[strongSwan] Cannot assign IP address from DHCP
fratermajor at interia.pl
fratermajor at interia.pl
Wed Oct 22 13:53:18 CEST 2014
Hello,
after hours of digging I managed to get DHCP assignment working. I have successfully tested it in a LAN environment. I will send confirmation when I have the possibility to test it somewhere outside my house. Maybe this post will help someone with a similar problem.
The problem was a bad checksum on the DHCP DISCOVER packet.
Look at the tcpdump log:
tcpdump -n dst portrange 67-68 -i any -vvvv
13:14:32.669231 IP (tos 0x0, ttl 64, id 3674, offset 0, flags [DF], proto UDP (17), length 328)
192.168.1.1.68 > 192.168.1.255.67: [bad udp cksum 0x8596 -> 0x608a!] BOOTP/DHCP, Request from 7a:a7:3d:09:66:2d, length 300, xid 0x3d09662d, Flags [none] (0x0000)
Gateway-IP 192.168.1.1
Client-Ethernet-Address 7a:a7:3d:09:66:2d
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Hostname Option 12, length 5: "artur"
Client-ID Option 61, length 5: hardware-type 97, 72:74:75:72
Parameter-Request Option 55, length 2:
Domain-Name-Server, Netbios-Name-Server
END Option 255, length 0
PAD Option 0, length 0, occurs 38
Of course this packet, when it reaches the DHCP server, only sometimes generates a log message about a bad checksum.
Then I found on Google that a wrong packet checksum is a very common problem with virtual interfaces and tunneling. I added this rule to my firewall script:
iptables -t mangle -A POSTROUTING -o br0 -p udp -m udp --dport 67 -j CHECKSUM --checksum-fill
and after restarting the firewall I got a DHCP OFFER response from my DHCP server:
13:21:18.883035 IP (tos 0x0, ttl 64, id 3656, offset 0, flags [DF], proto UDP (17), length 328)
192.168.1.1.68 > 192.168.1.255.67: [udp sum ok] BOOTP/DHCP, Request from 7a:a7:d4:87:9e:97, length 300, xid 0xd4879e97, Flags [none] (0x0000)
Gateway-IP 192.168.1.1
Client-Ethernet-Address 7a:a7:d4:87:9e:97
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Hostname Option 12, length 5: "artur"
Client-ID Option 61, length 5: hardware-type 97, 72:74:75:72
Parameter-Request Option 55, length 2:
Domain-Name-Server, Netbios-Name-Server
END Option 255, length 0
PAD Option 0, length 0, occurs 38
13:21:18.883830 IP (tos 0x0, ttl 64, id 56887, offset 0, flags [DF], proto UDP (17), length 328)
MY_PUBLIC_IP > 192.168.1.1.67: [bad udp cksum 0xedf9 -> 0x0f8d!] BOOTP/DHCP, Reply, length 300, xid 0xd4879e97, Flags [none] (0x0000)
Your-IP 192.168.1.4
Gateway-IP 192.168.1.1
Client-Ethernet-Address 7a:a7:d4:87:9e:97
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 192.168.1.1
Lease-Time Option 51, length 4: 43200
Domain-Name-Server Option 6, length 4: 192.168.1.1
Subnet-Mask Option 1, length 4: 255.255.255.0
END Option 255, length 0
PAD Option 0, length 0, occurs 32
I had to make additional configuration according to the manual to make everything work. A very important thing is to set "server" in the charon dhcp plugin to the broadcast address of the subnet rather than the server itself. When it was pointing at the DHCP server address, the DHCP REQUEST packet wasn't able to reach the server. Now my settings are:
#### /etc/init.d/firewall
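#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall.sh
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the iptables rule set at boot time
# Description:       Flushes all tables and installs the host firewall:
#                    default-deny INPUT on eth0 except IKE/NAT-T/ESP for
#                    strongSwan, trusted LAN on br0, NAT for the LAN, and a
#                    UDP checksum fix-up for DHCP requests leaving on br0.
### END INIT INFO
#
# NOTE(review): the rules are applied on every invocation regardless of the
# argument (start/stop/restart all behave the same); "stop" does not flush
# the firewall.

# Reset every table this script populates. -F/-X without -t act on the
# filter table, so a separate "-t filter" flush is not needed.
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle

# Default policies: drop unsolicited inbound, allow forwarding and outbound.
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Loopback and the LAN bridge are trusted; replies to our own traffic pass.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# strongSwan on the WAN side: IKE (500/udp), NAT traversal (4500/udp) and
# native ESP (IP protocol 50). Spelled "-j" rather than the getopt-abbreviated
# "--j" used before, for consistency with the other rules.
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p 50 -j ACCEPT

# DHCP replies from the ISP's DHCP server to this host's WAN-side client.
iptables -A INPUT -i eth0 -p udp -s 10.233.0.1 --sport 67 --dport 68 -j ACCEPT # My ISP DHCP

# Recompute the UDP checksum of DHCP client packets leaving on br0. Without
# this the DISCOVER/REQUEST packets sent towards the DHCP server carry a bad
# checksum (visible in tcpdump as "bad udp cksum") and get no OFFER.
iptables -t mangle -A POSTROUTING -o br0 -p udp -m udp --dport 67 -j CHECKSUM --checksum-fill

# Traffic that is about to enter an IPsec tunnel is excluded from NAT (ACCEPT
# ends the nat chain without rewriting), so VPN clients see real LAN
# addresses; everything else from the LAN is masqueraded.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# Rate-limited logging of whatever falls through INPUT, then drop it.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP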
#### /etc/ipsec.conf
# Settings inherited by every conn defined below.
conn %default
    # Load the connection at startup and wait for the peer to initiate.
    auto=add
    left=%any
    # Allow the gateway host itself to be reached from the tunnel (in
    # addition to the subnet) via the updown script's INPUT/OUTPUT rules.
    lefthostaccess=yes
    # Full tunnel: clients route all traffic through the gateway.
    leftsubnet=0.0.0.0/0
    right=%any
    # Virtual IPs are requested from a real DHCP server by charon's dhcp
    # plugin, so VPN clients get addresses from the LAN pool.
    rightsourceip=%dhcp
    # Let the updown script maintain the iptables rules for each tunnel.
    leftfirewall=yes
    # Always UDP-encapsulate ESP (4500/udp), even if no NAT is detected.
    forceencaps=yes
    compress=yes
    # NOTE(review): modp1024 is a 1024-bit DH group and SHA-1 is used as
    # integrity/PRF; both are below current recommendations. They are
    # presumably here for the Windows 7 clients -- check what the clients
    # can offer before moving to modp2048/sha256. The trailing "!" makes
    # the proposal strict (no fallback to other algorithms).
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    # This gateway does not initiate rekeying when an SA is about to expire.
    rekey=no

# IKEv2 road-warrior connection (name suggests Windows 7 clients): the
# gateway authenticates with a certificate, clients with EAP-MSCHAPv2.
conn win7
    # Must match an identity (DN or subjectAltName) contained in vpnCert.pem.
    leftid=@MY_DNS_NAME_THE_SAME_AS_IN_CERT
    keyexchange=ikev2
    # Dead peer detection: probe every 300s, close the SA when the peer is gone.
    dpdaction=clear
    dpddelay=300s
    leftauth=pubkey
    leftcert=vpnCert.pem
    rightauth=eap-mschapv2
    # Never ask the client for a certificate.
    rightsendcert=never # see note
    # Use whatever identity the client presents inside EAP.
    eap_identity=%any

include /var/lib/strongswan/ipsec.conf.inc
#### /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    # With load_modular each plugin is enabled through the "load" setting in
    # its own strongswan.d/charon/<plugin>.conf file instead of a single
    # "load = ..." list here.
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
#### /etc/strongswan.d/charon/dhcp.conf
dhcp {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
    # Always send DHCP requests to the "server" address below instead of the
    # all-ones broadcast. Looks like the DHCP server runs on this same host,
    # so the request has to go out via the LAN interface to be seen by it.
    force_server_address = yes
    # Subnet broadcast address rather than the server's own address: with the
    # unicast server address the DHCP REQUEST never reached the server.
    server = 192.168.1.255
}
#### /etc/dhcp/dhcpd.conf
# Log through syslog facility local7.
log-facility local7;

# Dynamic DNS: push lease names into the BIND zones declared below, including
# static (fixed-address) leases, authenticated with the shared rndc key.
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
include "/etc/bind/rndc.key";

# Serve clients that have no host declaration. NOTE(review): this looks like
# what lets the VPN clients get leases -- the DHCP requests charon sends carry
# generated, locally administered MAC addresses that are never declared here.
allow unknown-clients;
# For declared hosts, hand the host declaration's name to the client as its hostname.
use-host-decl-names on;
# Honour a client's request to update its own forward (A) record.
allow client-updates;

# Forward and reverse zones updated by this server, both on the local BIND.
zone home. {
    primary 192.168.1.1;
    key rndc-key;
}
zone 1.168.192.in-addr.arpa. {
    primary 192.168.1.1;
    key rndc-key;
}

# The LAN subnet; VPN clients draw from the same pool as wired LAN hosts.
subnet 192.168.1.0 netmask 255.255.255.0 {
    authoritative;
    # .1 is left out of the pool: it is the gateway (host lan.home below).
    range 192.168.1.2 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option routers lan.home;
    option broadcast-address 192.168.1.255;
    option domain-name-servers lan.home;
    option domain-name "home";
    ddns-domainname "home.";
    ddns-rev-domainname "in-addr.arpa.";
}

# The gateway itself, pinned to .1 and excluded from the dynamic range.
host lan.home {
    fixed-address 192.168.1.1;
    hardware ethernet 00:25:d3:f6:03:85;
}