[strongSwan] auto=route makes local iOS DHCP fail [solved]

Zesen Qian strongswan-user at riaqn.com
Sat Mar 7 15:40:29 CET 2015


OK, I've solved my problem, and it turns out to have nothing to do with
auto=route.

Per [1], there are some DHCP clients (including the client in iOS) so smart
that they don't believe the DHCP server. When they receive a response from
the server, instead of just using that IP, they send an ARP query for
that IP, to make sure no one else is using it. If an ARP response
is received, which means someone else is already using that IP, the
client sends a DHCPDECLINE to the server (as is seen in the dnsmasq log).

And as is well known, strongSwan has a farp plugin [2], which replies to
ARP queries for the virtual IP addresses handed to road-warriors with its own
MAC, to make the road-warrior act as a client on the local net.

What's strange is that I have no road-warrior at all, and the farp
plugin seems to reply to all ARP requests. Anyway, disabling the farp
plugin solved my problem.

[1]
http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/network-registrar/18934-unavail-18934.html#message
[2] https://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin

Zesen Qian <strongswan-users at riaqn.com> writes:

> Hello list,
> I set auto=route in a site-to-site tunnel, to keep the tunnel alive,
> which makes an iOS device in the local net unable to get an IP via DHCP.
> ipsec.conf: https://bpaste.net/show/218b4db1df8b
>
> 0. DHCP client on PC (dhclient) works fine.
> 1. I can close the tunnel temporarily to let iOS get an IP, and then
> re-establish the tunnel, and everything works OK.
> 2. I can set auto=start, then everything is OK. iOS can get an IP even when
> the tunnel is up.
> 3. The version is 5.2.2; I was told by my friend, who suffered from the same
> issue, that 5.2.1 works fine, though I've not tried it yet.
> 4. The DHCP server I use is dnsmasq; some logs on the server when iOS is trying
> to get an IP:
> Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f 
> Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f Riaqn-iPhone
> Mar  7 12:18:38 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f 
> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f 
> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f 
> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f 
> Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f 
> Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f 
> Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f Riaqn-iPhone
> Mar  7 12:18:57 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f 
> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f 
> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f 
> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f 
> Mar  7 12:19:10 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f 
> Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPREQUEST(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f 
> Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f Riaqn-iPhone
>
> Any ideas?

-- 
Zesen Qian (钱泽森)
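Added example, not part of the thread or of strongSwan: the ACK-then-DECLINE cycle described above can be picked out of a dnsmasq-dhcp log in the format quoted in the thread, and the sample lines below are constructed from that quoted log. A single decline may be a genuine address conflict, while one client declining one fresh address after another is the signature of a host answering ARP probes for addresses nobody owns, which is what the farp plugin did here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the dnsmasq-dhcp syslog lines quoted in the thread.
SAMPLE_LOG = """\
Mar  7 12:18:36 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f Riaqn-iPhone
Mar  7 12:18:38 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.168 1c:e6:2b:2f:b6:8f
Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDISCOVER(enp0s29f7u2u4) 1c:e6:2b:2f:b6:8f
Mar  7 12:18:51 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPOFFER(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
Mar  7 12:18:52 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f Riaqn-iPhone
Mar  7 12:18:57 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPDECLINE(enp0s29f7u2u4) 10.0.0.186 1c:e6:2b:2f:b6:8f
Mar  7 12:19:11 Riaqn-Laptop dnsmasq-dhcp[10279]: DHCPACK(enp0s29f7u2u4) 10.0.0.187 1c:e6:2b:2f:b6:8f Riaqn-iPhone
"""

# One dnsmasq-dhcp line: timestamp, host, message type, interface, optional IP, client MAC.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq-dhcp\[\d+\]: "
    r"(?P<msg>DHCP[A-Z]+)\((?P<iface>[^)]+)\)"
    r"(?: (?P<ip>\d+(?:\.\d+){3}))? (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

def find_declined_leases(log_text, window_s=10):
    """Return (mac, ip, seconds) for every DHCPDECLINE that follows a DHCPACK of
    the same address to the same client within window_s seconds: the client's
    ARP probe of its new address got an answer, so it gave the lease back."""
    last_ack = {}  # mac -> (ip, time of the ACK)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        if m["msg"] == "DHCPACK":
            last_ack[m["mac"]] = (m["ip"], t)
        elif m["msg"] == "DHCPDECLINE" and m["mac"] in last_ack:
            ack_ip, ack_t = last_ack[m["mac"]]
            delta = (t - ack_t).total_seconds()
            if m["ip"] == ack_ip and 0 <= delta <= window_s:
                hits.append((m["mac"], m["ip"], delta))
    return hits

def suspect_arp_responder(hits, min_distinct_ips=2):
    """One declined address may be a real conflict; the same client declining
    several different addresses in a row means something on the LAN answers
    ARP probes for addresses nobody owns (a proxy-ARP responder such as farp)."""
    by_mac = defaultdict(set)
    for mac, ip, _ in hits:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= min_distinct_ips}
```

Run it against `journalctl -u dnsmasq` output (or the syslog file) on the DHCP server; a non-empty result from `suspect_arp_responder` means the next thing to check is who is answering ARP for the declined addresses.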

