
# NOTE(review): this is BIND's rndc control key.  A key that can drive rndc
# should not double as the DDNS key held by dhcpd; a dedicated TSIG key with
# update rights on just these two zones is the least-privilege setup.
include "/etc/bind/rndc.key";
# Clients without a host declaration still get a lease; the VPN clients
# (identities from the dhcp plugin) have none, so this is required.
allow unknown-clients;
use-host-decl-names on;
# NOTE(review): this lets a client take responsibility for its own forward
# (A) record, i.e. claim a name in "home." of its choosing -- including VPN
# clients.  "ignore client-updates" keeps the server in control of names.
allow client-updates;
zone home. {
primary 192.168.1.1;
key rndc-key;
}
zone 1.168.192.in-addr.arpa. {
primary 192.168.1.1;
key rndc-key;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
# Whole subnet except .1, which is pinned to the gateway below.
range 192.168.1.2 192.168.1.254;
option subnet-mask 255.255.255.0;
# Router and DNS server given as a hostname; dhcpd resolves it when it
# starts, so lan.home must be resolvable at that moment (an IP literal is
# more robust).
option routers lan.home;
option broadcast-address 192.168.1.255;
option domain-name-servers lan.home;
option domain-name "home";
ddns-domainname "home.";
ddns-rev-domainname "in-addr.arpa.";
}
# The gateway itself (presumably br0's MAC) is fixed at 192.168.1.1.
host lan.home {
fixed-address 192.168.1.1;
hardware ethernet 00:25:d3:f6:03:85;
}