[strongSwan] swanctl + dhcp + dns
Kamil Jońca
kjonca at o2.pl
Mon Dec 18 18:24:09 CET 2017
Noel Kuntze
<noel.kuntze+strongswan-users-ml-eJe4+7AOuxYyzzc7d281tti2O/JbrIOy at public.gmane.org>
writes:
> 1. Did you test it?
Yes.
> 2. I wrote before that you can not pass the assigned DNS server you
> get via DHCP.
Yes, I mixed up two things and was inaccurate. My fault, sorry.
> You can use a pool though to pass it as an
> attribute. Read the manual for swanctl.conf. The syntax is mentioned
> there.
But how to define such a pool?
Below is my config:
server:
--8<---------------cut here---------------start------------->8---
secrets {
    [...]
}
connections {
    rw {
        local_addrs = 192.168.200.200
        pools = dhcp,a
        local {
            auth = pubkey
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            certs = alfa.kjonca.5.pem
            id = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = xxxxx"
        }
        remote {
            auth = pubkey
        }
        children {
            net-alfa-server {
                local_ts = 192.168.200.200/24
                ipcomp = yes
            }
        }
    }
}
authorities {
    [...]
}
pools {
    a {
        addrs = 192.168.200.0/24
        dns = 192.168.200.200
    }
}
--8<---------------cut here---------------end--------------->8---
client:
--8<---------------cut here---------------start------------->8---
connections {
    alfa {
        vips = 0.0.0.0
        remote_addrs = circinus.ddns.net
        local {
            auth = pubkey
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            certs = bambus.kjonca.pem
        }
        remote {
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            auth = pubkey
            id = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = xxxx"
        }
        children {
            net-alfa-server {
                remote_ts = 0.0.0.0/0
                updown = /home/kjonca/wd/ipsec/test.sh iptables
                ipcomp = yes
            }
        }
    }
}
--8<---------------cut here---------------end--------------->8---
But with this config, the remote address is taken from pool "a", not from
dhcp as expected.
Moreover, it looks like DNS is not passed to the client (I cannot see
PLUTO_DNS4_1 in the script on the client side).
What am I doing wrong?
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
I've been on a diet for two weeks and all I've lost is two weeks.
-- Totie Fields
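The client-side check the question turns on (is PLUTO_DNS4_1 ever handed to the updown script?) can be made explicit in the hook itself. The following is an added example, not part of this thread and not strongSwan's own _updown script; it assumes only that strongSwan exports PLUTO_VERB and the PLUTO_DNS4_1, PLUTO_DNS4_2, ... variables to updown scripts, as the stock _updown script documents. STATE_DIR is a hypothetical staging directory chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan's own _updown script):
# an updown hook that records which DNS attributes reached the client.
# Assumptions: strongSwan exports PLUTO_VERB and PLUTO_DNS4_1, PLUTO_DNS4_2, ...
# to updown scripts; STATE_DIR is a hypothetical directory used only here.

STATE_DIR="${STATE_DIR:-/tmp/ipsec-updown-example}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        if [ "$octet" -gt 255 ]; then return 1; fi
    done
    return 0
}

# collect_dns4: print every syntactically valid PLUTO_DNS4_n value (n = 1, 2, ...)
# one per line; return 1 when no DNS server was handed over at all, which is
# the situation described in the post (no PLUTO_DNS4_1 visible in the hook).
collect_dns4() {
    n=1
    found=0
    while :; do
        eval "val=\${PLUTO_DNS4_$n:-}"
        [ -n "$val" ] || break
        if is_ipv4 "$val"; then
            printf '%s\n' "$val"
            found=1
        else
            printf 'updown: ignoring malformed PLUTO_DNS4_%s=%s\n' "$n" "$val" >&2
        fi
        n=$((n + 1))
    done
    [ "$found" -eq 1 ]
}

# resolv_lines: turn the collected servers into resolv.conf "nameserver" lines.
resolv_lines() {
    collect_dns4 | sed 's/^/nameserver /'
}

# updown_hook: the DNS-related part of an updown script. On up-client it dumps
# all PLUTO_* variables (the quickest way to see whether PLUTO_DNS4_1 was set)
# and stages the nameserver lines; on down-client it removes the staged files.
updown_hook() {
    case ${PLUTO_VERB:-} in
        up-client)
            mkdir -p "$STATE_DIR"
            env | grep '^PLUTO_' | sort > "$STATE_DIR/env.up-client"
            resolv_lines > "$STATE_DIR/resolv.conf.ipsec"
            if [ -s "$STATE_DIR/resolv.conf.ipsec" ]; then
                printf 'updown: DNS attribute(s) received, see %s\n' \
                    "$STATE_DIR/resolv.conf.ipsec" >&2
            else
                printf 'updown: no DNS attribute received from the responder\n' >&2
            fi
            ;;
        down-client)
            rm -f "$STATE_DIR/resolv.conf.ipsec" "$STATE_DIR/env.up-client"
            ;;
    esac
}

updown_hook
```

The hook only stages the nameserver lines and the PLUTO_* environment dump under STATE_DIR; a real script would install them through resolvconf or an equivalent rather than writing /etc/resolv.conf directly. The dump is the useful diagnostic here: if env.up-client contains no PLUTO_DNS4_1 line, the responder never sent the DNS attribute, so the problem is in the responder's pool configuration rather than in the script.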