[strongSwan] Help with DHCP-module

Dusan Ilic dusan at comhem.se
Thu Aug 10 20:17:55 CEST 2017

Alternatively, I tried just blocking access to IKE and NAT-T with 
iptables, something like iptables -I INPUT -i br0 --dports 500/4500 -j DROP.
In fact, I just tried that, and it seems to work (ipsec statusall doesn't 
show the roaming client's new IP any more), however the Android client 
has some issues. It detects 10-20 seconds late that the connection is being 
blocked, and starts reconnecting but ends up stuck in that state.

Maybe this is the same issue that I reported earlier, that the Android 
client seems to have some bugs with handling broken connections...

On 2017-08-10 at 19:22, Dusan Ilic wrote:
> Hello list,
> I have an issue: I have several WAN interfaces on my Linux gateway but 
> only want to use one for IPsec. So I want to use the "interfaces_use" 
> setting in strongswan.conf and only put one WAN interface there; by default 
> strongSwan listens on all interfaces/IPs (even local LAN interfaces, 
> in my case different LAN bridges). The reason I want to do this is 
> that I don't want the server to propose to a remote client via 
> MOBIKE all the IP addresses it possesses (absolutely not local LAN IPs), 
> because what happens is: if I'm on 3G/4G and connected to the gateway in 
> Android, then roam over to local Wi-Fi (where the gateway is), it will 
> propose i.e. to the Android client, and then it keeps a tunnel up 
> while actually connected locally to the same LAN and gateway.
> So by using "interfaces_use" I solve this, however this also seems to 
> introduce a problem with the DHCP plugin. It seems like when I 
> restrict strongSwan to only one WAN interface, the plugin stops 
> working because the DHCP server is on the same gateway locally on the br0 
> interface (
> Is there a way to work around this somehow?
> So what I want is for strongSwan to only listen on and present one 
> WAN interface's public IP, while still letting the DHCP plugin acquire an 
> IP from the local DHCP server on the same gateway. Below are my current 
> DHCP plugin settings; these work as expected until I introduce 
> "interfaces_use" in strongswan.conf.
>         dhcp {
>             # Always use the configured server address.
>             force_server_address = yes
>             # Derive user-defined MAC address from hash of IKE identity.
>             identity_lease = yes
>             # Interface name the plugin uses for address allocation.
>             interface = br0
>             # Whether to load the plugin. Can also be an integer to
>             # increase the priority of this plugin.
>             load = yes
>             # DHCP server unicast or broadcast IP address.
>             server = # (broadcast address, doesn't work for some reason)
>         }
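The firewall workaround from the reply above, as an added example that is not code from the post or from the strongSwan project: the reply writes the rule as `--dports 500/4500`, but `--dports` belongs to iptables' multiport match, which takes a comma-separated list and needs `-p udp`. The interface name br0 and the two ports (IKE on UDP 500, NAT-T on UDP 4500) come from the thread; the function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not code from the post above: an idempotent helper that drops
# IKE (UDP 500) and NAT-T (UDP 4500) arriving on a LAN bridge, so the local IKE
# daemon is only reachable from the WAN side.  br0 and the ports come from the
# thread; the function names and the DRY_RUN switch are hypothetical.

# Rule specification shared by -I (insert), -C (check) and -D (delete).
# --dports is provided by the multiport match and takes a comma-separated
# list, so the protocol must be given explicitly with -p udp.
ike_block_spec() {
    printf 'INPUT -i %s -p udp -m multiport --dports 500,4500 -j DROP' "$1"
}

# Full insert command as a string (what apply_ike_block would run).
ike_block_cmd() {
    printf 'iptables -I %s' "$(ike_block_spec "$1")"
}

# Insert the rule exactly once.  With DRY_RUN=1, or when iptables is not
# installed, only print the command so the example also runs on a host
# without a firewall.
apply_ike_block() {
    spec=$(ike_block_spec "$1")
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v iptables >/dev/null 2>&1; then
        printf 'iptables -I %s\n' "$spec"
        return 0
    fi
    # Word-splitting of $spec into separate arguments is intended here.
    # shellcheck disable=SC2086
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

# Remove the rule again, e.g. when switching to interfaces_use instead.
remove_ike_block() {
    spec=$(ike_block_spec "$1")
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v iptables >/dev/null 2>&1; then
        printf 'iptables -D %s\n' "$spec"
        return 0
    fi
    # shellcheck disable=SC2086
    iptables -C $spec 2>/dev/null && iptables -D $spec
}

# Show the rule that would be inserted for br0 without touching the firewall.
DRY_RUN=1
apply_ike_block br0
```

Two caveats a practitioner would want: this only drops the IKE control channel and UDP-encapsulated ESP on 4500; a client that negotiated plain ESP keeps its child SA flowing until you also drop `-p esp` on the same interface, and a client only notices the block once its IKE retransmissions or DPD checks go unanswered, which is why the cut-over is not instantaneous. Restricting the daemon with `interfaces_use` avoids both issues because the LAN address is then never proposed to the peer in the first place.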
