[strongSwan] auto=route makes local iOS DHCP fail [solved]

Zesen Qian strongswan-users at riaqn.com
Sat Mar 7 16:06:24 CET 2015


Hello Noel,
OK, I've solved my problem, and it turns out to have nothing to do with
auto=route.

Per [1], there are some DHCP clients (including the client in iOS) so smart
that they don't believe the DHCP server. When they receive a response from
the server, instead of just using that IP, they send an ARP query for
that IP to make sure no one else is using it. If an ARP response
is received, which means someone else is already using that IP, the
client sends a DHCPDECLINE to the server (as is seen in the dnsmasq log).

And as is well known, strongSwan has a farp plugin [2], which will reply to
ARP queries for virtual IP addresses handed to road-warriors with its own
MAC, to make the road-warrior act as a client on the local net.

What's strange is that I have no road-warrior at all, and the farp
plugin seems to reply to all ARP requests. Do you think the behaviour is
related to the tunnel range stuff?
As you said, the destination of DHCP packets is 255.255.255.255 or the DHCP server.
The latter should not be a problem since I have 10.0.0.0/24 ===
10.0.0.0/24, and the server is 10.0.0.1.
As to the former, is broadcast also considered in the tunnel? I googled
a little and it seems to be no (I'm not sure).

Anyway, disabling the farp plugin solved my problem.

[1] http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/network-registrar/18934-unavail-18934.html#message
[2] https://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin

Noel Kuntze <noel at familie-kuntze.de> writes:

> Hello Zesen,
>
> Your tunnel probably covers 10.0.0.0/8 == 0.0.0.0/0.
> DHCP uses the IP addresses 0.0.0.0 and 255.255.255.255, as well
> as the IP address of your DHCP server at some stage, and
> those IP addresses match the policy that covers your tunnel.
> You need to create passthrough policies that cover the IP
> addresses used in the DHCP exchange.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 07.03.2015 um 05:21 schrieb Zesen Qian:
>> Hello list,
>> I set auto=route in a site-to-site tunnel, to keep the tunnel alive,
>> which makes an iOS device in the local net unable to get an IP via DHCP.
>> ipsec.conf: https://bpaste.net/show/218b4db1df8b
>>
>> 0. The DHCP client on a PC (dhclient) works fine.
>> 1. I can close the tunnel temporarily to let iOS get an IP, and then
>> re-establish the tunnel, and everything works OK.
>> 2. I can set auto=start; then everything is OK. iOS can get an IP even when
>> the tunnel is up.
>> 3. The version is 5.2.2. I was told by a friend who suffered from the same
>> issue that 5.2.1 works fine, though I've not tried it yet.
>> 4. The DHCP server I use is dnsmasq; some logs on the server when iOS was trying
>> to get an IP:
>> Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f
>> Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f Riaqn-iPhone
>> Mar  7 12:18:38 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f
>> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
>> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
>> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
>> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
>> Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
>> Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f Riaqn-iPhone
>> Mar  7 12:18:57 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
>> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
>> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f
>> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
>> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f
>> Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f
>> Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f Riaqn-iPhone
>>
>> Any ideas?
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-- 
Zesen Qian (钱泽森)
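Added example, not part of the original thread and not strongSwan or dnsmasq code: the ACK-then-DECLINE pattern described above (the client's ARP probe of an offered address getting an answer, per RFC 2131 section 4.4.1) is easy to pick out of a dnsmasq log mechanically. The script below parses dnsmasq-dhcp syslog lines, pairs each DHCPDECLINE with the DHCPACK the same client received shortly before it, and distinguishes a single conflict (one address, probably really in use) from the signature of something answering ARP for every address nobody holds, which is what a proxy-ARP responder such as the farp plugin produces. The sample input is the log excerpt quoted in the thread plus one constructed, well-behaved client (MAC 00:11:22:33:44:55, hostname "pc") for contrast; the 15-second window and the verdict names are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the dnsmasq-dhcp lines quoted in the original post,
# plus one well-behaved client (00:11:22:33:44:55 / "pc", invented for contrast).
SAMPLE_LOG = """\
Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f
Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f Riaqn-iPhone
Mar  7 12:18:38 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f
Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f Riaqn-iPhone
Mar  7 12:18:57 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f
Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f
Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f Riaqn-iPhone
Mar  7 12:19:30 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.50 00:11:22:33:44:55
Mar  7 12:19:30 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.50 00:11:22:33:44:55 pc
"""

# syslog timestamp, host, "dnsmasq-dhcp[pid]: DHCPxxx(iface) <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq-dhcp\[\d+\]: "
    r"(?P<msg>DHCP[A-Z]+)\((?P<iface>[^)]+)\)(?P<rest>.*)$"
)
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Parse one dnsmasq-dhcp syslog line into a dict; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    mac = MAC_RE.search(rest)
    ip = IP_RE.search(rest)
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "msg": m.group("msg"),
        "iface": m.group("iface"),
        "ip": ip.group(1) if ip else None,
        "mac": mac.group(1).lower() if mac else None,
    }


def find_declined_leases(lines, window_s=15):
    """Return [(mac, ip, seconds_after_ack)] for every ACKed address that the same
    client DECLINEd within window_s seconds. A decline that fast after the ACK is
    the client's ARP probe (RFC 2131 4.4.1) having been answered by somebody."""
    last_ack = {}  # mac -> (ip, ack time)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["mac"] is None or ev["ip"] is None:
            continue
        if ev["msg"] == "DHCPACK":
            last_ack[ev["mac"]] = (ev["ip"], ev["ts"])
        elif ev["msg"] == "DHCPDECLINE":
            acked = last_ack.get(ev["mac"])
            if acked and acked[0] == ev["ip"]:
                delta = (ev["ts"] - acked[1]).total_seconds()
                if 0 <= delta <= window_s:
                    hits.append((ev["mac"], ev["ip"], delta))
    return hits


def diagnose(lines):
    """Per client: 'single-conflict' when one address was declined (go look for the
    real duplicate), 'proxy-arp-suspect' when the client declined several distinct
    addresses in a row, i.e. every address it was given looked taken. Clients that
    never declined anything are omitted."""
    per_mac = defaultdict(list)
    for mac, ip, _delta in find_declined_leases(lines):
        per_mac[mac].append(ip)
    verdicts = {}
    for mac, ips in per_mac.items():
        if len(ips) >= 2 and len(set(ips)) == len(ips):
            verdicts[mac] = ("proxy-arp-suspect", ips)
        else:
            verdicts[mac] = ("single-conflict", ips)
    return verdicts


if __name__ == "__main__":
    for mac, ip, delta in find_declined_leases(SAMPLE_LOG.splitlines()):
        print(f"{mac} declined {ip} {delta:.0f}s after ACK")
    for mac, (verdict, ips) in diagnose(SAMPLE_LOG.splitlines()).items():
        print(f"{mac}: {verdict} ({', '.join(ips)})")
```

Run against the excerpt, the iPhone's MAC comes out as proxy-arp-suspect (10.0.0.168 and 10.0.0.186 declined 2 s and 5 s after their ACKs) and the constructed PC does not appear. Each such decline also burns a lease: dnsmasq will not hand that address out again until it expires, so a universal ARP responder quietly drains the pool. To confirm the diagnosis live, `arping -D` (iputils' duplicate-address-detection mode, which implements the same RFC 2131 4.4.1 probe) against an address the server is not leasing should get no reply; if it does, something is proxying ARP. On the strongSwan side the plugin can be kept from loading with the generic per-plugin switch in strongswan.conf, `charon.plugins.farp.load = no`, which is the runtime equivalent of the fix reported above.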

