[strongSwan] Support of forwarding of client DHCP requests in strongswan?

Peter Bieringer pb at bieringer.de
Sun Jun 5 19:41:30 CEST 2016


after some hours of playing around and digging through Google I need now

Initial problem: Windows Phone 10 VPN client where "Split Tunneling =
false" can't be set (unlike Windows 10 where Powershell command will help)

Probable solution: distribute routes to WP 10 via DHCP reply by
responding with proper routes to the received DHCP inform message:

Received on ipsec0 interface (tcpdump): > BOOTP/DHCP, Request,
length 300, htype 8, hlen 0, xid 0x5b8e69a6, secs 1536, Flags [none]
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Inform
	    Client-ID Option 61, length 17: "***"
	    Hostname Option 12, length 13: "Windows-Phone"
	    Vendor-Class Option 60, length 8: "MSFT 5.0"
	    Parameter-Request Option 55, length 6:
	      Domain-Name-Server, Netbios-Name-Server, Vendor-Option, Subnet-Mask
	      Classless-Static-Route-Microsoft, Domain-Name

But I get now stucked, I haven't found any solution so far to feed this
DHCP message received via ipsec0 to a DHCP server (tried ISC and dnsmasq
listening on a tap interface with iptables NAT PREROUTING hints).
dhcrelay also won't work, interface ipsec0 is not liked by any dhcp

Has anyone a working example for strongswan how to feed DHCP client
messages received after IPsec is established to a DCHP server and
respond proper with additional information?

e.g. something like a broadcast forwarding/snooper based on layer 2.

BTW: IPsec setup is IKEv2, system is running on Virtuozzo, so briding of
interfaces is not an option, only tun/tap interfaces are available.

Thank you very much!


More information about the Users mailing list