The dhcp plugin, or generally strongSwan, has nothing to do with that. Windows itself is supposed to make a DHCP request over the established tunnel. Check what it sends with Wireshark or tcpdump. Use the information from the CorrectTrafficDump [1] page.
[1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump

On 03.05.2018 18:58, Christian Salway wrote:
> I have noticed that Windows 10 is not asking for DHCP though
>
> May 3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>
> Whereas OSX is
>
> May 3 16:53:07 ip-10-0-5-202 charon-systemd[30505]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR *DHCP* DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>
> <http://www.naimuri.com>
>
>> On 3 May 2018, at 17:34, Christian Salway <[email protected] <mailto:[email protected]>> wrote:
>>
>> Hi,
>>
>> I've been trying to fix the (lack of) routing passed on to Windows 10 by trying the DHCP answer found at *Split-routing-on-Windows-10-and-Windows-10-Mobile* [1] but I can't get the DHCP to work. strongSwan doesn't make any requests to it.
>>
>> I have installed and configured dnsmasq with just the options in the support guide and dnsmasq is listening on tcp port 53 (DNS) and 67 (DHCP).
>>
>> I have rebuilt strongswan with dhcp support.
>>
>> *$ /etc/dnsmasq.conf*
>> dhcp-vendorclass=set:msipsec,MSFT 5.0
>> dhcp-range=tag:msipsec,192.168.103.0,static
>> dhcp-option=tag:msipsec,6
>> dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0
>>
>> *$ netstat -tunlp*
>> Active Internet connections (only servers)
>> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>> *tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 29951/dnsmasq*
>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1143/sshd
>> tcp6 0 0 :::53 :::* LISTEN 29951/dnsmasq
>> tcp6 0 0 :::22 :::* LISTEN 1143/sshd
>> udp 0 0 0.0.0.0:4500 0.0.0.0:* 30147/charon-system
>> udp 0 0 0.0.0.0:500 0.0.0.0:* 30147/charon-system
>> udp 0 0 0.0.0.0:53 0.0.0.0:* 29951/dnsmasq
>> *udp 0 0 0.0.0.0:67 0.0.0.0:* 29951/dnsmasq*
>> udp 0 0 0.0.0.0:68 0.0.0.0:* 30147/charon-system
>> udp 0 0 0.0.0.0:68 0.0.0.0:* 1005/dhclient
>> udp6 0 0 :::4500 :::* 30147/charon-system
>> udp6 0 0 :::500 :::* 30147/charon-system
>> udp6 0 0 :::53 :::* 29951/dnsmasq
>>
>> *$ swanctl --stats*
>> ...
>> loaded plugins: charon-systemd charon-systemd aes openssl des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic *dhcp*
>>
>> *$ /etc/strongswan.d/charon/dhcp.conf*
>> dhcp {
>>     force_server_address = yes
>>     load = yes
>>     server = 10.0.15.255
>> }
>>
>> *$ /etc/swanctl/conf.d/policy.conf*
>> connections {
>>     clients {
>>         version = 2
>>         send_cert = always
>>         encap = yes
>>         unique = replace
>>         proposals = aes256-sha256-prfsha256-modp2048-modp1024
>>         pools = pool1
>>         local {
>>             id = vpnserver
>>             certs = vpnserver.crt
>>         }
>>         remote {
>>             auth = eap-mschapv2
>>             eap_id = %any
>>         }
>>         children {
>>             net {
>>                 local_ts = 10.0.0.0/20
>>             }
>>         }
>>     }
>> }
>> pools {
>>     pool1 {
>>         addrs = 172.16.0.0/12
>>         subnet = 10.0.0.0/18
>>         dhcp = 10.0.5.202
>>     }
>> }
>>
>> The route I would expect to see on Windows 10 should simulate
>>
>> *route ADD 10.0.0.0 MASK 255.255.240.0 172.16.0.X*
>>
>> *The connection log*
>>
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: IKE_SA rsa[1] established between 10.0.5.202[vpnserver1]...148.252.225.26[192.168.1.31]
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: scheduling rekeying in 13750s
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: maximum IKE_SA lifetime 15190s
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning new lease to 'christian.salway.naimuri.com'
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning virtual IP 172.16.0.1 to peer 'christian.salway.naimuri.com'
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any6
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: no virtual IP found for %any6 requested by 'christian.salway.naimuri.com'
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: CHILD_SA net{1} established with SPIs cac7b9af_i 02fc4cb2_o and TS 10.0.0.0/18 === 172.16.0.1/32
>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DHCP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Split-routing-on-Windows-10-and-Windows-10-Mobile
>
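As an added example (not code from this thread, nor from the dnsmasq or strongSwan projects), the following Python shows what the quoted `dhcp-option=tag:msipsec,249,...` line turns into on the wire. Option 249 is the Microsoft classless static route option and carries the same RFC 3442 encoding as the standard option 121: per route, one prefix-length byte, only the significant octets of the destination, then the four-octet router. Having the encoder and decoder side by side makes it easy to check, in the tcpdump or Wireshark capture of the DHCP exchange over the tunnel, whether the routes that reach the Windows client are the ones the server was configured to send. The route list constant is copied from the quoted dnsmasq.conf; all function names are this example's own.

```python
"""Added example: encode/decode DHCP classless static routes (RFC 3442
format, used by option 121 and by Microsoft's option 249).

Per route:  1 byte prefix length
            N bytes significant destination octets, N = ceil(prefixlen / 8)
            4 bytes router address (0.0.0.0 means on-link)
Function and constant names are this example's own, not dnsmasq's or
strongSwan's.
"""
import ipaddress
import math

# Value copied from the quoted dnsmasq.conf option 249 line.
DNSMASQ_OPTION_249 = "0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0"
MS_CLASSLESS_STATIC_ROUTE = 249  # DHCP option code Windows clients look for


def parse_dnsmasq_routes(spec):
    """Turn 'dest/len,router,dest/len,router,...' into (network, router) pairs."""
    parts = [p.strip() for p in spec.split(",") if p.strip()]
    if len(parts) % 2:
        raise ValueError("route list must be destination/router pairs")
    return [
        (ipaddress.IPv4Network(dest, strict=False), ipaddress.IPv4Address(router))
        for dest, router in zip(parts[0::2], parts[1::2])
    ]


def encode_routes(routes):
    """RFC 3442 payload for a list of (IPv4Network, IPv4Address) routes."""
    out = bytearray()
    for net, router in routes:
        plen = net.prefixlen
        out.append(plen)
        # Only ceil(plen / 8) destination octets are transmitted.
        out += net.network_address.packed[: math.ceil(plen / 8)]
        out += router.packed
    return bytes(out)


def decode_routes(payload):
    """Inverse of encode_routes; rejects truncated or malformed payloads."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError("prefix length %d > 32 at offset %d" % (plen, i))
        n = math.ceil(plen / 8)
        i += 1
        dest = payload[i:i + n]
        router = payload[i + n:i + n + 4]
        if len(dest) != n or len(router) != 4:
            raise ValueError("truncated route at offset %d" % i)
        i += n + 4
        # Pad the destination back to four octets; strict=False so stray
        # host bits in the last transmitted octet do not abort decoding.
        net = ipaddress.IPv4Network((dest.ljust(4, b"\x00"), plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def option_tlv(code, payload):
    """Wrap a payload as a DHCP option: code, length, value (max 255 bytes)."""
    if len(payload) > 255:
        raise ValueError("option payload too long for a single DHCP option")
    return bytes([code, len(payload)]) + payload


def describe(spec):
    """Round-trip a dnsmasq spec through the wire format and summarise it."""
    routes = decode_routes(encode_routes(parse_dnsmasq_routes(spec)))
    on_link = ipaddress.IPv4Address("0.0.0.0")
    return ["%s via %s" % (net, "on-link" if router == on_link else router)
            for net, router in routes]


if __name__ == "__main__":
    payload = encode_routes(parse_dnsmasq_routes(DNSMASQ_OPTION_249))
    print("option 249 payload:", payload.hex())
    print("full option TLV:   ", option_tlv(MS_CLASSLESS_STATIC_ROUTE, payload).hex())
    for line in describe(DNSMASQ_OPTION_249):
        print(line)
    # The single route the original poster expected, pushed on-link.
    print("10.0.0.0/20 route:", encode_routes(parse_dnsmasq_routes("10.0.0.0/20,0.0.0.0")).hex())
```

The two half-default routes in the quoted config encode to twelve bytes (`01 00 00000000 01 80 00000000`), which is what to look for in the option 249 field of the DHCP reply captured on the tunnel interface; if that option is absent from the capture, the client never asked, which matches the point above that the request must come from Windows itself rather than from strongSwan.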