[strongSwan] Support of forwarding of client DHCP requests in strongswan?

Peter Bieringer pb at bieringer.de
Mon Jun 6 07:41:13 CEST 2016


Hi Michael,

IPv4 address is already passed to WP10 by strongswan and accepted
without external DHCP.

The problem is that WP10 (and I would assume also other Windows systems)
is starting afterwards on the new link "DHCP Inform" to get additional
information, and this can't be served by strongswan so far as I can see
and therefore needs to be caught and forwarded to a sophisticated DHCP
server.

And in my scenario (Split Tunneling = false) I want to feed new routes
into WP10 via DHCP response to "Classless-Static-Route-Microsoft".

Regards,
	Peter

On 05.06.2016 at 21:56, Michael Schwartzkopff wrote:
> On Sunday, 5 June 2016, 19:41:30, Peter Bieringer wrote:
>> Hi,
>>
>> after some hours of playing around and digging through Google I need now
>> support...
>>
>> Initial problem: Windows Phone 10 VPN client where "Split Tunneling =
>> false" can't be set (unlike Windows 10 where Powershell command will help)
>>
>> Probable solution: distribute routes to WP 10 via DHCP reply by
>> responding with proper routes to the received DHCP inform message:
>>
>> Received on ipsec0 interface (tcpdump):
>>
>>     172.16.1.1.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request,
>> length 300, htype 8, hlen 0, xid 0x5b8e69a6, secs 1536, Flags [none]
>> 	  Client-IP 172.16.1.1
>> 	  Vendor-rfc1048 Extensions
>> 	    Magic Cookie 0x63825363
>> 	    DHCP-Message Option 53, length 1: Inform
>> 	    Client-ID Option 61, length 17: "***"
>> 	    Hostname Option 12, length 13: "Windows-Phone"
>> 	    Vendor-Class Option 60, length 8: "MSFT 5.0"
>> 	    Parameter-Request Option 55, length 6:
>> 	      Domain-Name-Server, Netbios-Name-Server, Vendor-Option, Subnet-Mask
>> 	      Classless-Static-Route-Microsoft, Domain-Name
>>
>>
>> But now I am stuck, I haven't found any solution so far to feed this
>> DHCP message received via ipsec0 to a DHCP server (tried ISC and dnsmasq
>> listening on a tap interface with iptables NAT PREROUTING hints).
>> dhcrelay also won't work, interface ipsec0 is not liked by any DHCP
>> server...
>>
>> Has anyone a working example for strongswan how to feed DHCP client
>> messages received after IPsec is established to a DHCP server and
>> respond properly with additional information?
>>
>> e.g. something like a broadcast forwarding/snooper based on layer 2.
>>
>> BTW: IPsec setup is IKEv2, system is running on Virtuozzo, so bridging of
>> interfaces is not an option, only tun/tap interfaces are available.
> 
> As far as I understand, IKEv2 should be able to hand out its own IP
> addresses.
> 
> See:
> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
> https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin
> 
> Is this an option in your setup? Or do the IP addresses really have to be
> passed on to the central DHCP server?
> 
> Kind regards,
> 
> Michael Schwartzkopff
> 
> 
> 


-- 
Dr. Peter Bieringer               mailto:pb at bieringer.de
Heideckstr. 27                    phone: +49-89-36109687
D-80637 Muenchen                  fax: +49-89-36109689
Germany                           mobile: +49-174-9015046
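The thread's open question is how to answer the DHCP Inform that the phone sends over the tunnel with a "Classless-Static-Route-Microsoft" (option 249) reply. The following is an added example, not strongSwan's code and not part of the mailing-list post: it builds a DHCPINFORM shaped like the tcpdump output quoted above (same xid, client IP, htype/hlen and parameter request list; the Client-ID and other bytes are constructed) and shows what a DHCPACK answering it looks like, including how option 249 encodes routes (the RFC 3442 wire format that option 121 also uses). The server address, route list, DNS server, subnet mask and domain name are assumed placeholder values. It answers only the options the client asked for, so the Vendor-Option (43) and Netbios-Name-Server (44) requests in the trace are left out because nothing is configured for them.

```python
"""DHCPINFORM -> DHCPACK with Microsoft classless static routes (option 249).

Added example; not strongSwan code. Packet header values mirror the tcpdump
quote from the thread; routes, DNS, mask, domain and server IP are assumed.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_DNS, OPT_HOSTNAME, OPT_DOMAIN, OPT_MSG_TYPE = 1, 6, 12, 15, 53
OPT_SERVER_ID, OPT_PARAM_REQ, OPT_VENDOR_CLASS, OPT_MS_ROUTES, OPT_END = 54, 55, 60, 249, 255
DHCPINFORM, DHCPACK = 8, 5
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr, sname, file -> 236 bytes; the magic cookie and options follow.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def encode_classless_routes(routes):
    """Per route: prefix length, only the significant destination octets
    (ceil(prefix/8) of them), then the 4-byte router address."""
    out = bytearray()
    for cidr, gateway in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)
        out.append(net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes: the routes the client will install."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        n = (width + 7) // 8
        dest = data[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        gateway = data[i + 1 + n:i + 5 + n]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{width}",
                       str(ipaddress.IPv4Address(gateway))))
        i += 5 + n
    return routes


def parse_options(raw):
    """Option area after the magic cookie -> {code: value bytes}."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:                      # pad byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_options(opts):
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return MAGIC_COOKIE + body + bytes([OPT_END])


def build_inform(xid, client_ip, param_req):
    """Constructed DHCPINFORM in the shape tcpdump showed on ipsec0
    (BOOTREQUEST, htype 8, hlen 0, secs 1536, ciaddr set, yiaddr zero)."""
    hdr = struct.pack(HEADER_FMT, 1, 8, 0, 0, xid, 1536, 0,
                      ipaddress.IPv4Address(client_ip).packed,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return hdr + build_options([(OPT_MSG_TYPE, bytes([DHCPINFORM])),
                                (OPT_HOSTNAME, b"Windows-Phone"),
                                (OPT_VENDOR_CLASS, b"MSFT 5.0"),
                                (OPT_PARAM_REQ, bytes(param_req))])


def build_ack(inform, server_ip, routes, dns, mask, domain):
    """Answer a DHCPINFORM: echo the header (xid, ciaddr), keep yiaddr zero,
    and return only the options the client listed in option 55."""
    if inform[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    req = parse_options(inform[240:])
    if req.get(OPT_MSG_TYPE) != bytes([DHCPINFORM]):
        raise ValueError("not a DHCPINFORM")
    hdr = list(struct.unpack(HEADER_FMT, inform[:236]))
    hdr[0] = 2                               # BOOTREPLY
    hdr[5] = 0                               # secs is client-side only
    available = {OPT_SUBNET_MASK: ipaddress.IPv4Address(mask).packed,
                 OPT_DNS: ipaddress.IPv4Address(dns).packed,
                 OPT_DOMAIN: domain.encode(),
                 OPT_MS_ROUTES: encode_classless_routes(routes)}
    opts = [(OPT_MSG_TYPE, bytes([DHCPACK])),
            (OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)]
    opts += [(c, available[c]) for c in req.get(OPT_PARAM_REQ, b"") if c in available]
    return struct.pack(HEADER_FMT, *hdr) + build_options(opts)


if __name__ == "__main__":
    # Parameter-Request list from the trace: 6, 44, 43, 1, 249, 15
    inform = build_inform(0x5B8E69A6, "172.16.1.1", [6, 44, 43, 1, 249, 15])
    ack = build_ack(inform, "172.16.1.254", [("10.0.0.0/8", "172.16.1.254")],
                    "10.0.0.53", "255.255.255.0", "example.test")
    print(decode_classless_routes(parse_options(ack[240:])[OPT_MS_ROUTES]))
```

A full tunnel (Split Tunneling = false) is expressed in the same encoding as a 0-bit prefix, `0.0.0.0/0`, which occupies one length byte plus the gateway. Whatever eventually answers the Inform on ipsec0 should validate that the ciaddr in the request matches the virtual IP strongSwan assigned to that client before replying, so a client cannot obtain an ACK for an address it does not hold.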

