[strongSwan] Trouble with strongswan and dhcp server on same host

Nathan Hüsken nathan at wintercloud.de
Wed Jul 25 00:07:51 CEST 2018


Hey,

I solved it. The permission error goes away when I start strongswan via:

     strongswan start

instead of

    service strongswan start

(I am on CentOS). Now I got the port conflict, as in the references you sent. I did not yet try the patch, because I want a strongswan installation from the package manager.
But I removed dnsmasq and installed dhcpd. Now it works!

I still have to start strongswan via "strongswan start", but I guess that is something specific to CentOS or my installation.

Thanks for the help!
Nathan


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On 24 July 2018 8:44 PM, Nathan Hüsken <nathan at wintercloud.de> wrote:

> Hi,
>
> OK, I thought I looked through logs for all errors. But you are correct, I get:
>
> unable to bind DHCP send socket: Permission denied
>
> I get this error also if dnsmasq is stopped. And I can bind to udp port 67 and 68 using nc (I can also send on those ports).
> So it is not the reused Port problem, but a permission problem.
>
> I find that kind of irritating. After all, strongswan can also bind port 500.
>
> Any ideas, how I could fix this?
>
> Thanks!
> Nathan
>
>
> --
>
> Dr. Nathan Hüsken
> Cloud Developer
>
> nathan at wintercloud.de
> +49 151 703 478 84
>
> wintercloud GmbH & Co. KG
> Emil-Maier-Str. 16
> 69115 Heidelberg
>
> wintercloud.de
>
> Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268
> Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken
>
> USt-IdNr.: DE815676705
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 24 July 2018 2:49 PM, Tobias Brunner <tobias at strongswan.org> wrote:
>
> > Hi Nathan
> >
> > > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> > > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> > > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> > > dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> > > dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> > > dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> > > dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> > > dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> > > dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
> > > charon: 03[NET] received packet: from 185.38.41.42[60669] to
> > > 89.145.162.204[4500]
> > > charon: 03[NET] waiting for data on sockets
> > > charon: 15[MGR] checkout IKEv2 SA by message with SPIs
> > > a26490f46fda38af_i c55a50bf7d6c4f76_r
> > > charon: 15[MGR] ignoring request with ID 5, already processing
> > > charon: 15[MGR] IKE_SA checkout not successful
> > > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> > > So dnsmasq receives the dhcp requests, answers but strongswan seems to
> > > never get it.
> >
> > Not sure what exactly causes that but maybe the packet never makes it
> > out of dnsmasq in a way the raw packet socket in the dhcp plugin can
> > read it. Often the local DHCP server does not receive the request,
> > which is why the plugin's wiki page recommends what you configured next:
> >
> > > So I set:
> > > force_server_address = yes
> > >     server = 192.168.123.255
> > > The server is my local broadcast address. Now the connection fails
> > > immediately, and in the logs I see:
> > > strongswan: 14[IKE] no virtual IP found for %any requested by 'nathan'
> > > strongswan: 14[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
> > > And not even an attempt to ask the DHCP server.
> > > Why does strongswan not even send a DHCP DISCOVER?
> > > What could be the reason?
> >
> > If you are using 5.6.3, you should have read further up in the log,
> > where the plugin is loaded. The problem most likely is a port conflict
> > (see the discussion at [1] and please try the patch at [2]).
> > Regards,
> > Tobias
> > [1] https://lists.strongswan.org/pipermail/dev/2018-June/001913.html
> > [2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=707b7072
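As an added triage example for the symptoms discussed in this thread (my code, not strongSwan's and not the posters'): it classifies the charon and dnsmasq log lines quoted above into the failure modes the thread went through (bind refused with "Permission denied", port conflict with the local DHCP server, OFFERs answered by dnsmasq but never seen by the plugin, no DISCOVER attempted at all) and probes whether the calling process can bind UDP 67/68 the way the dhcp plugin has to. The verdict names, the `diagnose`/`probe_bind`/`conflict_demo` helpers and the SELinux hint are my assumptions; only the log strings and the `force_server_address`/`server` settings come from the thread.

```python
"""Triage helper for the strongSwan dhcp plugin symptoms discussed above.

Added example for this thread; it is not strongSwan code.  It classifies the
charon/dnsmasq log lines quoted in the thread and probes whether the calling
process can bind the DHCP UDP ports.  Function and verdict names are my own.
"""
import errno
import re
import socket

DHCP_SERVER_PORT = 67   # where the local DHCP server (dnsmasq/dhcpd) listens
DHCP_CLIENT_PORT = 68   # where a DHCP client expects OFFER/ACK

# Patterns matching the charon and dnsmasq lines quoted in the thread.
_BIND_FAIL = re.compile(r"unable to bind DHCP \w+ socket: (?P<reason>.+?)\s*$")
_DISCOVER = re.compile(r"sending DHCP DISCOVER to")
_DNSMASQ_OFFER = re.compile(r"dnsmasq-dhcp\[\d+\]: DHCPOFFER\(")
_NO_VIP = re.compile(r"no virtual IP found")

# Constructed sample: the lines from the thread, in the order they appeared.
SAMPLE_LOG = [
    "charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255",
    "dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78",
    "dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78",
    "charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255",
]


def diagnose(lines):
    """Return (verdict, hint) for a sequence of log lines, most specific first:
    bind-permission, bind-conflict, bind-error, offers-not-received,
    no-offer, no-attempt, no-symptom."""
    bind_reason = None
    discovers = offers = 0
    no_vip = False
    for line in lines:
        m = _BIND_FAIL.search(line)
        if m:
            bind_reason = m.group("reason")
        elif _DISCOVER.search(line):
            discovers += 1
        elif _DNSMASQ_OFFER.search(line):
            offers += 1
        elif _NO_VIP.search(line):
            no_vip = True

    if bind_reason is not None:
        if "Permission denied" in bind_reason:
            return ("bind-permission",
                    "charon could not create its DHCP socket; compare the user, "
                    "capabilities and confinement (e.g. SELinux, an assumption) "
                    "charon gets under the service unit versus a direct start")
        if "Address already in use" in bind_reason:
            return ("bind-conflict",
                    "udp/67 or udp/68 already owned by the local DHCP server; "
                    "see the dev-list thread and patch referenced above")
        return ("bind-error", bind_reason)
    if discovers and offers:
        return ("offers-not-received",
                "the server answered but the plugin's raw socket never saw the "
                "OFFER; try force_server_address = yes with server = <broadcast>")
    if discovers:
        return ("no-offer", "the DHCP server never logged an OFFER; check it "
                "listens on the interface the DISCOVER leaves on")
    if no_vip:
        return ("no-attempt", "no DISCOVER was sent at all; read the plugin "
                "load messages earlier in the log for a socket/port error")
    return ("no-symptom", "no dhcp plugin symptom recognised in these lines")


def probe_bind(port, addr="0.0.0.0"):
    """Bind a UDP socket without SO_REUSEADDR and classify the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, port))
        return "ok"
    except OSError as e:
        if e.errno in (errno.EACCES, errno.EPERM):
            return "permission"   # unprivileged on a port < 1024, or a policy denial
        if e.errno == errno.EADDRINUSE:
            return "in_use"       # another process already owns the port
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def conflict_demo():
    """Reproduce a port conflict on an ephemeral loopback port (no root needed)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        holder.bind(("127.0.0.1", 0))
        return probe_bind(holder.getsockname()[1], "127.0.0.1")
    finally:
        holder.close()


if __name__ == "__main__":
    print("log verdict:", diagnose(SAMPLE_LOG))
    for p in (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
        print(f"udp/{p}:", probe_bind(p))
    print("simulated conflict:", conflict_demo())
```

Run the probe as the same user and in the same context charon runs under, not only from an interactive root shell: the socket outcome depends on the caller's privileges and confinement, which is consistent with Nathan seeing different behaviour between `service strongswan start` and `strongswan start`. `probe_bind` deliberately does not set `SO_REUSEADDR`, so an `in_use` result means the port is genuinely held by another process, which is the conflict the referenced patch addresses.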