[strongSwan] Routing on clients

Christian Salway christian.salway at naimuri.com
Wed Aug 8 22:33:20 CEST 2018


So, I've just finished doing that and it's not working


I set up an IP alias because the DHCP wouldn't give out IP addresses unless I "owned" 172.31.0.x

-----------------------------------------------------------------------------------------------------------------------
#ifconfig eth0:0 172.31.0.1

eth0      Link encap:Ethernet  HWaddr 0a:b6:4a:7d:61:a4  
          inet addr:10.0.1.193  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::8b6:4aff:fe7d:61a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:127072 errors:0 dropped:0 overruns:0 frame:0
          TX packets:76073 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:124506235 (124.5 MB)  TX bytes:12274603 (12.2 MB)

eth0:0    Link encap:Ethernet  HWaddr 0a:b6:4a:7d:61:a4  
          inet addr:172.31.0.1  Bcast:172.31.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
-----------------------------------------------------------------------------------------------------------------------


I then installed isc-dhcp-server (had no luck with dnsmasq) and set up the dhcp config file like so

-----------------------------------------------------------------------------------------------------------------------
option rfc3442-classless-static-routes code 121 = array of integer 8;
option ms-classless-static-routes code 249 = array of integer 8;

ddns-update-style none;

default-lease-time 600;
max-lease-time 7200;

authoritative;

subnet 172.31.0.0 netmask 255.255.255.0 {
  range 172.31.0.5 172.31.0.250;
  option subnet-mask              255.255.255.0;

  option rfc3442-classless-static-routes 24, 192, 168, 123, 10, 10, 10, 1;
  option ms-classless-static-routes 24, 192, 168, 123, 10, 10, 10, 1;
}
-----------------------------------------------------------------------------------------------------------------------

and then configured ipsec

-----------------------------------------------------------------------------------------------------------------------
conn %default
    ike=aes256-sha256-prfsha256-ecp256-modp2048-modp1024!
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

    leftfirewall=yes
    rightsourceip=172.31.0.0/24
    rightid=%any

conn localnet
    leftid=localnet
    leftsubnet=10.0.0.0/20
    rightsourceip=%dhcp
    authby=secret
    auto=start
-----------------------------------------------------------------------------------------------------------------------
dhcp {

    force_server_address = no
    identity_lease = no
    interface = eth0
    load = yes
    server = 172.31.255.255
}
-----------------------------------------------------------------------------------------------------------------------

..... which actually assigns IP addresses to clients (HUZZAH)

-----------------------------------------------------------------------------------------------------------------------
07[IKE] peer requested virtual IP %any
07[KNL] using 172.31.0.1 as address to reach 172.31.255.255/32
07[CFG] sending DHCP DISCOVER to 172.31.255.255
10[CFG] received DHCP OFFER 172.31.0.14 from 10.0.1.193
07[KNL] using 172.31.0.1 as address to reach 172.31.255.255/32
07[CFG] sending DHCP REQUEST for 172.31.0.14 to 10.0.1.193
11[CFG] received DHCP ACK for 172.31.0.14
07[IKE] assigning virtual IP 172.31.0.14 to peer '192.168.0.31'
-----------------------------------------------------------------------------------------------------------------------


 - not quite, the routes aren't passed through to the clients

-----------------------------------------------------------------------------------------------------------------------
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.0.1        UGSc           84        0     en0
10/20              link#6             UCSc            0        0   utun2
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH             28  7617856     lo0
169.254            link#6             UCS             0        0     en0
192.168.0          link#6             UCS             5        0     en0
192.168.0.1/32     link#6             UCS             1        0     en0
192.168.0.1        40:d:10:73:1f:90   UHLWIir        26       26     en0   1196
192.168.0.10       f4:5f:d4:fb:24:4a  UHLWI           0       86     en0   1127
192.168.0.23       dc:a9:4:2a:21:db   UHLWI           0        4     en0     60
192.168.0.24       3c:cd:93:6d:78:32  UHLWI           0        8     en0   1122
192.168.0.31/32    link#6             UCS             0        0     en0
192.168.0.42       a4:77:33:b2:d7:34  UHLWIi          1      779     en0   1038
192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        1     en0
224.0.0/4          link#6             UmCS            2        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0      314     en0
255.255.255.255/32 link#6             UCS             0        0     en0

-----------------------------------------------------------------------------------------------------------------------
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.2.2        10.0.2.15     25
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
    18.130.229.77  255.255.255.255         10.0.2.2        10.0.2.15     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.31.0.0      255.255.0.0         On-link        172.31.0.1     26
       172.31.0.1  255.255.255.255         On-link        172.31.0.1    281
   172.31.255.255  255.255.255.255         On-link        172.31.0.1    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
        224.0.0.0        240.0.0.0         On-link        172.31.0.1    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
  255.255.255.255  255.255.255.255         On-link        172.31.0.1    281
===========================================================================
Persistent Routes:
  None
-----------------------------------------------------------------------------------------------------------------------


> On 8 Aug 2018, at 15:15, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
> Hello Christian,
> 
> I guess the native Mac OSX client just doesn't support being connected to more than one server, so this can't be solved with it.
> 
> For Windows, you need to setup and run a DHCP server on the VPN server, which answers the DHCP requests that Windows (uniquely and only Windows!) sends over the VPN. You can use that to push routes to the client. Just use the same options as with "real" DHCP clients, requesting configuration from/on the LAN. This is described in the article about Windows interoperability[1].
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#Split-routing-on-Windows-10-and-Windows-10-Mobile <https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#Split-routing-on-Windows-10-and-Windows-10-Mobile>
> 
> Kind regards
> 
> Noel
> 
> On 07.08.2018 09:07, Christian Salway wrote:
>> Hello all,
>> 
>> After several months of using strongSwan, I still can't get the routing to work correctly on the clients.  I have run out of pages to read on the strongswan website so I hope you can help me out.
>> 
>> The problem is when I connect to strongSwan, the routing is not configured correctly on the clients (OSX and Windows) - using native (built-in) clients. All updated with the latest patches/updates.
>> 
>> OSX will set up a route based on the local_ts but when I open a simultaneous connection to another strongSwan server, it removes the route from the first VPN connection and adds its own based on the local_ts.
>> 
>> WINDOWS doesn't add the route at all.
>> 
>> In either case, I normally have to manually add the routes in.
>> 
>> Has anyone had any success? Can they please shed some light as to how they achieved it?
>> 
>> 
>> Kind regards,
>> 
>> *Christian Salway*
>> IT Consultant - *Naimuri*
>> 
>> T: +44 7463 331432
>> E: christian.salway at naimuri.com
>> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
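The octet list in the dhcpd.conf above (`24, 192, 168, 123, 10, 10, 10, 1`) is the RFC 3442 wire encoding of one classless static route. As an added example that is not part of this thread, the Python below encodes and decodes options 121 and 249 so you can check what such a list actually pushes, and shows what a route for the server's 10.0.0.0/20 leftsubnet would look like; the gateway address used for that route is an assumed value.

```python
"""Encode/decode DHCP classless static routes (option 121, RFC 3442;
option 249, the Microsoft variant with the same payload format).

Added example, not from the mailing-list thread. Wire format per route:
  <prefix length> <significant destination octets> <4 router octets>
where only (prefixlen + 7) // 8 destination octets are sent.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def route(cidr: str, gateway: str) -> Route:
    return ipaddress.IPv4Network(cidr), ipaddress.IPv4Address(gateway)


def _significant_octets(prefixlen: int) -> int:
    # /0 -> 0 octets, /1../8 -> 1, /9../16 -> 2, /17../24 -> 3, /25../32 -> 4
    return (prefixlen + 7) // 8


def encode_routes(routes: List[Route]) -> bytes:
    out = bytearray()
    for net, gw in routes:
        n = _significant_octets(net.prefixlen)
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]  # host bits are already zero
        out += gw.packed
    return bytes(out)


def decode_routes(data: bytes) -> List[Route]:
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError(f"bad prefix length {prefixlen} at offset {i}")
        n = _significant_octets(prefixlen)
        i += 1
        if i + n + 4 > len(data):
            raise ValueError("truncated classless static route option")
        dest = data[i:i + n] + b"\x00" * (4 - n)  # pad omitted octets
        gw = data[i + n:i + n + 4]
        # strict=True (default) rejects non-zero host bits, as RFC 3442 requires
        routes.append((ipaddress.IPv4Network((dest, prefixlen)),
                       ipaddress.IPv4Address(gw)))
        i += n + 4
    return routes


def dhcpd_option_value(routes: List[Route]) -> str:
    """Render routes in the 'array of integer 8' syntax used in dhcpd.conf."""
    return ", ".join(str(b) for b in encode_routes(routes))


# Octets exactly as they appear in the posted dhcpd.conf.
POSTED_OPTION = bytes([24, 192, 168, 123, 10, 10, 10, 1])
# Assumed gateway for the server's 10.0.0.0/20 leftsubnet (not from the thread).
LEFTSUBNET_ROUTE = route("10.0.0.0/20", "172.31.0.1")
```

Running `decode_routes(POSTED_OPTION)` shows the posted option pushes 192.168.123.0/24 via 10.10.10.1, which is the wiki's sample value rather than a route toward the 10.0.0.0/20 network in the ipsec.conf; `dhcpd_option_value([LEFTSUBNET_ROUTE])` gives the octet list that would describe that subnet instead.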
