Hello,
We would like to know if it is possible to declare several
configuration for the dhcp plugin?
The goal is to have a subnet per connection. Each connection would
have its specific DHCP server (e.g. Microsoft DHCP server or ISC
DHCP). The IP addresses of the clients would be distributed by
On 1/16/19 9:38 AM, Harald Dunkel wrote:
Hi folks,
attached you can find charon's and dnsmasq's log files (running on the
same hardware).
Strongswan's dhcp plugin sends out the DHCPDISCOVER at 10:48:07. dnsmasq
seems to wake up somehow (there is a log file entry), but at 10:48:10
it finally
Hi folks,
attached you can find charon's and dnsmasq's log files (running on the
same hardware).
Hope this helps
Harri
Jan 14 10:48:07 12[NET] <43> received packet: from 192.168.1.13[61985] to
192.168.1.209[500] (1256 bytes)
Jan 14 10:48:07 12[ENC] <43> parsed IKE_SA_INIT request 0 [ SA KE No
On 1/14/19 5:12 AM, Harald Dunkel wrote:
> Hi folks,
>
> using isc-dhcp-server 4.3.5 on the peer network my laptop takes just
> a second to establish an IPsec connection (dhcp plugin involved, of
> course). Using dnsmasq 2.80 it takes at least 3 seconds, maybe 4.
>
> Can anybody reproduce this
Hi folks,
using isc-dhcp-server 4.3.5 on the peer network my laptop takes just
a second to establish an IPsec connection (dhcp plugin involved, of
course). Using dnsmasq 2.80 it takes at least 3 seconds, maybe 4.
Can anybody reproduce this disadvantage of dnsmasq over isc-dhcp? Do
you think it
Tobias Brunner writes:
>> only something like (I have had no debug):
>> 2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP
>> DISCOVER to 192.168.200.200
>> 2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP
>> OFFER %any from 192.168.200.200
>>
> only something like (I have had no debug):
> 2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP
> DISCOVER to 192.168.200.200
> 2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP
> OFFER %any from 192.168.200.200
> 2018-10-14T19:27:57.324271+02:00
Tobias Brunner writes:
> Hi Kamil,
>
>> and received dhcp-ack.
>> And ... again send dhcp-request, received dhcp-ack, and we end with
>> infinite loop.
>
> Do you have the strongSwan log that goes with this? And what strongSwan
> and FreeRADIUS versions are you using?
only something like (I
Hi Kamil,
> and received dhcp-ack.
> And ... again send dhcp-request, received dhcp-ack, and we end with
> infinite loop.
Do you have the strongSwan log that goes with this? And what strongSwan
and FreeRADIUS versions are you using?
> Now I (temporarily) configure dhcp server not to send offer
Disclaimer: I do not know if it is bug or feature, and what should be
changed: freeradius or dhcp plugin.
I have configured dhcp plugin:
--8<---cut here---start->8---
dhcp {
force_server_address = yes
identity_lease = yes
interface = eth0
Hi Noel,
Do you have an example configuration for swanctl/vici?
C
> On 5 May 2018, at 11:01, Noel Kuntze
> wrote:
>
> The traffic selector needs to permit the DHCP request through and a DHCP
> server or relay needs to be run locally.
> This
The traffic selector needs to permit the DHCP request through and a DHCP server
or relay needs to be run locally.
This is absolutely no problem, other people already set this up and made it
work.
On 04.05.2018 15:21, Tom Rymes wrote:
> It's designed for a very specific use case, but if you
It's designed for a very specific use case, but if you install it in a
sandbox somewhere, you can get a feel for the powershell scripts and
other bits that are used to configure the clients.
It's all wrapped around Strongswan, so you can transfer the
functionality to your own setup, if you
We are working with very locked down systems so wouldn’t be able to install
that software unfortunately but will have a look out of interest,
Thanks
> On 4 May 2018, at 13:15, Tom Rymes wrote:
>
>> On 05/04/2018 3:45 AM, Christian Salway wrote:
>> Thanks to Dirk Hartmann and
On 05/04/2018 3:45 AM, Christian Salway wrote:
Thanks to Dirk Hartmann and his scripting idea, the simplest way to add
a VPN connection to Windows 10 that includes the routing to the internal
IP, is by running the following commands in PowerShell. This
also enables strong ciphers
Thanks to Dirk Hartmann and his scripting idea, the simplest way to add a VPN
connection to Windows 10 that includes the routing to the internal IP, is by
running the following commands in PowerShell. This also enables
strong ciphers (MODP2048)
This is for a username/password VPN
Still working on this issue so a quick morning update.
I've figured that in the request IKE_AUTH is the client telling strongSwan what
it supports as "information".
# Win10 supports ADDR(1) DNS(3) NBNS(4) SRV ADDR6(8) DNS6(10) SRV6
# OSX supports ADDR DHCP(6) DNS MASK(2) ADDR6
>> To: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>
>> Cc: users@lists.strongswan.org
>> Subject: Re: [strongSwan] DHCP!
>>
>> So what is the purpose of the dhcp plugin then?
>>
>>
>>> On 3 May 2018, at 18:52, Noel Kuntze
> To: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] DHCP!
>
> So what is the purpose of the dhcp plugin then?
>
>
>> On 3 May 2018, at 18:52, Noel Kuntze
>>
To: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] DHCP!
So what is the purpose of the dhcp plugin then?
> On 3 May 2018, at 18:52, Noel Kuntze
> <noel.kuntze+strongswan-users-ml@thermi.consulting>
So what is the purpose of the dhcp plugin then?
> On 3 May 2018, at 18:52, Noel Kuntze
> wrote:
>
> The dhcp plugin or generally strongSwan has nothing to do with that.
> Windows itself is supposed to make a DHCP request over the established
The dhcp plugin or generally strongSwan has nothing to do with that.
Windows itself is supposed to make a DHCP request over the established tunnel.
Check what it sends with wireshark or tcpdump.
Use the information from the CorrectTrafficDump[1] page.
[1]
I have noticed that Windows 10 is not asking for DHCP though
May 3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1
[ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Whereas OSX is
May 3 16:53:07 ip-10-0-5-202 charon-systemd[30505]:
Hi,
I've been trying to fix the (lack of) routing passed on to Windows 10 by trying
the DHCP answer found at Split-routing-on-Windows-10-and-Windows-10-Mobile [1]
but I can't get the DHCP to work. strongSwan doesn't make any requests to it.
I have installed and configured dnsmasq with just the
On 03/06/18 10:42, Tobias Brunner wrote:
Hi Harald,
Question is, how can I tell charon's dhcp plugin to forward either
the FQDN or the CN from the DN entry in the dhcp request?
You can't, the plugin simply uses the client's (IKE or EAP) identity, so
it's up to the client to use the identity
Hi Harald,
>>> Question is, how can I tell charon's dhcp plugin to forward either
>>> the FQDN or the CN from the DN entry in the dhcp request?
>>
>> You can't, the plugin simply uses the client's (IKE or EAP) identity, so
>> it's up to the client to use the identity you want to see on the
On 03/06/18 10:32, Tobias Brunner wrote:
Hi Harald,
Question is, how can I tell charon's dhcp plugin to forward either
the FQDN or the CN from the DN entry in the dhcp request?
You can't, the plugin simply uses the client's (IKE or EAP) identity, so
it's up to the client to use the identity
Hi Harald,
> Question is, how can I tell charon's dhcp plugin to forward either
> the FQDN or the CN from the DN entry in the dhcp request?
You can't, the plugin simply uses the client's (IKE or EAP) identity, so
it's up to the client to use the identity you want to see on the server.
Regards,
Hi folks,
Setup: road warrior, strongswan 5.6.2 on both peers, the gateway
runs dnsmasq to manage an IP address pool and DNS.
Problem: charon-nm seems to forward the DN from the certificate
as the identifier. Apparently charon on the peer seems to ignore
the FQDN from the certificate's DNS
> On 2017-01-25 02:09, Yudi V wrote:
>
>
>
> On Wed, Jan 25, 2017 at 4:27 AM, Dusan Ilic wrote:
>
>> Hello Nikola,
>>
>> Well, br0 is the local LAN interface on the gateway and the local LAN IP
>> of the gateway (also DHCP-server) is 10.1.1.1.
>> So in the network 10.1.1.0/26,
On Wed, Jan 25, 2017 at 4:27 AM, Dusan Ilic wrote:
> Hello Nikola,
>
> Well, br0 is the local LAN interface on the gateway and the local LAN IP
> of the gateway (also DHCP-server) is 10.1.1.1.
> So in the network 10.1.1.0/26, 10.1.1.63 is the local broadcast address.
>
>
>
> On
Spot on, I had some special iptables rules that inadvertently blocked this return
traffic, in combination with only running Charon on public interfaces. After
removing the rule and enabling Charon on br0 it all started to work.
Thank you.
However, now I'm experiencing a new problem. After a
On 24.01.2017 00:17, Nikola Kolev wrote:
> configured that way? Is that one and the same interface (with 10.1.1.1
> on br0)? What is the reason of having a network broadcast IP address set
> on a host?
It's not installed on any host.
>
> I would focus on either running dnsmasq with full debug
Hi,
Maybe I'm misreading the bits you posted, but why would you have your
> # DHCP server unicast or broadcast IP address.
> server = 10.1.1.63
configured that way? Is that one and the same interface (with 10.1.1.1
on br0)? What is the reason of having a network broadcast IP address
Hello,
I have a problem with the DHCP plugin.
I have Strongswan and DNSmasq on the same host (my Linux gateway) and
would like to issue IP addresses from local LAN to remote access users,
however, I can't get it working. In the logging I can see Strongswan
sending DHCP Discover, and DNSmasq
On 23.01.2017 01:46, Dusan Ilic wrote:
> Thanks, I have already read it and configured according to those instructions
> but without any success.
>
> To me it seems to be the issue that the DHCP server is sending the offer to
> its own IP, because Strongswan is also using that IP.
Well, make
Hi,
Thanks, I have already read it and configured according to those instructions
but without any success.
To me it seems to be the issue that the DHCP server is sending the offer to its
own IP, because Strongswan is also using that IP.
Noel Kuntze skrev
>On 22.01.2017 22:33, Dusan
On 22.01.2017 22:33, Dusan Ilic wrote:
> dhcp {
>
> # Always use the configured server address.
> force_server_address = yes
>
> # Derive user-defined MAC address from hash of IKE identity.
> # identity_lease = yes
>
> # Interface name the plugin uses for address
Hi Harald,
> if I migrate the road warriors from IKEv1 to IKEv2, then
> they get new mac addresses (using identity_lease = yes in
> dhcp.conf).
Is that the only thing you changed? Same strongSwan version?
> Each road warrior has kept his certificate and his ID
> (AFAICT), so I wonder if missed
Hi folks,
if I migrate the road warriors from IKEv1 to IKEv2, then
they get new mac addresses (using identity_lease = yes in
dhcp.conf). This breaks their dhcp lease, and we have to
register the new mac addresses in the dhcp server
configuration for mac-based access control.
Each road warrior
On 04/11/16 16:24, Harald Dunkel wrote:
> Hi folks,
>
> Using IKEv2 to connect to MacOS 10.11.4:
>
PS: Sorry, this was misleading. It's a road warrior scenario
between a few MacOS laptops and a central strongswan
installation using IKEv2. The connections are initiated
only by the laptops.
Good Day Tobias,
Thank you for the response. A little update. I was able to resolve the "DHCP
storm" issue by eliminating the rightsubnet declaration.
I did notice that if leftsubnet was NOT everything (0.0.0.0/0), the client
would not pick up the DNS server from the strongSwan peer. Perhaps
Hi Dan,
> I am configuring my strongSwan instance on Debian Wheezy for a single
> road warrior to be able to connect via IKEv2. It works, but whenever
> I establish the tunnel from the remote client, the Debian instance
> floods the network with DHCP lease requests.
What client are you using?
Good Day All,
I am configuring my strongSwan instance on Debian Wheezy for a single road
warrior to be able to connect via IKEv2. It works, but whenever I establish the
tunnel from the remote client, the Debian instance floods the network with DHCP
lease requests. Destroy the connection and
I'm trying to understand what is meant by this:
A new plugin called farp fakes ARP responses for virtual IP addresses
handed out to clients from the IKEv2 daemon charon. The plugin lets a
road-warrior act as a client on the local LAN if it uses a virtual IP
from the responders subnet, e.g.
I can be wrong, but I still try to respond :)
IMHO without this farp you should create separate address pool
for roadwarriors and implement some routing (L3) leading to this pool.
With farp you can assign roadwarriors with IP addresses from your
internal corporate network. If any station on
Hi Andreas,
On 03/19/14 17:31, Andreas Steffen wrote:
Hi Harri,
the MAC address does not change if the new certificate
has the same subjectDistinguishedName or subjectAlternativeName
chosen as the IKEv2 ID.
As an alternative you could explicitly register the client IKEv2 ID
as a
Hi folks,
I have to restrict the IP address pool of my DHCP server to
known MAC addresses only. In this context I have 2 questions
about the dhcp plugin (using identity_lease = yes):
Wiki says, the mac address is derived from the IKEv2 identity.
Does this mean the mac address changes, if I renew
Hi Harri,
the MAC address does not change if the new certificate
has the same subjectDistinguishedName or subjectAlternativeName
chosen as the IKEv2 ID.
As an alternative you could explicitly register the client IKEv2 ID
as a dhcp-client-identifier attribute with your DHCP server
as in the
Hello,
Is it possible to use a local DHCP server within the same IPSec Server to
get IP address for remote rw ?
If yes please suggest me a way to hide my local DHCP server from other
devices on lan.
Thanks
___
Users mailing list
On 01/06/2014 07:29 AM, vivek singh wrote:
Hello,
Is it possible to use a local DHCP server within the same IPSec Server to
get IP address for remote rw ?
If yes please suggest me a way to hide my local DHCP server from other
devices on lan.
Hi Vivek,
isn't a memory based IP address
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Jean-Marc,
This isn't possible as the DHCP-plugin uses DHCP on the LAN, the strongSwan box
is connected to, to negotiate the IP.
That means, that it uses DHCP DISCOVER messages to discover available DHCP
servers on the network and then
Hello,
Is it possible to have one DHCP server per connection ?
For example :
- use dhcp.local1.net server for conn local1-net and
- use dhcp.local2.net for conn local2-net
Jean-Marc
On 13/02/13 12:40, Martin Willi wrote:
Hi,
the DHCP Request’s Client Identifier field is set to the DER ASN1 DN
identifier of the client. I expected to see the FQDN in this field so
that it could be used for pre-configured static assignment in the DHCP
server’s configuration file.
The
Hi,
The Android client authenticates itself with the certificate subject
when using certificate authentication, which is a full Distinguished
Name.
@Tobias, there is currently no way to change that, right?
No, the app currently does not provide an option to change the identity.
Regards,
Hello,
I am using the DHCP plugin to supply an address to my Android(4.1)
strongSwan VPN Client that connects to a strongSwan(4.5.2)server with
IKEv2. I want the DHCP server to statically assign IP addresses based on
the client's FQDN. The FQDN is used as the CN in client's certificate and
as the
[mailto:andreas.stef...@strongswan.org]
Sent: Monday, May 23, 2011 12:10 PM
To: Marwil, Mark-P63354
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] DHCP over IPsec
Hi Mark,
strongSwan as a client does not support DHCP-over-IPsec as defined
by RFC 3456, although we introduced the left|rightprotoport
) to ExternalUsers
(172.17.1.11) and viceversa.
4- Do some more traffic, let's say VNC.
Carlos.
--- On Sat 10-Oct-09, Daniel Mentz danielml+mailinglists.strongs...@sent.com
wrote:
From: Daniel Mentz danielml+mailinglists.strongs...@sent.com
Subject: Re: [strongSwan] DHCP/Any Traffic over
Hi all,
I am new to VPN and I am committed to create a solution at the company I work
with, but it must be based on open source. I did some googling and I found out
strongSwan which looks interesting and the VPN server can be accessed from any
device (ex, linksys or dlink with vpn support).
You must define a connection entry for each user since the
IKEv1 pluto daemon does not support address pools:
conn %default
    right=%any
    auto=add
conn alice
    rightid=al...@strongswan.org
    rightsourceip=10.3.0.1
conn bob
    rightid=...@strongswan.org
62 matches