I have literally tried all the dhcp dns subnet attr, options I can find and I can't get SS to get the dhcp from dnsmasq nor the clients.

> On 3 May 2018, at 21:39, Christian Salway <[email protected]> wrote:
>
> @Thor - ok. so in your professional capacity, would you say there is no way
> strongSwan can fix the Windows 10 issue of not adding a route when it
> connects?
>
>> On 3 May 2018, at 21:31, Thor Simon <[email protected]> wrote:
>>
>> If you would like to supply addresses to your clients via IKE Mode Config,
>> the DHCP plugin is one means by which StrongSwan can obtain those addresses.
>>
>> -----Original Message-----
>> From: Users <[email protected]> On Behalf Of Christian Salway
>> Sent: Thursday, May 3, 2018 4:27 PM
>> To: Noel Kuntze <[email protected]>
>> Cc: [email protected]
>> Subject: Re: [strongSwan] DHCP!
>>
>> So what is the purpose of the dhcp plugin then?
>>
>>> On 3 May 2018, at 18:52, Noel Kuntze <[email protected]> wrote:
>>>
>>> The dhcp plugin or generally strongSwan has nothing to do with that.
>>> Windows itself is supposed to make a DHCP request over the established
>>> tunnel. Check what it sends with wireshark or tcpdump.
>>> Use the information from the CorrectTrafficDump[1] page.
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
>>>
>>>> On 03.05.2018 18:58, Christian Salway wrote:
>>>> I have noticed that Windows 10 is not asking for DHCP though
>>>>
>>>> May 3 16:55:37 ip-10-0-5-202 charon-systemd[30549]: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>>>>
>>>> Whereas OSX is
>>>>
>>>> May 3 16:53:07 ip-10-0-5-202 charon-systemd[30505]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR *DHCP* DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>>
>>>> <http://www.naimuri.com>
>>>>
>>>>> On 3 May 2018, at 17:34, Christian Salway <[email protected]> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I've been trying to fix the (lack of) routing passed on to Windows 10 by
>>>>> trying the DHCP answer found at
>>>>> *Split-routing-on-Windows-10-and-Windows-10-Mobile* [1] but I can't get
>>>>> the DHCP to work. strongSwan doesn't make any requests to it.
>>>>>
>>>>> I have installed and configured dnsmasq with just the options in the
>>>>> support guide and dnsmasq is listening on tcp port 53 (DNS) and 67 (DHCP).
>>>>>
>>>>> I have rebuilt strongswan with dhcp support.
>>>>>
>>>>> *$ /etc/dnsmasq.conf*
>>>>> dhcp-vendorclass=set:msipsec,MSFT 5.0
>>>>> dhcp-range=tag:msipsec,192.168.103.0,static
>>>>> dhcp-option=tag:msipsec,6
>>>>> dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0
>>>>>
>>>>> *$ netstat -tunlp*
>>>>> Active Internet connections (only servers)
>>>>> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>>>> *tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      29951/dnsmasq*
>>>>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1143/sshd
>>>>> tcp6       0      0 :::53                   :::*                    LISTEN      29951/dnsmasq
>>>>> tcp6       0      0 :::22                   :::*                    LISTEN      1143/sshd
>>>>> udp        0      0 0.0.0.0:4500            0.0.0.0:*                           30147/charon-system
>>>>> udp        0      0 0.0.0.0:500             0.0.0.0:*                           30147/charon-system
>>>>> udp        0      0 0.0.0.0:53              0.0.0.0:*                           29951/dnsmasq
>>>>> *udp        0      0 0.0.0.0:67              0.0.0.0:*                           29951/dnsmasq*
>>>>> udp        0      0 0.0.0.0:68              0.0.0.0:*                           30147/charon-system
>>>>> udp        0      0 0.0.0.0:68              0.0.0.0:*                           1005/dhclient
>>>>> udp6       0      0 :::4500                 :::*                                30147/charon-system
>>>>> udp6       0      0 :::500                  :::*                                30147/charon-system
>>>>> udp6       0      0 :::53                   :::*                                29951/dnsmasq
>>>>>
>>>>> *$ swanctl --stats*
>>>>> ...
>>>>> loaded plugins: charon-systemd charon-systemd aes openssl des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic *dhcp*
>>>>>
>>>>> *$ /etc/strongswan.d/charon/dhcp.conf*
>>>>> dhcp {
>>>>>     force_server_address = yes
>>>>>     load = yes
>>>>>     server = 10.0.15.255
>>>>> }
>>>>>
>>>>> *$ /etc/swanctl/conf.d/policy.conf*
>>>>> connections {
>>>>>     clients {
>>>>>         version = 2
>>>>>         send_cert = always
>>>>>         encap = yes
>>>>>         unique = replace
>>>>>         proposals = aes256-sha256-prfsha256-modp2048-modp1024
>>>>>         pools = pool1
>>>>>         local {
>>>>>             id = vpnserver
>>>>>             certs = vpnserver.crt
>>>>>         }
>>>>>         remote {
>>>>>             auth = eap-mschapv2
>>>>>             eap_id = %any
>>>>>         }
>>>>>         children {
>>>>>             net {
>>>>>                 local_ts = 10.0.0.0/20
>>>>>             }
>>>>>         }
>>>>>     }
>>>>> }
>>>>> pools {
>>>>>     pool1 {
>>>>>         addrs = 172.16.0.0/12
>>>>>         subnet = 10.0.0.0/18
>>>>>         dhcp = 10.0.5.202
>>>>>     }
>>>>> }
>>>>>
>>>>> The route I would expect to see on Windows 10 should simulate
>>>>>
>>>>> *route ADD 10.0.0.0 MASK 255.255.240.0 172.16.0.X*
>>>>>
>>>>> *The connection log*
>>>>>
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: IKE_SA rsa[1] established between 10.0.5.202[vpnserver1]...148.252.225.26[192.168.1.31]
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: scheduling rekeying in 13750s
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: maximum IKE_SA lifetime 15190s
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning new lease to 'christian.salway.naimuri.com'
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: assigning virtual IP 172.16.0.1 to peer 'christian.salway.naimuri.com'
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: peer requested virtual IP %any6
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: no virtual IP found for %any6 requested by 'christian.salway.naimuri.com'
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: CHILD_SA net{1} established with SPIs cac7b9af_i 02fc4cb2_o and TS 10.0.0.0/18 === 172.16.0.1/32
>>>>> May 3 16:27:58 ip-10-0-5-202 charon-systemd[30250]: generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DHCP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>>>>>
>>>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Split-routing-on-Windows-10-and-Windows-10-Mobile
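The dnsmasq `dhcp-option=...,249,...` line in the original post and the `route ADD 10.0.0.0 MASK 255.255.240.0 ...` route it is meant to produce are both classless static routes in the RFC 3442 wire format carried by DHCP option 121 and the Microsoft-specific option 249; the encoder/decoder below, an added example that is not from this thread or from the strongSwan or dnsmasq projects, shows what that dnsmasq line puts on the wire and what an entry for 10.0.0.0/20 would look like, which helps when reading the DHCP exchange in a tcpdump as Noel suggests. The gateway 172.16.0.1 is taken from the connection log as a sample value, and the decoder deliberately rejects truncated or malformed payloads instead of guessing.

```python
import ipaddress


def encode_classless_routes(routes):
    """Encode (destination_cidr, router) pairs as the payload of DHCP option
    121/249 (RFC 3442): per route, one prefix-length byte, only the
    significant octets of the destination, then the 4-byte router address."""
    out = bytearray()
    for dst, gw in routes:
        net = ipaddress.IPv4Network(dst, strict=True)   # "10.0.0.1/20" is rejected
        sig = (net.prefixlen + 7) // 8                   # 0..4 significant octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(gw).packed          # 0.0.0.0 = on-link (tunnel)
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; raises ValueError on an invalid
    prefix length or a truncated entry, which is what a client parser should do."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError("prefix length %d > 32 at offset %d" % (width, i))
        sig = (width + 7) // 8
        if i + 1 + sig + 4 > len(payload):
            raise ValueError("truncated route entry at offset %d" % i)
        dst = bytes(payload[i + 1:i + 1 + sig]).ljust(4, b"\x00")
        gw = bytes(payload[i + 1 + sig:i + 5 + sig])
        routes.append((str(ipaddress.IPv4Network((dst, width))),
                       str(ipaddress.IPv4Address(gw))))
        i += 1 + sig + 4
    return routes


def parse_dnsmasq_route_option(line):
    """Parse a dnsmasq 'dhcp-option=[tag:x,]121|249,dst/len,gw,...' line into
    (option_code, [(dst, gw), ...]). Tag selectors are ignored."""
    fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
    fields = [f for f in fields if not f.startswith("tag:")]
    code = int(fields[0])
    if code not in (121, 249):
        raise ValueError("not a classless-route option: %d" % code)
    pairs = fields[1:]
    if len(pairs) % 2:
        raise ValueError("destination without router")
    return code, list(zip(pairs[0::2], pairs[1::2]))


def option_tlv(code, payload):
    """Wrap a payload as a single DHCP option: code, length, value."""
    if len(payload) > 255:
        raise ValueError("payload too long for one option")
    return bytes([code, len(payload)]) + payload
```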
