[strongSwan] Trouble with strongswan and dhcp server on same host

Nathan Hüsken nathan at wintercloud.de
Tue Jul 24 20:44:18 CEST 2018


Hi,

OK, I thought I looked through logs for all errors. But you are correct, I get:

    unable to bind DHCP send socket: Permission denied

I get this error also if dnsmasq is stopped. And I can bind to UDP ports 67 and 68 using nc (I can also send on those ports).
So it is not the reused port problem, but a permission problem.

I find that kind of irritating. After all, strongswan can also bind port 500.

Any ideas how I could fix this?

Thanks!
Nathan


--
Dr. Nathan Hüsken
Cloud Developer

nathan at wintercloud.de
+49 151 703 478 84

wintercloud GmbH & Co. KG
Emil-Maier-Str. 16
69115 Heidelberg

wintercloud.de


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On 24 July 2018 2:49 PM, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Nathan
>
> > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> > dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> > dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> > dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> > dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> > dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> > dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> > charon: 03[NET] received packet: from 185.38.41.42[60669] to 89.145.162.204[4500]
> > charon: 03[NET] waiting for data on sockets
> > charon: 15[MGR] checkout IKEv2 SA by message with SPIs a26490f46fda38af_i c55a50bf7d6c4f76_r
> > charon: 15[MGR] ignoring request with ID 5, already processing
> > charon: 15[MGR] IKE_SA checkout not successful
> > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> >
> > So dnsmasq receives the dhcp requests, answers but strongswan seems to
> > never get it.
>
> Not sure what exactly causes that but maybe the packet never makes it
> out of dnsmasq in a way the raw packet socket in the dhcp plugin can
> read it. Often the local DHCP server does not receive the request,
> which is why the plugin's wiki page recommends what you configured next:
>
> > So I set:
> >
> >     force_server_address = yes
> >     server = 192.168.123.255
> >
> > The server is my local broadcast address. Now the connection fails
> > immediately, and in the logs I see:
> >
> > strongswan: 14[IKE] no virtual IP found for %any requested by 'nathan'
> > strongswan: 14[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
> >
> > And not even an attempt to ask the dhcp server.
> > Why is strongswan not even requesting a DHCP DISCOVER?
> > What could be the reason?
>
> If you are using 5.6.3, you should have read further up in the log,
> where the plugin is loaded. The problem most likely is a port conflict
> (see the discussion at [1] and please try the patch at [2]).
>
> Regards,
> Tobias
>
> [1] https://lists.strongswan.org/pipermail/dev/2018-June/001913.html
> [2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=707b7072



