[strongSwan] sending DHCP DISCOVER failed: Operation not permitted
Harald Dunkel
harald.dunkel at aixigo.de
Tue Feb 20 13:24:37 CET 2018
Hi folks,
I would like to run dnsmasq on the strongSwan server to
manage an address pool (providing DHCP and DNS). dhcp.conf:
dhcp {
    force_server_address = yes
    identity_lease = yes
    interface = lo
    load = yes
    server = 127.0.0.1
}
Problem: In phase 2 the dhcp request runs into a timeout:
:
Feb 20 12:47:33 12[IKE] <IPSec-IKEv2|2> peer requested virtual IP %any
Feb 20 12:47:33 12[CFG] <IPSec-IKEv2|2> sending DHCP DISCOVER to 127.0.0.1
Feb 20 12:47:34 12[CFG] <IPSec-IKEv2|2> sending DHCP DISCOVER to 127.0.0.1
Feb 20 12:47:36 12[CFG] <IPSec-IKEv2|2> sending DHCP DISCOVER to 127.0.0.1
Feb 20 12:47:39 12[CFG] <IPSec-IKEv2|2> sending DHCP DISCOVER to 127.0.0.1
Feb 20 12:47:43 12[CFG] <IPSec-IKEv2|2> sending DHCP DISCOVER to 127.0.0.1
Feb 20 12:47:48 12[CFG] <IPSec-IKEv2|2> DHCP DISCOVER timed out
:
dnsmasq conf says:
Feb 20 12:47:33 dnsmasq-dhcp[10706]: no address range available for DHCP request via 192.168.1.209
Feb 20 12:47:34 dnsmasq-dhcp[10706]: no address range available for DHCP request via 192.168.1.209
Feb 20 12:47:36 dnsmasq-dhcp[10706]: no address range available for DHCP request via 192.168.1.209
Feb 20 12:47:39 dnsmasq-dhcp[10706]: no address range available for DHCP request via 192.168.1.209
Feb 20 12:47:43 dnsmasq-dhcp[10706]: no address range available for DHCP request via 192.168.1.209
192.168.1.209 is bound to the eth0 interface, i.e. the
connection to the peer. Obviously the "interface = lo" was
ignored. I get the same problem using a local bridge instead of
lo, or if I drop the "interface = lo" line. Using eth0 is off
limits.
How can I tell the dhcp plugin to use the right interface?
strongSwan is version 5.6.1 (still).
Every helpful comment is highly appreciated.
Harri