[strongSwan] Help with DHCP-module
Dusan Ilic
dusan at comhem.se
Thu Aug 10 19:22:15 CEST 2017
Hello list,
I have an issue, I have several WAN-interfaces on my linux gateway but
only want to use one for IPsec. So I want to use "interfaces_use"
setting in strongswan.conf and only put one WAN interface, by default
Strongswan listens on all interfaces/IP's (even local LAN interfaces, in
my case different LAN-bridges). The reason I want to do this is because
I don't want the server to propose to a remote client with MOBIKE all
IP-adresses it posseses (absolutely not local LAN IP's), because what
happens is if I'm on 3/4G and connected to the gateway in Android, then
roam over to local Wifi (where the gateway is) it will propose ie
10.1.1.1 to the Android client, and then it keeps a tunnel when actually
connected locally to the same LAN and gateway.
So by using "interfaces_use" I solve this, however this also seem to
introduce a problem with the DHCP-plugin. It seems like when I restrict
Strongswan to only one WAN-interface, the plugin stops working because
the DHCP server is on the same gateway locally on br0 interface (10.1.1.1).
Is there a way working around this somehow?
So what I want is for Strongswan only listening on and presenting one
WAN-interface public IP, while still letting the DHCP-module aquire an
IP from the local DHCP-server on the same gateway. Below is my current
DHCP-plugin settings, these work as expected until I introduce
"interface_use" in strongswan.conf.
dhcp {
# Always use the configured server address.
force_server_address = yes
# Derive user-defined MAC address from hash of IKE identity.
identity_lease = yes
# Interface name the plugin uses for address allocation.
interface = br0
# Whether to load the plugin. Can also be an integer to
increase the
# priority of this plugin.
load = yes
# DHCP server unicast or broadcast IP address.
server = 10.1.1.63 # (broadcast address, 10.1.1.1 doesn't
work for some reason)
}
More information about the Users
mailing list