[strongSwan] DHCP plugin

Yudi V yudi.tux at gmail.com
Mon Jan 30 04:23:39 CET 2017


> On 2017-01-25 02:09, Yudi V wrote:
>
>
>
> On Wed, Jan 25, 2017 at 4:27 AM, Dusan Ilic <dusan at comhem.se> wrote:
>
>> Hello Nikola,
>>
>> Well, br0 is the local LAN interface on the gateway and the local LAN IP
>> of the gateway (also DHCP-server) is 10.1.1.1.
>> So in the network 10.1.1.0/26, 10.1.1.63 is the local broadcast address.
>>
>>
>>
>> On 2017-01-24 00:17, Nikola Kolev wrote:
>>
>>> Hi,
>>>
>>> Maybe I'm misreading the bits you posted, but why would you have your
>>>
>>>>       # DHCP server unicast or broadcast IP address.
>>>>        server = 10.1.1.63
>>>>
>>> configured that way? Is that one and the same interface (with 10.1.1.1
>>> on br0)? What is the reason of having a network broadcast IP address set
>>> on a host?
>>>
>>> I would focus on either running dnsmasq with full debug or strace-ing
>>> it to see what's causing that "Operation not permitted".
>>>
>>> Cheers
>>>
>>> On Sun, 22 Jan 2017 22:33:06 +0100
>>> Dusan Ilic <dusan at comhem.se> wrote:
>>>
>>>> Hello,
>>>>
>>>> I have a problem with the DHCP plugin.
>>>> I have Strongswan and DNSmasq on the same host (my Linux gateway) and
>>>> would like to issue IP addresses from the local LAN to remote access users,
>>>> however, I can't get it working. In the logging I can see Strongswan
>>>> sending DHCP Discover, and DNSmasq responding, however directly after
>>>> DNSmasq gives a strange error.
>>>>
>>>> Jan 22 20:46:42 R6250 daemon.info charon: 08[CFG] sending DHCP DISCOVER to 10.1.1.63
>>>> Jan 22 21:46:42 R6250 daemon.info dnsmasq-dhcp[7945]: DHCPDISCOVER(br0) 7a:a7:46:6b:f7:04
>>>> Jan 22 21:46:42 R6250 daemon.info dnsmasq-dhcp[7945]: DHCPOFFER(br0) 10.1.1.60 7a:a7:46:6b:f7:04
>>>> Jan 22 21:46:42 R6250 daemon.warn dnsmasq-dhcp[7945]: Error sending DHCP packet to 10.1.1.1: Operation not permitted
>>>> Jan 22 20:46:47 R6250 daemon.info charon: 08[CFG] DHCP DISCOVER timed out
>>>>
>>>> 10.1.1.1 is my gateway. 10.1.1.63 is the broadcast address (local LAN
>>>> 10.1.1.0/26). I have also tried changing broadcast in charon settings
>>>> to 255.255.255.255, but then there is no DHCPOFFER seen in the logs.
>>>>
>>>> Jan 22 20:44:02 R6250 daemon.info charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
>>>> Jan 22 20:44:03 R6250 daemon.info charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
>>>> Jan 22 20:44:05 R6250 daemon.info charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
>>>> Jan 22 20:44:08 R6250 daemon.info charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
>>>> Jan 22 20:44:12 R6250 daemon.info charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
>>>> Jan 22 20:44:17 R6250 daemon.info charon: 09[CFG] DHCP DISCOVER timed out
>>>>
>>>> Below is my DHCP-plugin config.
>>>>
>>>> dhcp {
>>>>
>>>>     # Always use the configured server address.
>>>>     force_server_address = yes
>>>>
>>>>     # Derive user-defined MAC address from hash of IKE identity.
>>>>     # identity_lease = yes
>>>>
>>>>     # Interface name the plugin uses for address allocation.
>>>>     interface = br0 # Local interface where DNSmasq is listening
>>>>
>>>>     # Whether to load the plugin. Can also be an integer to increase
>>>>     # the priority of this plugin.
>>>>     load = yes
>>>>
>>>>     # DHCP server unicast or broadcast IP address.
>>>>     server = 10.1.1.63
>>>>
>>>> }
>>>>
>>>>
>>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
> Hi Dusan,
>
> I have a similar setup on an openwrt router, mine works fine.
> The only difference is I don't use the "interface=" stanza in the dhcp.conf
> and just use the standard broadcast address 192.168.1.255.
> I have several VLANs, and just by changing the broadcast address of the
> server I can get leases from the subnet/vlan I want.
>
> --
> Kind regards,
> Yudi
>
>
>

> Is it possible to assign some connecting clients by DHCP in one VLAN, and
> other from another?
>
> I guess you can use:
*rightsourceip = <from>-<to>*

and remove this subset from the DHCP leases given out by the server. This can
be done with OpenWrt. By default OpenWrt only starts issuing leases at an offset
of 50 or 100 from the network address.
KR
yudi
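An added check for the split described above (not code from the thread, from strongSwan or from OpenWrt): it derives the subnet broadcast the plugin's `server =` is pointed at, computes the OpenWrt-style pool from a start offset and a limit, and lists every address a `rightsourceip = <from>-<to>` range still shares with that pool. The offsets, limits and sample ranges below are constructed for illustration.

```python
import ipaddress


def broadcast_for(network):
    """Subnet-directed broadcast that `server =` is pointed at in the thread
    (10.1.1.63 for 10.1.1.0/26, 192.168.1.255 for 192.168.1.0/24)."""
    return str(ipaddress.ip_network(network, strict=True).broadcast_address)


def dhcp_pool(network, start, limit):
    """OpenWrt-style pool: `start` is the offset from the network address,
    `limit` the number of addresses handed out from that offset.
    Returns the first and last pool address as IPv4Address objects."""
    net = ipaddress.ip_network(network, strict=True)
    first = net.network_address + start
    last = first + limit - 1
    # A pool that reaches the broadcast (or lies below .1) is a misconfiguration.
    if start < 1 or limit < 1 or last >= net.broadcast_address:
        raise ValueError("pool %s-%s leaves the usable hosts of %s" % (first, last, net))
    return first, last


def parse_range(spec):
    """'<from>-<to>' as used by rightsourceip -> (from, to) address objects."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    if hi < lo:
        raise ValueError("range end precedes start: %s" % spec)
    return lo, hi


def vpn_pool_clashes(network, start, limit, rightsourceip):
    """Addresses both charon (static range) and dnsmasq (DHCP pool) could
    hand out. An empty list means the two pools are disjoint, which is the
    state the thread's suggestion aims for."""
    net = ipaddress.ip_network(network, strict=True)
    d_lo, d_hi = dhcp_pool(network, start, limit)
    v_lo, v_hi = parse_range(rightsourceip)
    if v_lo not in net or v_hi not in net:
        raise ValueError("rightsourceip range %s is not inside %s" % (rightsourceip, net))
    lo, hi = max(d_lo, v_lo), min(d_hi, v_hi)
    if lo > hi:
        return []
    return [str(lo + i) for i in range(int(hi) - int(lo) + 1)]


if __name__ == "__main__":
    # Constructed values: the /26 from the thread, a pool of 10 leases at offset 50.
    print(broadcast_for("10.1.1.0/26"))                             # 10.1.1.63
    print(vpn_pool_clashes("10.1.1.0/26", 50, 10, "10.1.1.10-10.1.1.40"))  # []
    print(vpn_pool_clashes("10.1.1.0/26", 50, 10, "10.1.1.40-10.1.1.52"))  # 3 shared
```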