Hi, I've been trying to fix the (lack of) routing passed on to Windows 10 by trying the DHCP answer found at Split-routing-on-Windows-10-and-Windows-10-Mobile [1], but I can't get the DHCP to work. strongSwan doesn't make any requests to it.
I have installed and configured dnsmasq with just the options in the support guide and dnsmasq is listening on tcp port 53 (DNS) and 67 (DHCP). I have rebuilt strongSwan with DHCP support.

$ /etc/dnsmasq.conf
dhcp-vendorclass=set:msipsec,MSFT 5.0
dhcp-range=tag:msipsec,192.168.103.0,static
dhcp-option=tag:msipsec,6
dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0

$ netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      29951/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1143/sshd
tcp6       0      0 :::53                   :::*                    LISTEN      29951/dnsmasq
tcp6       0      0 :::22                   :::*                    LISTEN      1143/sshd
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           30147/charon-system
udp        0      0 0.0.0.0:500             0.0.0.0:*                           30147/charon-system
udp        0      0 0.0.0.0:53              0.0.0.0:*                           29951/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           29951/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           30147/charon-system
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1005/dhclient
udp6       0      0 :::4500                 :::*                                30147/charon-system
udp6       0      0 :::500                  :::*                                30147/charon-system
udp6       0      0 :::53                   :::*                                29951/dnsmasq

$ swanctl --stats
...
loaded plugins: charon-systemd charon-systemd aes openssl des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic dhcp

$ /etc/strongswan.d/charon/dhcp.conf
dhcp {
    force_server_address = yes
    load = yes
    server = 10.0.15.255
}

$ /etc/swanctl/conf.d/policy.conf
connections {
    clients {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        proposals = aes256-sha256-prfsha256-modp2048-modp1024
        pools = pool1
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/20
            }
        }
    }
}
pools {
    pool1 {
        addrs = 172.16.0.0/12
        subnet = 10.0.0.0/18
        dhcp = 10.0.5.202
    }
}

The route I would expect to see on Windows 10 should simulate

route ADD 10.0.0.0 MASK 255.255.240.0 172.16.0.X

The connection log

May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: IKE_SA rsa[1] established between 10.0.5.202[vpnserver1]...148.252.225.26[192.168.1.31]
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: scheduling rekeying in 13750s
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: maximum IKE_SA lifetime 15190s
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning new lease to 'christian.salway.naimuri.com'
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning virtual IP 172.16.0.1 to peer 'christian.salway.naimuri.com'
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any6
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: no virtual IP found for %any6 requested by 'christian.salway.naimuri.com'
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: CHILD_SA net{1} established with SPIs cac7b9af_i 02fc4cb2_o and TS 10.0.0.0/18 === 172.16.0.1/32
May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DHCP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Split-routing-on-Windows-10-and-Windows-10-Mobile