[strongSwan] DHCP!

Christian Salway ccsalway at yahoo.co.uk
Fri May 4 01:13:27 CEST 2018


I have literally tried all the dhcp/dns/subnet attr options I can find and I can't get SS to get the DHCP from dnsmasq, nor the clients.

> On 3 May 2018, at 21:39, Christian Salway <christian.salway at naimuri.com> wrote:
> 
> @Thor - ok. So, in your professional capacity, would you say there is no way strongSwan can fix the Windows 10 issue of not adding a route when it connects?
> 
> 
>> On 3 May 2018, at 21:31, Thor Simon <Thor.Simon at twosigma.com> wrote:
>> 
>> If you would like to supply addresses to your clients via IKE Mode Config, the DHCP plugin is one means by which StrongSwan can obtain those addresses.
>> 
>> -----Original Message-----
>> From: Users <users-bounces at lists.strongswan.org> On Behalf Of Christian Salway
>> Sent: Thursday, May 3, 2018 4:27 PM
>> To: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] DHCP!
>> 
>> So what is the purpose of the dhcp plugin then?
>> 
>> 
>>> On 3 May 2018, at 18:52, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>> 
>>> The dhcp plugin or generally strongSwan has nothing to do with that.
>>> Windows itself is supposed to make a DHCP request over the established tunnel. Check what it sends with wireshark or tcpdump.
>>> Use the information from the CorrectTrafficDump[1] page.
>>> 
>>> 
>>> 
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
>>> 
>>>> On 03.05.2018 18:58, Christian Salway wrote:
>>>> I have noticed that Windows 10 is not asking for DHCP though
>>>> 
>>>> May  3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>>>> 
>>>> 
>>>> 
>>>> Whereas OSX is
>>>> 
>>>> May  3 16:53:07 ip-10-0-5-202 charon-systemd[30505]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR *DHCP* DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>> 
>>>> 
>>>> 
>>>> <http://www.naimuri.com>
>>>> 
>>>>> On 3 May 2018, at 17:34, Christian Salway <christian.salway at naimuri.com> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> I've been trying to fix the (lack of) routing passed on to Windows 10 by trying the DHCP answer found at *Split-routing-on-Windows-10-and-Windows-10-Mobile* [1], but I can't get the DHCP to work.  strongSwan doesn't make any requests to it.
>>>>> 
>>>>> I have installed and configured dnsmasq with just the options in the support guide and dnsmasq is listening on tcp port 53 (DNS) and 67 (DHCP).
>>>>> 
>>>>> I have rebuilt strongswan with dhcp support.
>>>>> 
>>>>> 
>>>>> *$ /etc/dnsmasq.conf*
>>>>> dhcp-vendorclass=set:msipsec,MSFT 5.0 
>>>>> dhcp-range=tag:msipsec,192.168.103.0,static
>>>>> dhcp-option=tag:msipsec,6
>>>>> dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0
>>>>> 
>>>>> *$ netstat -tunlp*
>>>>> Active Internet connections (only servers)
>>>>> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>>>> *tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      29951/dnsmasq   *
>>>>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1143/sshd       
>>>>> tcp6       0      0 :::53                   :::*                    LISTEN      29951/dnsmasq   
>>>>> tcp6       0      0 :::22                   :::*                    LISTEN      1143/sshd       
>>>>> udp        0      0 0.0.0.0:4500            0.0.0.0:*                           30147/charon-system
>>>>> udp        0      0 0.0.0.0:500             0.0.0.0:*                           30147/charon-system
>>>>> udp        0      0 0.0.0.0:53              0.0.0.0:*                           29951/dnsmasq   
>>>>> *udp        0      0 0.0.0.0:67              0.0.0.0:*                           29951/dnsmasq   *
>>>>> udp        0      0 0.0.0.0:68              0.0.0.0:*                           30147/charon-system
>>>>> udp        0      0 0.0.0.0:68              0.0.0.0:*                           1005/dhclient   
>>>>> udp6       0      0 :::4500                 :::*                                30147/charon-system
>>>>> udp6       0      0 :::500                  :::*                                30147/charon-system
>>>>> udp6       0      0 :::53                   :::*                                29951/dnsmasq  
>>>>> 
>>>>> 
>>>>> *$ swanctl --stats*
>>>>> ...
>>>>> loaded plugins: charon-systemd charon-systemd aes openssl des rc2 
>>>>> sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints 
>>>>> pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp 
>>>>> curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve 
>>>>> socket-default vici updown eap-identity eap-mschapv2 eap-dynamic 
>>>>> eap-tls xauth-generic *dhcp*
>>>>> 
>>>>> *$ /etc/strongswan.d/charon/dhcp.conf*
>>>>> dhcp {
>>>>>    force_server_address = yes
>>>>>    load = yes
>>>>>    server = 10.0.15.255
>>>>> }
>>>>> 
>>>>> *$ /etc/swanctl/conf.d/policy.conf*
>>>>> connections {
>>>>>  clients {
>>>>>     version = 2
>>>>>     send_cert = always
>>>>>     encap = yes
>>>>>     unique = replace
>>>>>     proposals = aes256-sha256-prfsha256-modp2048-modp1024
>>>>>     pools = pool1
>>>>>     local {
>>>>>        id = vpnserver
>>>>>        certs = vpnserver.crt
>>>>>     }
>>>>>     remote {
>>>>>        auth = eap-mschapv2
>>>>>        eap_id = %any
>>>>>     }
>>>>>     children {
>>>>>        net {
>>>>>           local_ts = 10.0.0.0/20
>>>>>        }
>>>>>     }
>>>>>  }
>>>>> }
>>>>> pools {
>>>>>   pool1 {
>>>>>     addrs = 172.16.0.0/12
>>>>>     subnet = 10.0.0.0/18
>>>>>     dhcp = 10.0.5.202
>>>>>   }
>>>>> }
>>>>> 
>>>>> The route I would expect to see on Windows 10 should simulate
>>>>> 
>>>>> *route ADD 10.0.0.0 MASK 255.255.240.0 172.16.0.X*
>>>>> 
>>>>> 
>>>>> *The connection log *
>>>>> 
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: IKE_SA rsa[1] established between 10.0.5.202[vpnserver1]...148.252.225.26[192.168.1.31]
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: scheduling rekeying in 13750s
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: maximum IKE_SA lifetime 15190s
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning new lease to 'christian.salway.naimuri.com'
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning virtual IP 172.16.0.1 to peer 'christian.salway.naimuri.com'
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any6
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: no virtual IP found for %any6 requested by 'christian.salway.naimuri.com'
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: CHILD_SA net{1} established with SPIs cac7b9af_i 02fc4cb2_o and TS 10.0.0.0/18 === 172.16.0.1/32
>>>>> May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DHCP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>>>>> 
>>>>> 
>>>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Split-routing-on-Windows-10-and-Windows-10-Mobile
>>>> 
>> 
>> 
> 
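The diagnostic point of the thread is whether the client's IKE_AUTH request carries a DHCP attribute in its CPRQ payload (the macOS line does, the Windows 10 line does not) and whether the server's CPRP answers it. The following is an added example, written for this archive page and not code from the thread or from the strongSwan project: it parses charon-systemd IKE_AUTH log lines, pulls the CPRQ/CPRP attribute lists out, and reports per daemon run whether the client asked for DHCP and whether the server offered it. The sample log lines are constructed from the ones quoted above with the bold markers removed; grouping by the charon PID is an assumption (these lines do not print the IKE_SA name), and the unnamed attribute "(25)" is kept as-is rather than decoded.

```python
import re

# Constructed sample: the three IKE_AUTH lines quoted in the thread, one per
# charon run (PID), with the mail client's *bold* markers stripped.
SAMPLE_LOG = """\
May  3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May  3 16:53:07 ip-10-0-5-202 charon-systemd[30505]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May  3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DHCP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
"""

# One charon IKE_AUTH line: PID, request/response, message id, payload list.
LINE_RE = re.compile(
    r"charon-systemd\[(?P<pid>\d+)\]: "
    r"(?P<verb>parsed|generating) IKE_AUTH (?P<kind>request|response) (?P<mid>\d+) "
    r"\[ (?P<payloads>.*) \]$"
)

# A CP payload inside the payload list. Unknown attributes are printed by
# charon as "(25)", so one level of nested digits-in-parentheses is allowed.
CP_RE = re.compile(r"\b(?P<type>CPRQ|CPRP)\((?P<attrs>(?:[^()]|\(\d+\))*)\)")


def parse_cp_payloads(log_text):
    """Return one record per CP payload found on an IKE_AUTH line."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IKE_AUTH line, or a format this parser does not know
        for cp in CP_RE.finditer(m.group("payloads")):
            records.append({
                "pid": int(m.group("pid")),
                "kind": m.group("kind"),        # request or response
                "cp": cp.group("type"),          # CPRQ (client asks) / CPRP (server answers)
                "attrs": cp.group("attrs").split(),
            })
    return records


def summarize(log_text):
    """Group CP attributes by charon PID (assumption: one client test per
    daemon run, as in the thread) and flag DHCP on each side."""
    sessions = {}
    for rec in parse_cp_payloads(log_text):
        s = sessions.setdefault(rec["pid"], {"requested": [], "replied": []})
        side = "requested" if rec["cp"] == "CPRQ" else "replied"
        s[side].extend(rec["attrs"])
    for s in sessions.values():
        s["client_asked_for_dhcp"] = "DHCP" in s["requested"]
        s["server_offered_dhcp"] = "DHCP" in s["replied"]
    return sessions


if __name__ == "__main__":
    for pid, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"charon[{pid}]: client asked for DHCP={s['client_asked_for_dhcp']} "
              f"server offered DHCP={s['server_offered_dhcp']} "
              f"requested={s['requested']} replied={s['replied']}")
```

Feed it `journalctl -u strongswan` output (or the syslog file) and a client whose run shows client_asked_for_dhcp=False is not going to send a DHCP request over the tunnel no matter what the server's dhcp plugin or dnsmasq are configured to do; that is the case to confirm with the traffic dump Noel refers to.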