[strongSwan] Strongswan causing IP error on local gratuitous ARP request

Francis sms at icefire.qza.net.au
Sun Dec 4 15:19:58 CET 2016

Hi folks,

This seems like an edge case. I've since resolved the issue, but putting 
it out here for anyone who might get caught in the future.

I have a strongswan instance on a local machine which is also acting as 
a router/dhcp server, using ISC dhcpd. All was well, until I added an ip 
phone which sends a gratuitous arp request right after it receives a 
dhcp lease. The phone then complains about duplicate ip and rejects the 

 From wireshark, I can see that this arp is checking for duplicate ip 
leases. The problem is, the interface on the strongswan box responds 
with the very same ip address as the lease which was just given to the 
phone, telling the phone that the ip address is already in use. This 
causes dhcpd to cycle through the leases indefinitely.

I have isolated the cause(?) down to strongswan. When strongswan is 
down, the phone gets a lease and there are no duplicate ip errors. Once 
the tunnel comes up however, the problem returns.

After many hours (days) of frustration and googling, I tracked the issue 
down to the strongswan farp plugin. This module is enabled by default in 
debian. It automatically responds to any arp request, claiming to have 
the ip address and defeating any device that checks if the ip is in use. 
Highly undesirable behavior on a dhcp server! Disabling the plugin is 
done in /etc/strongswan.d/charon/farp.conf. Set to no and restart 

Is it possible at all to tell farp which subnets to ignore, or is it 
hard coded to respond to everything?



More information about the Users mailing list