[strongSwan] Cannot assign IP address from DHCP

Noel Kuntze noel at familie-kuntze.de
Fri Oct 17 23:38:54 CEST 2014


Hello,

I see a couple of issues with how you set it all up:

1) You're using a script to configure the firewall. That's bad. Use iptables-save and iptables-restore instead.
     It's not only faster, but also validates the whole input before loading it into the kernel.
2) If you run the DHCP server on 192.168.1.1, why don't you use 192.168.1.1 as the server address in dhcp.conf?
3) You need to exempt outgoing IPsec traffic from NAT.
    NAT is applied before encapsulation, so your outgoing packet that is supposed to go into the tunnel doesn't match
    the policies and doesn't go into the tunnel, but out over the default route in plain text. You can do that using the "policy"
    match module in iptables. Add this to the filter part of your NAT rule: "-m policy --pol none --dir out"

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 16.10.2014 at 19:08, fratermajor at interia.pl wrote:
> Hello
>
> I have a strongSwan gateway on a computer with a dynamic public IP. This computer acts as a router with DHCP and DNS server for my home LAN 192.168.1.0. I want to configure strongSwan to get IP addresses for clients from DHCP so that they can join my home LAN subnet. I configured strongSwan according to the manual, however clients cannot obtain a lease from the DHCP server. It seems that there is some kind of error in the packets sent to DHCP, or maybe the firewall somehow "crushes" packets with masquerade.... I don't know. That's why I ask for your help.
>
> My configuration of ifaces:
> eth0 - public IP
> br0 - home LAN with eth2 Ethernet card and wlan0 WiFi
>
> SYSLOG
>
> [...] after successful authentication
> Oct 16 17:37:49 109241082098 charon: 08[IKE] peer requested virtual IP %any
> Oct 16 17:37:49 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
> Oct 16 17:37:50 109241082098 charon: 05[MGR] ignoring request with ID 5, already processing
> Oct 16 17:37:50 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
> Oct 16 17:37:51 109241082098 charon: 02[MGR] ignoring request with ID 5, already processing
> Oct 16 17:37:52 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
> Oct 16 17:37:54 109241082098 charon: 04[MGR] ignoring request with ID 5, already processing
> Oct 16 17:37:55 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
> Oct 16 17:37:58 109241082098 charon: 08[CFG] sending DHCP DISCOVER to 192.168.1.255
> Oct 16 17:37:58 109241082098 dhcpd: 5 bad udp checksums in 5 packets
> Oct 16 17:38:01 109241082098 charon: 15[MGR] ignoring request with ID 5, already processing
> Oct 16 17:38:03 109241082098 charon: 08[CFG] DHCP DISCOVER timed out
>
> ========
>
> DHCP LOG
>
> Oct 16 17:37:58 109241082098 dhcpd: 5 bad udp checksums in 5 packets
>
> ======
>
> IPSEC.CONF
>
> conn %default
>     keyexchange=ikev2
>     ike=aes256-sha1-modp1024!
>     esp=aes256-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>
> conn win7
>     left=%any
>     leftsubnet=192.168.1.0/24
>     leftauth=pubkey
>     leftcert=vpnCert.pem
>     leftid=@MY_DYNAMIC_DNS_PUBLIC_IFACE
>     lefthostaccess=yes
>     leftfirewall=yes
>     right=%any
>     rightsourceip=%dhcp
>     rightauth=eap-mschapv2
>     rightsendcert=never   # see note
>     eap_identity=%any
>     auto=add
>
> ======
>
> STRONGSWAN.CONF
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>
>         }
>         dns1 = 192.168.1.1
> }
>
> ======
>
> FIREWALL SCRIPT
>
> iptables -F
> iptables -X
> iptables -F -t nat
> iptables -X -t nat
> iptables -F -t filter
> iptables -X -t filter
>
> iptables -P INPUT DROP
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i br0 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
>
> iptables -A INPUT -i eth0 -p udp --dport 500 --j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 4500 --j ACCEPT
> iptables -A INPUT -i eth0 -p esp --j ACCEPT
>
> iptables -A INPUT -i eth0 -p udp -s 10.233.0.1 --sport 67 --dport 68 --j ACCEPT               # My ISP DHCP
>
> iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j LOG --log-prefix "ACK scan: "
> iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP # ACK method (nmap -sA)
>
> iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j LOG --log-prefix "FIN scan: "
> iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP # FIN scan (nmap -sF)
>
> iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j LOG --log-prefix "Xmas scan: "
> iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP # Xmas Tree method (nmap -sX)
>
> iptables -A INPUT -i eth0 -m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG -j LOG --log-prefix "Null scan: "
>
> iptables -A INPUT -i eth0 -m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,ACK,FIN,PSH,URG SYN,RST
> iptables -N syn-flood
> iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
> iptables -A syn-flood -i eth0 -m limit --limit 1/s --limit-burst 4 -j RETURN
> iptables -A syn-flood -i eth0 -m limit --limit 1/s --limit-burst 4 -j LOG --log-prefix "SYN-flood: "
> iptables -A syn-flood -i eth0 -j DROP
>
> iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-prefix "Ping: "
> iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT # Ping of death
>
> iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
>
> iptables -A OUTPUT -p tcp --dport telnet -j REJECT
> iptables -A INPUT -i eth0 -p tcp --dport telnet -j REJECT
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A FORWARD -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
>
> iptables -N LOGGING
> iptables -A INPUT -j LOGGING
> iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
> iptables -A LOGGING -j DROP
>
> ========
>
> DHCPD.CONF
>
> log-facility local7;
>
> ddns-updates on;
> ddns-update-style interim;
> update-static-leases on;
> authoritative;
> include "/etc/bind/rndc.key";
> allow unknown-clients;
> use-host-decl-names on;
> allow client-updates;
>
> zone home. {
>         primary 192.168.1.1;
>         key rndc-key;
> }
>
> zone 1.168.192.in-addr.arpa. {
>         primary 192.168.1.1;
>         key rndc-key;
> }
>
> subnet 192.168.1.0 netmask 255.255.255.0 {
>   range 192.168.1.2 192.168.1.254;
>   option subnet-mask 255.255.255.0;
>   option routers lan.home;
>   option broadcast-address 192.168.1.255;
>   option domain-name-servers lan.home;
>   option domain-name "home";
>   ddns-domainname "home.";
>   ddns-rev-domainname "in-addr.arpa.";
> }
>
> host lan.home {
>   fixed-address 192.168.1.1;
>   hardware ethernet 00:25:d3:f6:03:85;
> }

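As an added example (not part of the thread), the poster's POSTROUTING rule rewritten in iptables-restore syntax with the "policy" match exemption from point 3 of the reply, next to the original masquerade-everything rule. The interface name and LAN prefix are taken from the quoted configuration; the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows the NAT exemption for
# IPsec traffic in iptables-restore format, which validates the whole ruleset
# before loading it (point 1 of the reply).

WAN_IF="${WAN_IF:-eth0}"              # from the quoted setup
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # from the quoted setup

# Before: every packet leaving eth0 is masqueraded. NAT runs before ESP
# encapsulation, so a LAN packet meant for the tunnel gets its source
# rewritten, no longer matches the IPsec policy and leaves in clear text.
nat_rules_before() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# After: only packets with no outbound IPsec policy (--pol none) are
# masqueraded; packets destined for the tunnel keep their LAN source address.
nat_rules_after() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -m policy --dir out --pol none -j MASQUERADE
COMMIT
EOF
}

# Root-free sanity check: returns 0 when every MASQUERADE rule in the ruleset
# produced by the function named in $1 carries the policy exemption.
ruleset_exempts_ipsec() {
    ! "$1" | grep -- '-j MASQUERADE' | grep -qv -- '-m policy --dir out --pol none'
}

# Load with (as root): nat_rules_after | iptables-restore --noflush
```

Running the check against both functions shows the original rule failing and the corrected one passing; the real load step still needs root and is deliberately left as a comment.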