[strongSwan] Strongswan causing IP error on local gratuitous ARP request
sms at icefire.qza.net.au
Sun Dec 4 15:19:58 CET 2016
This seems like an edge case. I've since resolved the issue, but putting
it out here for anyone who might get caught in the future.

I have a strongSwan instance on a local machine which is also acting as
a router/DHCP server, using ISC dhcpd. All was well, until I added an IP
phone which sends a gratuitous ARP request right after it receives a
DHCP lease. The phone then complains about duplicate IP and rejects the

From Wireshark, I can see that this ARP is checking for duplicate IP
leases. The problem is, the interface on the strongSwan box responds
with the very same IP address as the lease which was just given to the
phone, telling the phone that the IP address is already in use. This
causes dhcpd to cycle through the leases indefinitely.

I have isolated the cause(?) down to strongSwan. When strongSwan is
down, the phone gets a lease and there are no duplicate IP errors. Once
the tunnel comes up however, the problem returns.

After many hours (days) of frustration and googling, I tracked the issue
down to the strongSwan farp plugin. This module is enabled by default in
Debian. It automatically responds to any ARP request, claiming to have
the IP address and defeating any device that checks if the IP is in use.
Highly undesirable behavior on a DHCP server! Disabling the plugin is
done in /etc/strongswan.d/charon/farp.conf. Set to no and restart

Is it possible at all to tell farp which subnets to ignore, or is it
hard coded to respond to everything?
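The behaviour described in the post, a host answering the ARP probe a client sends for an address it has just been leased, leaves a recognisable trace in a packet capture, and checking for it is quicker than days of guesswork. The script below is an added example, not code from this post or from the strongSwan project: it parses raw Ethernet/ARP frames, records every reply to an RFC 5227 ARP probe (ARP request with sender IP 0.0.0.0) for an address inside a DHCP pool, and singles out any responder that claims more than one such address, which is what a proxy-ARP responder such as the farp plugin looks like on the wire. The MAC addresses, the 192.168.1.0/24 pool and the frames themselves are constructed for the demonstration.

```python
"""Spot a host that answers ARP probes for freshly leased DHCP addresses.

A host that owns one address replies for that address only; a proxy-ARP
responder (strongSwan's farp plugin, for instance) replies for every
address it is asked about, so each new lease looks like a duplicate.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return ipaddress.IPv4Address(ip).packed


def build_arp(op, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet+ARP frame; requests go to the broadcast MAC."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = ETH_HDR.pack(eth_dst, mac_bytes(sha), ETH_P_ARP)
    arp = ARP_HDR.pack(1, ETH_P_IP, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    return {"op": op,
            "sha": sha.hex(":"), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(ipaddress.IPv4Address(tpa))}


def answered_probes(frames, pool):
    """Map responder MAC -> sorted pool addresses it claimed in reply to an ARP probe.

    Every entry is a lease conflict: the client probed an address it was just
    offered and somebody said it was taken. A probe is an ARP request whose
    sender IP is 0.0.0.0 (RFC 5227); ordinary who-has traffic is ignored.
    """
    net = ipaddress.IPv4Network(pool)
    probed = set()   # pool addresses some client has probed so far
    claims = {}
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        if p["op"] == ARP_REQUEST and p["spa"] == "0.0.0.0" \
                and ipaddress.IPv4Address(p["tpa"]) in net:
            probed.add(p["tpa"])
        elif p["op"] == ARP_REPLY and p["spa"] in probed:
            claims.setdefault(p["sha"], set()).add(p["spa"])
    return {mac: sorted(ips, key=ipaddress.IPv4Address) for mac, ips in claims.items()}


def proxy_arp_responders(frames, pool):
    """MACs that claimed more than one probed pool address: the proxy-ARP signature."""
    return sorted(mac for mac, ips in answered_probes(frames, pool).items() if len(ips) > 1)


# Constructed capture (hypothetical MACs): the phone probes each lease it is
# offered and the gateway running charon with farp claims every one of them.
PHONE, GATEWAY, PRINTER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "00:aa:bb:cc:dd:ee"
ZERO_MAC = "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, PHONE, "0.0.0.0", ZERO_MAC, "192.168.1.50"),        # probe for lease
    build_arp(ARP_REPLY, GATEWAY, "192.168.1.50", PHONE, "0.0.0.0"),           # farp says "mine"
    build_arp(ARP_REQUEST, PHONE, "0.0.0.0", ZERO_MAC, "192.168.1.51"),        # dhcpd offers next
    build_arp(ARP_REPLY, GATEWAY, "192.168.1.51", PHONE, "0.0.0.0"),           # farp again
    build_arp(ARP_REQUEST, PRINTER, "192.168.1.20", ZERO_MAC, "192.168.1.1"),  # ordinary who-has
    build_arp(ARP_REPLY, GATEWAY, "192.168.1.1", PRINTER, "192.168.1.20"),     # legitimate reply
    ETH_HDR.pack(mac_bytes(GATEWAY), mac_bytes(PHONE), ETH_P_IP) + b"\x45" + b"\x00" * 27,  # not ARP
]

if __name__ == "__main__":
    for mac, ips in answered_probes(SAMPLE_FRAMES, "192.168.1.0/24").items():
        print(f"{mac} answered probes for {', '.join(ips)}")
    print("proxy-ARP responders:", proxy_arp_responders(SAMPLE_FRAMES, "192.168.1.0/24"))
```

In practice the frames would come from a capture taken on the DHCP server's LAN interface (any pcap reader yields the raw Ethernet bytes `parse_arp` expects); the gateway's reply to the printer's ordinary who-has is deliberately not counted, because only replies to 0.0.0.0 probes indicate a lease being contested.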