[strongSwan] DHCP server per connection

2019-11-29 Thread jm130794
Hello, We would like to know if it is possible to declare several configuration for the dhcp plugin? The goal is to have a subnet per connection. Each connection would have its specific DHCP server (e.g. Microsoft DHCP server or ISC DHCP). The IP addresses of the clients would be distributed by

Re: [strongSwan] dhcp plugin, isc-dhcp vs dnsmasq

2019-01-16 Thread Harald Dunkel
On 1/16/19 9:38 AM, Harald Dunkel wrote: Hi folks, attached you can find charon's and dnsmasq's log files (running on the same hardware). Strongswan's dhcp plugin sends out the DHCPDISCOVER at 10:48:07. dnsmasq seems to wake up somehow (there is a log file entry), but at 10:48:10 it finally

Re: [strongSwan] dhcp plugin, isc-dhcp vs dnsmasq

2019-01-16 Thread Harald Dunkel
Hi folks, attached you can find charon's and dnsmasq's log files (running on the same hardware). Hope this helps Harri Jan 14 10:48:07 12[NET] <43> received packet: from 192.168.1.13[61985] to 192.168.1.209[500] (1256 bytes) Jan 14 10:48:07 12[ENC] <43> parsed IKE_SA_INIT request 0 [ SA KE No

[strongSwan] dhcp plugin, isc-dhcp vs dnsmasq

2019-01-14 Thread brent s.
On 1/14/19 5:12 AM, Harald Dunkel wrote: > Hi folks, > > using isc-dhcp-server 4.3.5 on the peer network my laptop takes just > a second to establish an IPsec connection (dhcp plugin involved, of > course). Using dnsmasq 2.80 it takes at least 3 seconds, maybe 4. > > Can anybody reproduce this

[strongSwan] dhcp plugin, isc-dhcp vs dnsmasq

2019-01-14 Thread Harald Dunkel
Hi folks, using isc-dhcp-server 4.3.5 on the peer network my laptop takes just a second to establish an IPsec connection (dhcp plugin involved, of course). Using dnsmasq 2.80 it takes at least 3 seconds, maybe 4. Can anybody reproduce this disadvantage of dnsmasq over isc-dhcp? Do you think it

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Kamil Jońca
Tobias Brunner writes: >> only something like (I have had no debug): >> 2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP >> DISCOVER to 192.168.200.200 >> 2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP >> OFFER %any from 192.168.200.200 >>

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Tobias Brunner
> only something like (I have had no debug): > 2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP > DISCOVER to 192.168.200.200 > 2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP > OFFER %any from 192.168.200.200 > 2018-10-14T19:27:57.324271+02:00

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Kamil Jońca
Tobias Brunner writes: > Hi Kamil, > >> and received dhcp-ack. >> And ... again send dhcp-request, received dhcp-ack, and we end with >> infinite loop. > > Do you have the strongSwan log that goes with this? And what strongSwan > and FreeRADIUS versions are you using? only something like (I

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Tobias Brunner
Hi Kamil, > and received dhcp-ack. > And ... again send dhcp-request, received dhcp-ack, and we end with > infinite loop. Do you have the strongSwan log that goes with this? And what strongSwan and FreeRADIUS versions are you using? > Now I (temporarily) configure dhcp server not to send offer

[strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Kamil Jońca
Disclaimer: I do not know if it is bug or feature, and what should be changed: freeradius or dhcp plugin. I have configured dhcp plugin: --8<---cut here---start->8--- dhcp { force_server_address = yes identity_lease = yes interface = eth0

Re: [strongSwan] DHCP!

2018-05-05 Thread Christian Salway
Hi Noel, Do you have an example configuration for swanctl/vici? C > On 5 May 2018, at 11:01, Noel Kuntze > wrote: > > The traffic selector needs to permit the DHCP request through and a DHCP > server or relay needs to be run locally. > This

Re: [strongSwan] DHCP!

2018-05-05 Thread Noel Kuntze
The traffic selector needs to permit the DHCP request through and a DHCP server or relay needs to be run locally. This is absolutely no problem, other people already set this up and made it work. On 04.05.2018 15:21, Tom Rymes wrote: > It's designed for a very specific use case, but if you

Re: [strongSwan] DHCP!

2018-05-04 Thread Tom Rymes
It's designed for a very specific use case, but if you install it in a sandbox somewhere, you can get a feel for the powershell scripts and other bits that are used to configure the clients. It's all wrapped around Strongswan, so you can transfer the functionality to your own setup, if you

Re: [strongSwan] DHCP!

2018-05-04 Thread Christian Salway
We are working with very locked down systems so wouldn’t be able to install that software unfortunately but will have a look out of interest, Thanks > On 4 May 2018, at 13:15, Tom Rymes wrote: > >> On 05/04/2018 3:45 AM, Christian Salway wrote: >> Thanks to Dirk Hartmann and

Re: [strongSwan] DHCP!

2018-05-04 Thread Tom Rymes
On 05/04/2018 3:45 AM, Christian Salway wrote: Thanks to Dirk Hartmann and his scripting idea, the simplest way to add a VPN connection to Windows 10 that includes the routing to the internal IP is by running the following commands in PowerShell. This also enables strong ciphers

Re: [strongSwan] DHCP!

2018-05-04 Thread Christian Salway
Thanks to Dirk Hartmann and his scripting idea, the simplest way to add a VPN connection to Windows 10 that includes the routing to the internal IP is by running the following commands in PowerShell. This also enables strong ciphers (MODP2048). This is for a username/password VPN

Re: [strongSwan] DHCP!

2018-05-04 Thread Christian Salway
Still working on this issue so a quick morning update. I've figured that in the request IKE_AUTH is the client telling strongSwan what it supports as "information". # Win10 supports ADDR(1) DNS(3) NBNS(4) SRV ADDR6(8) DNS6(10) SRV6 # OSX supports ADDR DHCP(6) DNS MASK(2) ADDR6

Re: [strongSwan] DHCP!

2018-05-03 Thread Christian Salway
To: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> >> Cc: users@lists.strongswan.org >> Subject: Re: [strongSwan] DHCP! >> >> So what is the purpose of the dhcp plugin then? >> >> >>> On 3 May 2018, at 18:52, Noel Kuntze >

Re: [strongSwan] DHCP!

2018-05-03 Thread Christian Salway
018 4:27 PM > To: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> > Cc: users@lists.strongswan.org > Subject: Re: [strongSwan] DHCP! > > So what is the purpose of the dhcp plugin then? > > >> On 3 May 2018, at 18:52, Noel Kuntze >>

Re: [strongSwan] DHCP!

2018-05-03 Thread Thor Simon
:27 PM To: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> Cc: users@lists.strongswan.org Subject: Re: [strongSwan] DHCP! So what is the purpose of the dhcp plugin then? > On 3 May 2018, at 18:52, Noel Kuntze > <noel.kuntze+strongswan-users-ml@thermi.consulting>

Re: [strongSwan] DHCP!

2018-05-03 Thread Christian Salway
So what is the purpose of the dhcp plugin then? > On 3 May 2018, at 18:52, Noel Kuntze > wrote: > > The dhcp plugin or generally strongSwan has nothing to do with that. > Windows itself is supposed to make a DHCP request over the established

Re: [strongSwan] DHCP!

2018-05-03 Thread Noel Kuntze
The dhcp plugin or generally strongSwan has nothing to do with that. Windows itself is supposed to make a DHCP request over the established tunnel. Check what it sends with wireshark or tcpdump. Use the information from the CorrectTrafficDump[1] page. [1]

Re: [strongSwan] DHCP!

2018-05-03 Thread Christian Salway
I have noticed that Windows 10 is not asking for DHCP though May 3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ] Whereas OSX is May 3 16:53:07 ip-10-0-5-202 charon-systemd[30505]:

[strongSwan] DHCP!

2018-05-03 Thread Christian Salway
Hi, I've been trying to fix the (lack of) routing passed on to Windows 10 by trying the DHCP answer found at Split-routing-on-Windows-10-and-Windows-10-Mobile [1] but I can't get the DHCP to work. strongSwan doesn't make any requests to it. I have installed and configured dnsmasq with just the

Re: [strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-07 Thread Harald Dunkel
On 03/06/18 10:42, Tobias Brunner wrote: Hi Harald, Question is, how can I tell charon's dhcp plugin to forward either the FQDN or the CN from the DN entry in the dhcp request? You can't, the plugin simply uses the client's (IKE or EAP) identity, so it's up to the client to use the identity

Re: [strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-06 Thread Tobias Brunner
Hi Harald, >>> Question is, how can I tell charon's dhcp plugin to forward either >>> the FQDN or the CN from the DN entry in the dhcp request? >> >> You can't, the plugin simply uses the client's (IKE or EAP) identity, so >> it's up to the client to use the identity you want to see on the

Re: [strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-06 Thread Harald Dunkel
On 03/06/18 10:32, Tobias Brunner wrote: Hi Harald, Question is, how can I tell charon's dhcp plugin to forward either the FQDN or the CN from the DN entry in the dhcp request? You can't, the plugin simply uses the client's (IKE or EAP) identity, so it's up to the client to use the identity

Re: [strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-06 Thread Tobias Brunner
Hi Harald, > Question is, how can I tell charon's dhcp plugin to forward either > the FQDN or the CN from the DN entry in the dhcp request? You can't, the plugin simply uses the client's (IKE or EAP) identity, so it's up to the client to use the identity you want to see on the server. Regards,

[strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-06 Thread Harald Dunkel
Hi folks, Setup: road warrior, strongswan 5.6.2 on both peers, the gateway runs dnsmasq to manage an IP address pool and DNS. Problem: charon-nm seems to forward the DN from the certificate as the identifier. Apparently charon on the peer seems to ignore the FQDN from the certificate's DNS

Re: [strongSwan] DHCP plugin

2017-01-29 Thread Yudi V
> On 2017-01-25 02:09, Yudi V wrote: > > > > On Wed, Jan 25, 2017 at 4:27 AM, Dusan Ilic wrote: > >> Hello Nikola, >> >> Well, br0 is the local LAN interface on the gateway and the local LAN IP >> of the gateway (also DHCP-server) is 10.1.1.1. >> So in the network 10.1.1.0/26,

Re: [strongSwan] DHCP plugin

2017-01-24 Thread Yudi V
On Wed, Jan 25, 2017 at 4:27 AM, Dusan Ilic wrote: > Hello Nikola, > > Well, br0 is the local LAN interface on the gateway and the local LAN IP > of the gateway (also DHCP-server) is 10.1.1.1. > So in the network 10.1.1.0/26, 10.1.1.63 is the local broadcast address. > > > > On

Re: [strongSwan] DHCP plugin

2017-01-24 Thread Dusan Ilic
Spot on, I had some special iptables rules that inadvertently blocked this return traffic, in combination with only running Charon on public interfaces. After removing the rule and enabling Charon on br0 it all started to work. Thank you. However, now I'm experiencing a new problem. After a

Re: [strongSwan] DHCP plugin

2017-01-23 Thread Noel Kuntze
On 24.01.2017 00:17, Nikola Kolev wrote: > configured that way? Is that one and the same interface (with 10.1.1.1 > on br0)? What is the reason of having a network broadcast IP address set > on a host? It's not installed on any host. > > I would focus on either running dnsmasq with full debug

Re: [strongSwan] DHCP plugin

2017-01-23 Thread Nikola Kolev
Hi, Maybe I'm misreading the bits you posted, but why would you have your > # DHCP server unicast or broadcast IP address. > server = 10.1.1.63 configured that way? Is that one and the same interface (with 10.1.1.1 on br0)? What is the reason of having a network broadcast IP address

[strongSwan] DHCP plugin

2017-01-22 Thread Dusan Ilic
Hello, I have a problem with the DHCP plugin. I have Strongswan and DNSmasq on the same host (my Linux gateway) and would like to issue IP addresses from the local LAN to remote access users, however, I can't get it working. In the logging I can see Strongswan sending DHCP Discover, and DNSmasq

Re: [strongSwan] DHCP plugin

2017-01-22 Thread Noel Kuntze
On 23.01.2017 01:46, Dusan Ilic wrote: > Thanks, I have already read it and configured according to those instructions > but without any success. > > To me it seems to be the issue that the DHCP server is sending the offer to > its own IP, because Strongswan is also using that IP. Well, make

Re: [strongSwan] DHCP plugin

2017-01-22 Thread Dusan Ilic
Hi, Thanks, I have already read it and configured according to those instructions but without any success. To me it seems to be the issue that the DHCP server is sending the offer to its own IP, because Strongswan is also using that IP. Noel Kuntze wrote >On 22.01.2017 22:33, Dusan

Re: [strongSwan] DHCP plugin

2017-01-22 Thread Noel Kuntze
On 22.01.2017 22:33, Dusan Ilic wrote: > dhcp { > > # Always use the configured server address. > force_server_address = yes > > # Derive user-defined MAC address from hash of IKE identity. > # identity_lease = yes > > # Interface name the plugin uses for address

Re: [strongSwan] dhcp plugin: migration from IKEv1 to IKEv2 breaks dhcp leases

2016-07-12 Thread Tobias Brunner
Hi Harald, > if I migrate the road warriors from IKEv1 to IKEv2, then > they get new mac addresses (using identity_lease = yes in > dhcp.conf). Is that the only thing you changed? Same strongSwan version? > Each road warrior has kept his certificate and his ID > (AFAICT), so I wonder if missed

[strongSwan] dhcp plugin: migration from IKEv1 to IKEv2 breaks dhcp leases

2016-07-08 Thread Harald Dunkel
Hi folks, if I migrate the road warriors from IKEv1 to IKEv2, then they get new mac addresses (using identity_lease = yes in dhcp.conf). This breaks their dhcp lease, and we have to register the new mac addresses in the dhcp server configuration for mac-based access control. Each road warrior

Re: [strongSwan] dhcp plugin: how to verify dhcp options forwarded to road warrior?

2016-04-11 Thread Harald Dunkel
On 04/11/16 16:24, Harald Dunkel wrote: > Hi folks, > > Using IKEv2 to connect to MacOS 10.11.4: > PS: Sorry, this was misleading. It's a road warrior scenario between a few MacOS laptops and a central strongswan installation using IKEv2. The connections are initiated only by the laptops.

Re: [strongSwan] DHCP flood

2016-03-24 Thread Daniel Flynn
Good Day Tobias, Thank you for the response. A little update. I was able to resolve the "DHCP storm" issue by eliminating the rightsubnet declaration. I did notice that if leftsubnet was NOT everything (0.0.0.0/0), the client would not pick up the DNS server from the strongSwan peer. Perhaps

Re: [strongSwan] DHCP flood

2016-03-23 Thread Tobias Brunner
Hi Dan, > I am configuring my strongSwan instance on Debian Wheezy for a single > road warrior to be able to connect via IKEv2. It works, but whenever > I establish the tunnel from the remote client, the Debian instance > floods the network with DHCP lease requests. What client are you using?

[strongSwan] DHCP flood

2016-03-22 Thread Daniel Flynn
Good Day All, I am configuring my strongSwan instance on Debian Wheezy for a single road warrior to be able to connect via IKEv2. It works, but whenever I establish the tunnel from the remote client, the Debian instance floods the network with DHCP lease requests. Destroy the connection and

[strongSwan] dhcp/farp plugins

2014-09-23 Thread Cindy Moore
I'm trying to understand what is meant by this: A new plugin called farp fakes ARP responses for virtual IP addresses handed out to clients from the IKEv2 daemon charon. The plugin lets a road-warrior act as a client on the local LAN if it uses a virtual IP from the responders subnet, e.g.

Re: [strongSwan] dhcp/farp plugins

2014-09-23 Thread Alexander Sbitnev
I can be wrong, but I still try to respond :) IMHO without this farp you should create separate address pool for roadwarriors and implement some routing (L3) leading to this pool. With farp you can assign roadwarriors with IP addresses from your internal corporate network. If any station on

Re: [strongSwan] dhcp plugin: mac address unpredictable?

2014-03-20 Thread Harald Dunkel
Hi Andreas, On 03/19/14 17:31, Andreas Steffen wrote: Hi Harri, the MAC address does not change if the new certificate has the same subjectDistinguishedName or subjectAlternativeName chosen as the IKEv2 ID. As an alternative you could explicitly register the client IKEv2 ID as a

[strongSwan] dhcp plugin: mac address unpredictable?

2014-03-19 Thread Harald Dunkel
Hi folks, I have to restrict the IP address pool of my DHCP server to known MAC addresses only. In this context I have 2 questions about the dhcp plugin (using identity_lease = yes): Wiki says, the mac address is derived from the IKEv2 identity. Does this mean the mac address changes, if I renew

Re: [strongSwan] dhcp plugin: mac address unpredictable?

2014-03-19 Thread Andreas Steffen
Hi Harri, the MAC address does not change if the new certificate has the same subjectDistinguishedName or subjectAlternativeName chosen as the IKEv2 ID. As an alternative you could explicitly register the client IKEv2 ID as a dhcp-client-identifier attribute with your DHCP server as in the

[strongSwan] StrongSwan: DHCP server configuration

2014-01-06 Thread vivek singh
Hello, Is it possible to use a local DHCP server within the same IPSec Server to get IP address for remote rw ? If yes please suggest me a way to hide my local DHCP server from other devices on lan. Thanks

Re: [strongSwan] StrongSwan: DHCP server configuration

2014-01-06 Thread Thomas Egerer
On 01/06/2014 07:29 AM, vivek singh wrote: Hello, Is it possible to use a local DHCP server within the same IPSec Server to get IP address for remote rw ? If yes please suggest me a way to hide my local DHCP server from other devices on lan. Hi Vivek, isn't a memory based IP address

Re: [strongSwan] DHCP question

2013-11-04 Thread Noel Kuntze
Hello Jean-Marc, This isn't possible as the DHCP-plugin uses DHCP on the LAN, the strongSwan box is connected to, to negotiate the IP. That means, that it uses DHCP DISCOVER messages to discover available DHCP servers on the network and then

[strongSwan] DHCP question

2013-11-03 Thread Jean-Marc Choulet
Hello, Is it possible to have one DHCP server per connection ? For example : - use dhcp.local1.net server for conn local1-net and - use dhcp.local2.net for conn local2-net Jean-Marc

Re: [strongSwan] DHCP plugin static client id wrong format

2013-07-05 Thread Daniel Pocock
On 13/02/13 12:40, Martin Willi wrote: Hi, the DHCP Request’s Client Identifier field is set to the DER ASN1 DN identifier of the client. I expected to see the FQDN in this field so that it could be used for pre-configured static assignment in the DHCP server’s configuration file. The

Re: [strongSwan] DHCP plugin static client id wrong format

2013-02-14 Thread Tobias Brunner
Hi, The Android client authenticates itself with the certificate subject when using certificate authentication, which is a full Distinguished Name. @Tobias, there is currently no way to change that, right? No, the app currently does not provide an option to change the identity. Regards,

[strongSwan] DHCP plugin static client id wrong format

2013-02-13 Thread g s
Hello, I am using the DHCP plugin to supply an address to my Android (4.1) strongSwan VPN Client that connects to a strongSwan (4.5.2) server with IKEv2. I want the DHCP server to statically assign IP addresses based on the client's FQDN. The FQDN is used as the CN in client's certificate and as the

Re: [strongSwan] DHCP over IPsec

2011-05-23 Thread Mark.Marwil
[mailto:andreas.stef...@strongswan.org] Sent: Monday, May 23, 2011 12:10 PM To: Marwil, Mark-P63354 Cc: users@lists.strongswan.org Subject: Re: [strongSwan] DHCP over IPsec Hi Mark, strongSwan as a client does not support DHCP-over-IPsec as defined by RFC 3456, although we introduced the left|rightprotoport

Re: [strongSwan] DHCP/Any Traffic over an established VPN tunnel

2009-10-11 Thread Carlos Lopez
) to ExternalUsers (172.17.1.11) and vice versa. 4- Do some more traffic, let's say VNC. Carlos. --- On Sat, 10 Oct 2009, Daniel Mentz danielml+mailinglists.strongs...@sent.com wrote: From: Daniel Mentz danielml+mailinglists.strongs...@sent.com Subject: Re: [strongSwan] DHCP/Any Traffic over

[strongSwan] DHCP/Any Traffic over an established VPN tunnel

2009-10-07 Thread Carlos Lopez
Hi all, I am new to VPN and I am committed to create a solution on the company I work with, but it must be based on open source. I did some googling and I found out strongSwan which looks interesting and the VPN server can be accessed from any device (ex, linksys or dlink with vpn support).

Re: [strongSwan] dhcp / ip pool

2009-02-02 Thread Andreas Steffen
You must define a connection entry for each user since the IKEv1 pluto daemon does not support address pools: conn %default right=%any auto=add conn alice rightid=al...@strongswan.org rightsourceip=10.3.0.1 conn bob rightid=...@strongswan.org