[strongSwan] Support of forwarding of client DHCP requests in strongswan?

Christian Huldt christian at solvare.se
Tue Jun 7 08:43:31 CEST 2016


Wouldn't it be simpler to just get everything from DHCP, rather than
getting the IP address from one place and everything else from another?

On 2016-06-06 at 07:41, Peter Bieringer wrote:
> Hi Michael,
>
> IPv4 address is already passed to WP10 by strongswan and accepted
> without external DHCP.
>
> The problem is that WP10 (and I would assume also other Windows systems)
> is afterwards starting a "DHCP Inform" on the new link to get additional
> information, and this can't be served by strongswan as far as I can see
> and therefore needs to be caught and forwarded to a sophisticated DHCP
> server.
>
> And in my scenario (Split Tunneling = false) I want to feed new routes
> into WP10 via the DHCP response to "Classless-Static-Route-Microsoft".
>
> Regards,
> 	Peter
>
> On 05.06.2016 at 21:56, Michael Schwartzkopff wrote:
>> On Sunday, 5 June 2016, 19:41:30, Peter Bieringer wrote:
>>> Hi,
>>>
>>> after some hours of playing around and digging through Google I now need
>>> support...
>>>
>>> Initial problem: Windows Phone 10 VPN client where "Split Tunneling =
>>> false" can't be set (unlike Windows 10 where Powershell command will help)
>>>
>>> Probable solution: distribute routes to WP 10 via DHCP reply by
>>> responding with proper routes to the received DHCP inform message:
>>>
>>> Received on ipsec0 interface (tcpdump):
>>>
>>>     172.16.1.1.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request,
>>> length 300, htype 8, hlen 0, xid 0x5b8e69a6, secs 1536, Flags [none]
>>> 	  Client-IP 172.16.1.1
>>> 	  Vendor-rfc1048 Extensions
>>> 	    Magic Cookie 0x63825363
>>> 	    DHCP-Message Option 53, length 1: Inform
>>> 	    Client-ID Option 61, length 17: "***"
>>> 	    Hostname Option 12, length 13: "Windows-Phone"
>>> 	    Vendor-Class Option 60, length 8: "MSFT 5.0"
>>> 	    Parameter-Request Option 55, length 6:
>>> 	      Domain-Name-Server, Netbios-Name-Server, Vendor-Option, Subnet-Mask
>>> 	      Classless-Static-Route-Microsoft, Domain-Name
>>>
>>>
>>> But now I'm stuck: I haven't found any solution so far to feed this
>>> DHCP message received via ipsec0 to a DHCP server (tried ISC and dnsmasq
>>> listening on a tap interface with iptables NAT PREROUTING hints).
>>> dhcrelay also won't work; interface ipsec0 is not liked by any DHCP
>>> server...
>>>
>>> Does anyone have a working example for strongswan of how to feed DHCP
>>> client messages received after IPsec is established to a DHCP server and
>>> respond properly with additional information?
>>>
>>> e.g. something like a broadcast forwarding/snooper based on layer 2.
>>>
>>> BTW: IPsec setup is IKEv2, system is running on Virtuozzo, so bridging of
>>> interfaces is not an option, only tun/tap interfaces are available.
>> As far as I understand, IKEv2 should be able to hand out its own IP
>> addresses.
>>
>> See:
>> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
>> https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin
>>
>> Is this an option in your setup? Or do the IP addresses really have to be
>> passed on to the central DHCP server?
>>
>> Kind regards,
>>
>> Michael Schwartzkopff
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>


-- 
Christian Huldt
+46704612207
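As an added example (not code from strongSwan, from the DHCP servers tried above, or from any of the posters), the following shows what the reply to the captured DHCP Inform would have to look like if something on the gateway did answer it: it parses a DHCPINFORM, honours the client's Parameter-Request list (option 55), and builds a DHCPACK carrying option 249 (Classless-Static-Route-Microsoft) with the RFC 3442 destination-descriptor encoding. The sample Inform is constructed from the tcpdump fields in the thread (ciaddr 172.16.1.1, xid 0x5b8e69a6, secs 1536, htype 8, hlen 0, "MSFT 5.0", "Windows-Phone"); the Client-ID bytes, the server address 172.16.1.254, the DNS/domain values and the pushed default route are assumptions for the demonstration. Getting the datagram from ipsec0 into a DHCP server, the actual problem of the thread, is not addressed here.

```python
"""Parse a DHCPINFORM and build a DHCPACK with classless static routes (option 249).

Added illustration, not strongSwan or ISC/dnsmasq code. Assumes the
Inform captured in the thread; addresses and routes below are constructed.
"""
import ipaddress
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_FMT = "!BBBBIHHIIII16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)      # 236 bytes, then the 4-byte magic cookie
MAGIC = b"\x63\x82\x53\x63"
DHCPINFORM, DHCPACK = 8, 5
OPT_MASK, OPT_DNS, OPT_HOST, OPT_DOMAIN = 1, 6, 12, 15
OPT_MSGTYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_VENDOR_CLASS, OPT_CLIENT_ID = 53, 54, 55, 60, 61
OPT_MS_CLASSLESS_ROUTE = 249                 # Microsoft's code; same layout as RFC 3442 option 121


def parse_dhcp(pkt):
    """Split a raw DHCP/BOOTP payload into header fields plus an {option: bytes} dict.
    Short packets, a bad magic cookie or a truncated option raise ValueError, so a
    malformed datagram seen on the tunnel interface is rejected, not misparsed."""
    if len(pkt) < BOOTP_LEN + 4 or pkt[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP packet (short or bad magic cookie)")
    f = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    msg = {"op": f[0], "htype": f[1], "hlen": f[2], "xid": f[4], "secs": f[5], "flags": f[6],
           "ciaddr": str(ipaddress.IPv4Address(f[7])), "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "chaddr": f[11][:f[2]], "options": {}}
    i = BOOTP_LEN + 4
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        msg["options"][code] = value
        i += 2 + length
    return msg


def encode_options(opts):
    """Serialise {code: bytes} as TLVs terminated by the End option."""
    body = b""
    for code, value in opts.items():
        if len(value) > 255:
            raise ValueError("option %d does not fit a single TLV" % code)
        body += bytes([code, len(value)]) + value
    return body + b"\xff"


def encode_classless_routes(routes):
    """RFC 3442 encoding: <prefix length><only the significant destination octets><gateway>.
    A default route (0.0.0.0/0) therefore takes five bytes: 0 followed by the gateway."""
    out = b""
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        out += bytes([net.prefixlen]) + net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gw).packed
    return out


def build_inform(client_ip="172.16.1.1", xid=0x5B8E69A6, secs=1536, hostname=b"Windows-Phone"):
    """Constructed sample matching the capture in the thread (htype 8, hlen 0, DHCPINFORM)."""
    hdr = struct.pack(BOOTP_FMT, 1, 8, 0, 0, xid, secs, 0,
                      int(ipaddress.IPv4Address(client_ip)), 0, 0, 0, b"", b"", b"")
    opts = {OPT_MSGTYPE: bytes([DHCPINFORM]),
            OPT_CLIENT_ID: b"\x00" + b"*" * 16,   # 17-byte placeholder; real ID was masked
            OPT_HOST: hostname,
            OPT_VENDOR_CLASS: b"MSFT 5.0",
            OPT_PARAM_REQ: bytes([OPT_DNS, 44, 43, OPT_MASK, OPT_MS_CLASSLESS_ROUTE, OPT_DOMAIN])}
    return hdr + MAGIC + encode_options(opts)


def build_inform_ack(inform, server_ip, subnet_mask, dns_servers, domain, routes):
    """Answer a DHCPINFORM as RFC 2131 section 4.3.5 requires: DHCPACK, yiaddr zero,
    ciaddr and xid echoed, no lease time, and only the options the client asked for."""
    if inform["op"] != 1 or inform["options"].get(OPT_MSGTYPE) != bytes([DHCPINFORM]):
        raise ValueError("not a DHCPINFORM")
    requested = set(inform["options"].get(OPT_PARAM_REQ, b""))
    available = {OPT_MASK: ipaddress.IPv4Address(subnet_mask).packed,
                 OPT_DNS: b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers),
                 OPT_DOMAIN: domain.encode(),
                 OPT_MS_CLASSLESS_ROUTE: encode_classless_routes(routes)}
    opts = {OPT_MSGTYPE: bytes([DHCPACK]), OPT_SERVER_ID: ipaddress.IPv4Address(server_ip).packed}
    for code in (OPT_MASK, OPT_DNS, OPT_DOMAIN, OPT_MS_CLASSLESS_ROUTE):
        if code in requested:                # options 43/44 are requested but not offered here
            opts[code] = available[code]
    hdr = struct.pack(BOOTP_FMT, 2, inform["htype"], inform["hlen"], 0, inform["xid"], 0, 0,
                      int(ipaddress.IPv4Address(inform["ciaddr"])), 0, 0, 0,
                      inform["chaddr"], b"", b"")
    return hdr + MAGIC + encode_options(opts)


if __name__ == "__main__":
    inform = parse_dhcp(build_inform())
    ack = parse_dhcp(build_inform_ack(inform, "172.16.1.254", "255.255.255.0",
                                      ["172.16.1.254"], "vpn.example",
                                      [("0.0.0.0/0", "172.16.1.254")]))
    print("option 249:", ack["options"][OPT_MS_CLASSLESS_ROUTE].hex())
```

The ACK is what a relay or a server bound to the tunnel interface would have to send back (unicast to ciaddr, since the Inform carries the client's address); whether WP10 installs a default route received this way is exactly the unknown in the thread and is not asserted by the example.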

