[strongSwan] Trouble with strongswan and dhcp server on same host

Tobias Brunner tobias at strongswan.org
Tue Jul 24 14:49:11 CEST 2018


Hi Nathan

> charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> charon: 03[NET] received packet: from 185.38.41.42[60669] to 89.145.162.204[4500]
> charon: 03[NET] waiting for data on sockets
> charon: 15[MGR] checkout IKEv2 SA by message with SPIs a26490f46fda38af_i c55a50bf7d6c4f76_r
> charon: 15[MGR] ignoring request with ID 5, already processing
> charon: 15[MGR] IKE_SA checkout not successful
> charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> 
> So dnsmasq receives the dhcp requests, answers but strongswan seems to
> never get it.

Not sure what exactly causes that but maybe the packet never makes it
out of dnsmasq in a way the raw packet socket in the dhcp plugin can
read it.  Often the local DHCP server does not receive the request,
which is why the plugin's wiki page recommends what you configured next:

> So I set:
> 
>     force_server_address = yes
>     server = 192.168.123.255
>
> The server is my local broadcast address. Now the connection fails
> immediately, and in the logs I see:
> 
> strongswan: 14[IKE] no virtual IP found for %any requested by 'nathan'
> strongswan: 14[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
> 
> And not even an attempt to ask the dhcp server.
> 
> Why is strongswan not even requesting a DHCP DISCOVER?
> What could be the reason?

If you are using 5.6.3, you should have read further up in the log,
where the plugin is loaded.  The problem most likely is a port conflict
(see the discussion at [1] and please try the patch at [2]).

Regards,
Tobias

[1] https://lists.strongswan.org/pipermail/dev/2018-June/001913.html
[2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=707b7072
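
Added example, not part of the original message and not strongSwan code: one way to see which UDP sockets on the host are bound to the DHCP ports when a port conflict between charon and a local DHCP server is suspected. It assumes the conflict concerns the standard DHCP ports (UDP 67 and 68), a Linux host with the /proc/net/udp layout, and a little-endian CPU; the sample table and all function names are constructed for illustration.

```python
import socket
import struct

DHCP_PORTS = (67, 68)  # standard DHCP server and client ports (assumption)
# Constructed sample in /proc/net/udp layout (not data from this thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20001 2 0000000000000000 0
  102: 017BA8C0:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20002 2 0000000000000000 0
  103: 00000000:1194 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20003 2 0000000000000000 0
  104: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20004 2 0000000000000000 0
"""


def parse_udp_table(text):
    """Yield (ip, port, inode) for each socket row of a /proc/net/udp dump."""
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The IPv4 address is hex in host byte order; little-endian assumed.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        yield ip, int(port_hex, 16), int(fields[9])


def dhcp_port_holders(text):
    """Map each DHCP port to the (ip, inode) pairs of sockets bound to it."""
    holders = {port: [] for port in DHCP_PORTS}
    for ip, port, inode in parse_udp_table(text):
        if port in holders:
            holders[port].append((ip, inode))
    return holders


def shared_ports(text):
    """DHCP ports bound by more than one UDP socket (worth a closer look)."""
    return sorted(p for p, s in dhcp_port_holders(text).items() if len(s) > 1)


if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # no /proc/net/udp: fall back to the constructed sample
    for port, socks in dhcp_port_holders(table).items():
        print(f"udp/{port}: {socks or 'no socket bound'}")
    print("ports bound more than once:", shared_ports(table))
```

Each inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to name the owning process; `ss -ulpn` reports the same ownership directly. Raw packet sockets do not appear in this table, only UDP sockets.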

