[strongSwan] Can't assign DHCP address with DHCPd

Igor Filakhtov filakhtov at gmail.com
Tue Jan 6 14:26:34 CET 2015


Hi everyone,

I need assistance setting up an IKEv2 tunnel between a network and roadwarriors.

VPN server is behind NAT and has two network interfaces:
lan = for local network (192.168.180.10)
wan = for the internet (192.168.123.151) <--NAT (via 192.168.123.1)--> Internet

I'm unable to assign addresses to clients:

Jan 06 14:01:24 ho charon[18339]: 07[IKE] <ho.mapro-gmbh.com|1> peer requested virtual IP %any
Jan 06 14:01:24 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> sending DHCP DISCOVER to 255.255.255.255
Jan 06 14:01:24 ho dhcpd[15932]: DHCPDISCOVER from 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:25 ho charon[18339]: 08[MGR] ignoring request with ID 1, already processing
Jan 06 14:01:25 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> sending DHCP DISCOVER to 255.255.255.255
Jan 06 14:01:25 ho dhcpd[15932]: DHCPOFFER on 192.168.180.104 to 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:27 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> sending DHCP DISCOVER to 255.255.255.255
Jan 06 14:01:27 ho dhcpd[15932]: DHCPDISCOVER from 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:27 ho dhcpd[15932]: DHCPOFFER on 192.168.180.104 to 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:27 ho charon[18339]: 09[MGR] ignoring request with ID 1, already processing
Jan 06 14:01:30 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> sending DHCP DISCOVER to 255.255.255.255
Jan 06 14:01:30 ho dhcpd[15932]: DHCPDISCOVER from 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:30 ho dhcpd[15932]: DHCPOFFER on 192.168.180.104 to 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:34 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> sending DHCP DISCOVER to 255.255.255.255
Jan 06 14:01:34 ho dhcpd[15932]: DHCPDISCOVER from 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:34 ho dhcpd[15932]: DHCPOFFER on 192.168.180.104 to 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:39 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> DHCP DISCOVER timed out


/etc/strongswan.d/dhcp.conf
charon {
  plugins {
    dhcp {
      interface = lan
    }
  }
}

/etc/ipsec.conf
config setup
  strictcrlpolicy = yes
  uniqueids = yes

conn %default
  authby = pubkey
  compress = yes
  dpdaction = clear
  dpddelay = 30s
  dpdtimeout = 90s
  inactivity = 120s
  forceencaps = yes
  ikelifetime = 1h
  keyexchange = ikev2
  keyingtries = 3
  mobike = yes
  reauth = yes
  rekey = yes
  type = tunnel
  left = 192.168.123.151 # NATed IP
  leftid = @lefid
  leftcert = server.crt
  leftfirewall = yes
  leftsubnet = 192.168.180.0/24
  right = %any
  rightsourceip = %dhcp
  rightca = %same

conn test1
  auto = add

Any ideas on what could be wrong?
Thanks in advance.
--
Best regards,
Garry Filakhtov
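The log excerpt above shows the pattern worth isolating when debugging the strongSwan dhcp plugin: dhcpd logs a DHCPOFFER after each DISCOVER, yet charon keeps re-sending DISCOVER and finally reports a time-out, i.e. the offer is made but never consumed by charon. The script below is an added example (not code from the post or from the strongSwan or ISC dhcpd projects) that correlates the two log sources and classifies each of charon's DHCP attempts. It assumes the ISC dhcpd message format quoted in the post, the two charon dhcp-plugin messages quoted there ("sending DHCP DISCOVER to ..." and "DHCP DISCOVER timed out"), and the standard syslog line prefix; the verdict labels are the example's own. Because charon does not log the client MAC it uses, dhcpd events are attributed to every charon attempt that is open at that moment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the charon/dhcpd lines quoted in the post above,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Jan 06 14:01:24 ho charon[18339]: 07[IKE] <ho.mapro-gmbh.com|1> peer requested virtual IP %any
Jan 06 14:01:24 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> sending DHCP DISCOVER to 255.255.255.255
Jan 06 14:01:24 ho dhcpd[15932]: DHCPDISCOVER from 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:25 ho charon[18339]: 08[MGR] ignoring request with ID 1, already processing
Jan 06 14:01:25 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> sending DHCP DISCOVER to 255.255.255.255
Jan 06 14:01:25 ho dhcpd[15932]: DHCPOFFER on 192.168.180.104 to 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:27 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> sending DHCP DISCOVER to 255.255.255.255
Jan 06 14:01:27 ho dhcpd[15932]: DHCPDISCOVER from 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:27 ho dhcpd[15932]: DHCPOFFER on 192.168.180.104 to 7a:a7:f8:aa:e8:2f via lan
Jan 06 14:01:39 ho charon[18339]: 07[CFG] <ho.mapro-gmbh.com|1> DHCP DISCOVER timed out
"""

# Generic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
# charon dhcp-plugin messages as quoted in the post; "<conn|N>" names the IKE_SA
CHARON_DISCOVER_RE = re.compile(r"<(?P<sa>[^>]+)> sending DHCP DISCOVER to (?P<dst>\S+)")
CHARON_TIMEOUT_RE = re.compile(r"<(?P<sa>[^>]+)> DHCP DISCOVER timed out")
# ISC dhcpd messages as quoted in the post
DHCPD_DISCOVER_RE = re.compile(r"DHCPDISCOVER from (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)")
DHCPD_OFFER_RE = re.compile(r"DHCPOFFER on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)")


@dataclass
class DhcpAttempt:
    sa: str
    discovers_sent: int = 0      # DISCOVERs charon sent for this IKE_SA
    server_saw: int = 0          # DISCOVERs dhcpd logged while the attempt was open
    offered_ips: list = field(default_factory=list)  # IPs dhcpd OFFERed while open
    timed_out: bool = False


def parse_attempts(log_text):
    """Build one DhcpAttempt per IKE_SA, attaching dhcpd events seen while it is open."""
    attempts = {}
    open_sas = []  # attempts with a DISCOVER sent and no time-out yet
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "charon":
            if d := CHARON_DISCOVER_RE.search(msg):
                sa = d.group("sa")
                att = attempts.setdefault(sa, DhcpAttempt(sa))
                att.discovers_sent += 1
                if sa not in open_sas:
                    open_sas.append(sa)
            elif t := CHARON_TIMEOUT_RE.search(msg):
                sa = t.group("sa")
                attempts.setdefault(sa, DhcpAttempt(sa)).timed_out = True
                if sa in open_sas:
                    open_sas.remove(sa)
        elif prog == "dhcpd":
            if DHCPD_DISCOVER_RE.search(msg):
                for sa in open_sas:
                    attempts[sa].server_saw += 1
            elif o := DHCPD_OFFER_RE.search(msg):
                for sa in open_sas:
                    attempts[sa].offered_ips.append(o.group("ip"))
    return attempts


def verdict(att):
    """Classify one attempt; only the timed-out cases are conclusive from these two logs."""
    if not att.timed_out:
        return "no-timeout"            # still in progress, or finished without error
    if att.offered_ips:
        return "offer-not-received"    # dhcpd answered, charon never consumed the OFFER
    if att.server_saw:
        return "no-offer-from-server"  # dhcpd saw the DISCOVER but did not answer
    return "discover-not-delivered"    # dhcpd never saw the DISCOVER at all


def diagnose(log_text):
    """Map each IKE_SA tag to its verdict string."""
    return {sa: verdict(att) for sa, att in parse_attempts(log_text).items()}


if __name__ == "__main__":
    for sa, att in parse_attempts(SAMPLE_LOG).items():
        print(f"{sa}: {verdict(att)} discovers={att.discovers_sent} "
              f"offers={sorted(set(att.offered_ips))}")
```

Run against the post's lines this reports "offer-not-received" for IKE_SA ho.mapro-gmbh.com|1, which narrows the search to the path between dhcpd's reply and charon's socket (which interface the reply leaves on, whether it is broadcast or unicast, and what charon is bound to) rather than to the IKE configuration itself. The "no-offer-from-server" and "discover-not-delivered" verdicts point at dhcpd's pool or at the plugin's interface binding instead.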