[strongSwan] client virtual ip address assignment issue with dhcp
Alex Sharaz
alex.sharaz at york.ac.uk
Tue Apr 25 10:48:41 CEST 2017
Hi,
Seem to have a problem assigning an IP address to a client from our
campus DHCP server.
Running strongSwan 5.5.2
loaded plugins: charon unbound pkcs11 aes des rc2 sha2 sha1 md5 random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp
curve25519 xcbc cmac hmac soup mysql attr attr-sql kernel-netlink resolve
socket-default bypass-lan farp stroke vici sql updown eap-identity eap-md5
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic
xauth-eap xauth-pam dhcp radattr addrblock unity
Configuration is
outside world -> interface ens1f0 - StrongSwanVPN - interface ens1f1 ->
Checkpoint firewall -> internal network
Where
ens1f0 Link encap:Ethernet HWaddr 00:14:4f:0d:d0:c8
       inet addr:144.32.128.198 Bcast:144.32.129.255 Mask:255.255.254.0
       inet6 addr: 2001:630:61:180::1:c6/64 Scope:Global
       inet6 addr: fe80::214:4fff:fe0d:d0c8/64 Scope:Link
       UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
       RX packets:5882984 errors:0 dropped:5307 overruns:0 frame:0
       TX packets:995070 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:1000
       RX bytes:1009471362 (1.0 GB) TX bytes:264680178 (264.6 MB)
       Interrupt:30 Memory:b3d80000-b3da0000

ens1f1 Link encap:Ethernet HWaddr 00:14:4f:0d:d0:c9
       inet addr:10.16.35.121 Bcast:10.16.35.127 Mask:255.255.255.248
       inet6 addr: fe80::214:4fff:fe0d:d0c9/64 Scope:Link
       UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
       RX packets:21887 errors:0 dropped:0 overruns:0 frame:0
       TX packets:1313 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:1000
       RX bytes:1428333 (1.4 MB) TX bytes:216885 (216.8 KB)
       Interrupt:32 Memory:b3de0000-b3e00000

User connects to SSwan via ens1f0 - outside world address, and traffic gets
into our network via ens1f1/checkpoint firewall. End systems see an IP
address in range 172.18.64.0/24.
In my server config I can use one of the following
#rightsourceip=172.18.64.0/24
#rightsourceip=%itservices
#rightsourceip=%dhcp
The first one works fine.
The second one also works (pulling IP address from MySQL database table).
The 3rd one however fails, as the DHCP server sees a request from interface
ens1f1 and tells me there isn't an IP address pool defined for address
space 10.16.35..../x, which is correct, there isn't.
Do I have to create another interface on the VPN server in address space
172.18.64.0/24 and tell DHCP to send requests out via that?
Rgds
Alex
In my .../strongswan.d/charon/dhcp.conf I've got
dhcp {
    # Always use the configured server address.
    # force_server_address = no

    # Derive user-defined MAC address from hash of IKE identity.
    # identity_lease = no

    # Interface name the plugin uses for address allocation.
    interface = ens1f1

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # DHCP server unicast or broadcast IP address.
    # server = 255.255.255.255
}