[strongSwan] Support of forwarding of client DHCP requests in strongswan?

Peter Bieringer pb at bieringer.de
Mon Jun 6 07:41:13 CEST 2016

Hi Michael,

IPv4 address is already passed to WP10 by strongswan and accepted
withouth external DHCP.

The problem is that WP10 (and I would assume also other Windows System)
is starting afterwards on the new link "DCHP Inform" to get additional
information, and this can't be served by strongswan so far as I can see
and therefore need to be catched and forwarded to a sophisticated DHCP

And in my scenario (Split Tunneling = false) I want to feed new routes
into WP10 via DCHP response to "Classless-Static-Route-Microsoft".


Am 05.06.2016 um 21:56 schrieb Michael Schwartzkopff:
> Am Sonntag, 5. Juni 2016, 19:41:30 schrieb Peter Bieringer:
>> Hi,
>> after some hours of playing around and digging through Google I need now
>> support...
>> Initial problem: Windows Phone 10 VPN client where "Split Tunneling =
>> false" can't be set (unlike Windows 10 where Powershell command will help)
>> Probable solution: distribute routes to WP 10 via DHCP reply by
>> responding with proper routes to the received DHCP inform message:
>> Received on ipsec0 interface (tcpdump):
>> > BOOTP/DHCP, Request,
>> length 300, htype 8, hlen 0, xid 0x5b8e69a6, secs 1536, Flags [none]
>> 	  Client-IP
>> 	  Vendor-rfc1048 Extensions
>> 	    Magic Cookie 0x63825363
>> 	    DHCP-Message Option 53, length 1: Inform
>> 	    Client-ID Option 61, length 17: "***"
>> 	    Hostname Option 12, length 13: "Windows-Phone"
>> 	    Vendor-Class Option 60, length 8: "MSFT 5.0"
>> 	    Parameter-Request Option 55, length 6:
>> 	      Domain-Name-Server, Netbios-Name-Server, Vendor-Option, Subnet-Mask
>> 	      Classless-Static-Route-Microsoft, Domain-Name
>> But I get now stucked, I haven't found any solution so far to feed this
>> DHCP message received via ipsec0 to a DHCP server (tried ISC and dnsmasq
>> listening on a tap interface with iptables NAT PREROUTING hints).
>> dhcrelay also won't work, interface ipsec0 is not liked by any dhcp
>> server...
>> Has anyone a working example for strongswan how to feed DHCP client
>> messages received after IPsec is established to a DCHP server and
>> respond proper with additional information?
>> e.g. something like a broadcast forwarding/snooper based on layer 2.
>> BTW: IPsec setup is IKEv2, system is running on Virtuozzo, so briding of
>> interfaces is not an option, only tun/tap interfaces are available.
> As far as I understand, IKE2 should be possible to hand out it own IP 
> adresses. 
> See:
> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
> https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin
> Is this an otion in your setup? Or do the IP addresses really have to be 
> passed on to the central DHCP server?
> Mit freundlichen Grüßen,
> Michael Schwartzkopff
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

Dr. Peter Bieringer               mailto:pb at bieringer.de
Heideckstr. 27                    phone: +49-89-36109687
D-80637 Muenchen                  fax: +49-89-36109689
Germany                           mobile: +49-174-9015046

More information about the Users mailing list