[strongSwan] Support of forwarding of client DHCP requests in strongswan?

Michael Schwartzkopff ms at sys4.de
Sun Jun 5 21:56:10 CEST 2016


On Sunday, 5 June 2016 at 19:41:30, Peter Bieringer wrote:
> Hi,
> 
> after some hours of playing around and digging through Google I need now
> support...
> 
> Initial problem: Windows Phone 10 VPN client where "Split Tunneling =
> false" can't be set (unlike Windows 10 where Powershell command will help)
> 
> Probable solution: distribute routes to WP 10 via DHCP reply by
> responding with proper routes to the received DHCP inform message:
> 
> Received on ipsec0 interface (tcpdump):
> 
>     172.16.1.1.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request,
> length 300, htype 8, hlen 0, xid 0x5b8e69a6, secs 1536, Flags [none]
> 	  Client-IP 172.16.1.1
> 	  Vendor-rfc1048 Extensions
> 	    Magic Cookie 0x63825363
> 	    DHCP-Message Option 53, length 1: Inform
> 	    Client-ID Option 61, length 17: "***"
> 	    Hostname Option 12, length 13: "Windows-Phone"
> 	    Vendor-Class Option 60, length 8: "MSFT 5.0"
> 	    Parameter-Request Option 55, length 6:
> 	      Domain-Name-Server, Netbios-Name-Server, Vendor-Option, Subnet-Mask
> 	      Classless-Static-Route-Microsoft, Domain-Name
> 
> 
> But now I'm stuck; I haven't found any solution so far to feed this
> DHCP message received via ipsec0 to a DHCP server (tried ISC and dnsmasq
> listening on a tap interface with iptables NAT PREROUTING hints).
> dhcrelay also won't work, interface ipsec0 is not liked by any DHCP
> server...
> 
> Does anyone have a working example for strongSwan of how to feed DHCP client
> messages received after IPsec is established to a DHCP server and
> respond properly with additional information?
> 
> e.g. something like a broadcast forwarding/snooper based on layer 2.
> 
> BTW: the IPsec setup is IKEv2, the system is running on Virtuozzo, so bridging
> of interfaces is not an option, only tun/tap interfaces are available.

As far as I understand, IKEv2 should be able to hand out its own IP 
addresses. 

See:
https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin

Is this an option in your setup? Or do the IP addresses really have to be 
passed on to the central DHCP server?

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
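A note on the two halves of the problem, plus a worked example that is not part of this thread and not strongSwan code. The dhcp plugin Michael points to obtains the client's virtual IP from a DHCP server during the IKE exchange (the address travels to the client in the IKEv2 configuration payload). The DHCP Inform in Peter's tcpdump is a different thing: an ordinary IP packet the phone sends inside the already established tunnel, so whatever finally receives it on the gateway side (a DHCP daemon bound to a tun interface, or a small responder) still has to build the reply itself. The example below shows what that reply has to look like on the wire: it parses a DHCPINFORM constructed to mirror the capture, and builds the DHCPACK that RFC 2131 section 4.3.5 prescribes for an Inform (same xid and ciaddr, yiaddr zero, no lease time, only the options the client listed in its Parameter-Request). The routes go into option 249, which is what tcpdump prints as "Classless-Static-Route-Microsoft"; RFC 3442 defines the identical encoding under option 121. The server address 172.16.1.254, the DNS server, the domain name and the two routes are assumed values for the illustration; nothing on the page says what they are in Peter's network.

```python
"""Answer a DHCPINFORM with a DHCPACK carrying Microsoft classless static routes
(option 249; RFC 3442 option 121 uses the same encoding). Added illustration,
not strongSwan code; the Inform is constructed to mirror the tcpdump above."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_DNS, OPT_HOSTNAME, OPT_DOMAIN = 1, 6, 12, 15
OPT_VENDOR, OPT_NBNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ = 43, 44, 53, 54, 55
OPT_VENDOR_CLASS, OPT_CLASSLESS_ROUTE_MS, OPT_END = 60, 249, 255
DHCPACK, DHCPINFORM = 5, 8
BOOTP_HEADER_LEN = 236  # fixed BOOTP fields; the magic cookie follows


def parse_options(area):
    """Return {code: value} for the option area that starts with the magic cookie."""
    if not area.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(area) and area[i] != OPT_END:
        if area[i] == 0:            # pad octet, carries no length field
            i += 1
            continue
        code, length = area[i], area[i + 1]
        opts[code] = area[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Split a BOOTP/DHCP packet into its fixed header fields and its options."""
    if len(packet) < BOOTP_HEADER_LEN + len(MAGIC_COOKIE):
        raise ValueError("short DHCP packet")
    op, htype, hlen, _hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    hdr = dict(op=op, htype=htype, hlen=hlen, xid=xid, secs=secs, flags=flags,
               ciaddr=str(ipaddress.IPv4Address(packet[12:16])), chaddr=packet[28:28 + hlen])
    return hdr, parse_options(packet[BOOTP_HEADER_LEN:])


def encode_classless_routes(routes):
    """RFC 3442 encoding: prefix length, only the significant destination octets, router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; returns [(network, router), ...] as strings."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        significant = (plen + 7) // 8
        dest = int.from_bytes(data[i + 1:i + 1 + significant].ljust(4, b"\x00"), "big")
        router = ipaddress.IPv4Address(data[i + 1 + significant:i + 5 + significant])
        routes.append((str(ipaddress.IPv4Network((dest, plen))), str(router)))
        i += 5 + significant
    return routes


def _options_blob(items):
    return b"".join(bytes([code, len(val)]) + val for code, val in items)


def build_inform(xid, ciaddr, hostname, requested):
    """Constructed DHCPINFORM mirroring the capture: htype 8, hlen 0, secs 1536, no giaddr."""
    header = struct.pack("!BBBBIHH", 1, 8, 0, 0, xid, 1536, 0)
    header += ipaddress.IPv4Address(ciaddr).packed + b"\x00" * 12   # ciaddr, then yiaddr/siaddr/giaddr
    header += b"\x00" * (16 + 64 + 128)                            # chaddr, sname, file
    opts = _options_blob([(OPT_MSG_TYPE, bytes([DHCPINFORM])), (OPT_HOSTNAME, hostname.encode()),
                          (OPT_VENDOR_CLASS, b"MSFT 5.0"), (OPT_PARAM_REQ, bytes(requested))])
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


def build_ack(inform, server_ip, answers):
    """DHCPACK for a DHCPINFORM (RFC 2131 4.3.5): echo xid/ciaddr, yiaddr 0, no lease time,
    and hand back only the options the client listed in its Parameter-Request, in its order."""
    hdr, opts = parse_dhcp(inform)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPINFORM]):
        raise ValueError("not a DHCPINFORM")
    header = struct.pack("!BBBBIHH", 2, hdr["htype"], hdr["hlen"], 0, hdr["xid"], 0, hdr["flags"])
    header += ipaddress.IPv4Address(hdr["ciaddr"]).packed + b"\x00" * 12
    header += hdr["chaddr"].ljust(16, b"\x00") + b"\x00" * (64 + 128)
    items = [(OPT_MSG_TYPE, bytes([DHCPACK])), (OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)]
    items += [(code, answers[code]) for code in opts.get(OPT_PARAM_REQ, b"") if code in answers]
    return header + MAGIC_COOKIE + _options_blob(items) + bytes([OPT_END])


def answer_windows_phone_inform():
    """Worked exchange: the Inform from the capture answered with mask, DNS, domain and routes."""
    inform = build_inform(0x5B8E69A6, "172.16.1.1", "Windows-Phone",
                          [OPT_DNS, OPT_NBNS, OPT_VENDOR, OPT_SUBNET_MASK, OPT_CLASSLESS_ROUTE_MS, OPT_DOMAIN])
    answers = {  # assumed values for the example; not taken from the thread
        OPT_SUBNET_MASK: ipaddress.IPv4Address("255.255.255.0").packed,
        OPT_DNS: ipaddress.IPv4Address("10.0.0.53").packed,
        OPT_DOMAIN: b"corp.example",
        OPT_CLASSLESS_ROUTE_MS: encode_classless_routes([("10.0.0.0/8", "172.16.1.254"),
                                                         ("192.168.100.0/24", "172.16.1.254")]),
    }
    return parse_dhcp(build_ack(inform, "172.16.1.254", answers))


if __name__ == "__main__":
    hdr, opts = answer_windows_phone_inform()
    print(hex(hdr["xid"]), hdr["ciaddr"], decode_classless_routes(opts[OPT_CLASSLESS_ROUTE_MS]))
```

Two details worth checking in any responder built on this: NetBIOS name server (44) and vendor options (43) were requested but not configured, so they are simply omitted rather than answered with empty values; and a route with a prefix length that is not a multiple of 8 still only carries ceil(prefixlen/8) destination octets, which is where hand-rolled option 249 payloads usually go wrong.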