Alex Sharaz
Tue Apr 25 10:48:41 CEST 2017

Seem to have a problem assigning an IP address to a client from our
campus DHCP server.

Running strongswan 5.5.2

loaded plugins: charon unbound pkcs11 aes des rc2 sha2 sha1 md5 random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp
curve25519 xcbc cmac hmac soup mysql attr attr-sql kernel-netlink resolve
socket-default bypass-lan farp stroke vici sql updown eap-identity eap-md5
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic
xauth-eap xauth-pam dhcp radattr addrblock unity

Configuration is

outside world -> interface ens1f0 - StrongSwanVPN - interface ens1f1 ->
Checkpoint firewall -> internal network

ens1f0    Link encap:Ethernet  HWaddr 00:14:4f:0d:d0:c8
          inet addr:  Bcast:  Mask:
          inet6 addr: 2001:630:61:180::1:c6/64 Scope:Global
          inet6 addr: fe80::214:4fff:fe0d:d0c8/64 Scope:Link
          RX packets:5882984 errors:0 dropped:5307 overruns:0 frame:0
          TX packets:995070 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1009471362 (1.0 GB)  TX bytes:264680178 (264.6 MB)
          Interrupt:30 Memory:b3d80000-b3da0000

ens1f1    Link encap:Ethernet  HWaddr 00:14:4f:0d:d0:c9
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::214:4fff:fe0d:d0c9/64 Scope:Link
          RX packets:21887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1428333 (1.4 MB)  TX bytes:216885 (216.8 KB)
          Interrupt:32 Memory:b3de0000-b3e00000

User connects to SSwan via ens1f0 - outside world address, and traffic gets
into our network via ens1f1/checkpoint firewall. End systems see an IP
address in range

In my server config I can use one of the following

The first one works fine.
The second one also works (pulling ip address from mysql database table)

The 3rd one however fails as the DHCP server sees a request from interface
ens1f1 and tells me there isn't an IP address pool defined for address
space 10.16.35..../x, which is correct, there isn't.

Do I have to create another interface on the VPN server in address space and tell DHCP to send requests out via that?


In my .../strongswan.d/charon/dhcp.conf I've got

dhcp {

    # Always use the configured server address.
    # force_server_address = no

    # Derive user-defined MAC address from hash of IKE identity.
    # identity_lease = no

    # Interface name the plugin uses for address allocation.
    interface = ens1f1

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # DHCP server unicast or broadcast IP address.
    # server =

}