[strongSwan] auto=route makes local iOS DHCP fail

Noel Kuntze noel at familie-kuntze.de
Sat Mar 7 15:39:00 CET 2015


Hello Zesen,

Your tunnel probably covers 10.0.0.0/8 == 0.0.0.0/0.
DHCP uses the IP addresses 0.0.0.0 and 255.255.255.255, as well
as the IP address of your DHCP server at some stage.
Those IP addresses match the policy that covers your tunnel.
You need to create passthrough policies that cover the IP
addresses used in the DHCP exchange.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 07.03.2015 um 05:21 schrieb Zesen Qian:
> Hello list,
> I set auto=route in a site-to-site tunnel, to keep the tunnel alive,
> which makes an iOS device in the local net unable to get an IP via DHCP.
> ipsec.conf: https://bpaste.net/show/218b4db1df8b
>
> 0. The DHCP client on the PC (dhclient) works fine.
> 1. I can close the tunnel temporarily to let iOS get an IP, and then
> re-establish the tunnel, and everything works OK.
> 2. I can set auto=start, then everything is OK. iOS can get an IP even when
> the tunnel is up.
> 3. The version is 5.2.2. I was told by my friend, who suffers from the same
> issue, that 5.2.1 works fine, though I've not tried it yet.
> 4. The DHCP server I use is dnsmasq; some logs on the server when iOS is trying
> to get an IP:
> Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f
> Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f Riaqn-iPhone
> Mar  7 12:18:38 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f
> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
> Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
> Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f Riaqn-iPhone
> Mar  7 12:18:57 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f
> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f
> Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f
> Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f Riaqn-iPhone
>
> Any ideas?
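
An added example, not part of the original message or of the poster's configuration: one way to write the passthrough policy suggested in the reply, matching the DHCP exchange by UDP port rather than by individual address. The conn name is hypothetical, and it is assumed that strongSwan runs on the same host as the DHCP server.

```conf
# /etc/ipsec.conf fragment (added example; conn name "dhcp-passthrough" is hypothetical)
#
# Shunt policy that exempts DHCP from the trap policy installed by auto=route.
# Assumption: this host is both the strongSwan gateway and the DHCP server, so
#   left  = this host, DHCP server port (udp/67)
#   right = LAN clients, DHCP client port (udp/68)
# 0.0.0.0/0 is used on both sides so that the 0.0.0.0 source and the
# 255.255.255.255 destination seen during the exchange are covered as well.
# The [proto/port] selector syntax needs strongSwan 5.1.0 or later.
# type=passthrough: no IPsec processing for matching packets.
# authby=never:     the conn is a shunt only, no SA is ever negotiated for it.
# auto=route:       the policy is installed when the daemon starts.
conn dhcp-passthrough
    leftsubnet=0.0.0.0/0[udp/67]
    rightsubnet=0.0.0.0/0[udp/68]
    type=passthrough
    authby=never
    auto=route

# Check after "ipsec restart":
#   "ipsec statusall" lists the conn under "Shunted Connections"
#   "ip xfrm policy"  shows the udp 67/68 selectors next to the tunnel policy
```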
