So, I've just finished doing that and it's not working.

I set up an IP alias because the DHCP wouldn't give out IP addresses unless I "owned" 172.31.0.x

-----------------------------------------------------------------------------------------------------------------------
# ifconfig eth0:0 172.31.0.1

eth0      Link encap:Ethernet  HWaddr 0a:b6:4a:7d:61:a4
          inet addr:10.0.1.193  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::8b6:4aff:fe7d:61a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:127072 errors:0 dropped:0 overruns:0 frame:0
          TX packets:76073 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:124506235 (124.5 MB)  TX bytes:12274603 (12.2 MB)

eth0:0    Link encap:Ethernet  HWaddr 0a:b6:4a:7d:61:a4
          inet addr:172.31.0.1  Bcast:172.31.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
-----------------------------------------------------------------------------------------------------------------------

I then installed isc-dhcp-server (had no luck with dnsmasq) and set up the dhcp config file like so

-----------------------------------------------------------------------------------------------------------------------
option rfc3442-classless-static-routes code 121 = array of integer 8;
option ms-classless-static-routes code 249 = array of integer 8;

ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 172.31.0.0 netmask 255.255.255.0 {
  range 172.31.0.5 172.31.0.250;
  option subnet-mask 255.255.255.0;
  option rfc3442-classless-static-routes 24, 192, 168, 123, 10, 10, 10, 1;
  option ms-classless-static-routes 24, 192, 168, 123, 10, 10, 10, 1;
}
-----------------------------------------------------------------------------------------------------------------------

and then configured ipsec

-----------------------------------------------------------------------------------------------------------------------
conn %default
    ike=aes256-sha256-prfsha256-ecp256-modp2048-modp1024!
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    leftfirewall=yes
    rightsourceip=172.31.0.0/24
    rightid=%any

conn localnet
    leftid=localnet
    leftsubnet=10.0.0.0/20
    rightsourceip=%dhcp
    authby=secret
    auto=start
-----------------------------------------------------------------------------------------------------------------------
dhcp {
    force_server_address = no
    identity_lease = no
    interface = eth0
    load = yes
    server = 172.31.255.255
}
-----------------------------------------------------------------------------------------------------------------------

..... which actually assigns IP addresses to clients (HUZZAH)

-----------------------------------------------------------------------------------------------------------------------
07[IKE] peer requested virtual IP %any
07[KNL] using 172.31.0.1 as address to reach 172.31.255.255/32
07[CFG] sending DHCP DISCOVER to 172.31.255.255
10[CFG] received DHCP OFFER 172.31.0.14 from 10.0.1.193
07[KNL] using 172.31.0.1 as address to reach 172.31.255.255/32
07[CFG] sending DHCP REQUEST for 172.31.0.14 to 10.0.1.193
11[CFG] received DHCP ACK for 172.31.0.14
07[IKE] assigning virtual IP 172.31.0.14 to peer '192.168.0.31'
-----------------------------------------------------------------------------------------------------------------------

- not quite, the routes aren't passed through to the clients

-----------------------------------------------------------------------------------------------------------------------
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.0.1        UGSc           84        0     en0
10/20              link#6             UCSc            0        0   utun2
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH             28  7617856     lo0
169.254            link#6             UCS             0        0     en0
192.168.0          link#6             UCS             5        0     en0
192.168.0.1/32     link#6             UCS             1        0     en0
192.168.0.1        40:d:10:73:1f:90   UHLWIir        26       26     en0   1196
192.168.0.10       f4:5f:d4:fb:24:4a  UHLWI           0       86     en0   1127
192.168.0.23       dc:a9:4:2a:21:db   UHLWI           0        4     en0     60
192.168.0.24       3c:cd:93:6d:78:32  UHLWI           0        8     en0   1122
192.168.0.31/32    link#6             UCS             0        0     en0
192.168.0.42       a4:77:33:b2:d7:34  UHLWIi          1      779     en0   1038
192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        1     en0
224.0.0/4          link#6             UmCS            2        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0      314     en0
255.255.255.255/32 link#6             UCS             0        0     en0
-----------------------------------------------------------------------------------------------------------------------
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.2.2        10.0.2.15     25
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
    18.130.229.77  255.255.255.255         10.0.2.2        10.0.2.15     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.31.0.0      255.255.0.0         On-link        172.31.0.1     26
       172.31.0.1  255.255.255.255         On-link        172.31.0.1    281
   172.31.255.255  255.255.255.255         On-link        172.31.0.1    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
        224.0.0.0        240.0.0.0         On-link        172.31.0.1    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
  255.255.255.255  255.255.255.255         On-link        172.31.0.1    281
===========================================================================
Persistent Routes:
  None
-----------------------------------------------------------------------------------------------------------------------

> On 8 Aug 2018, at 15:15, Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
>
> Hello Christian,
>
> I guess the native Mac OSX client just doesn't support being connected to
> more than one server, so this can't be solved with it.
>
> For Windows, you need to set up and run a DHCP server on the VPN server, which
> answers the DHCP requests that Windows (uniquely and only Windows!) sends
> over the VPN. You can use that to push routes to the client. Just use the
> same options as with "real" DHCP clients, requesting configuration from/on
> the LAN. This is described in the article about Windows interoperability[1].
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#Split-routing-on-Windows-10-and-Windows-10-Mobile
>
> Kind regards
>
> Noel
>
> On 07.08.2018 09:07, Christian Salway wrote:
>> Hello all,
>>
>> After several months of using strongSwan, I still can't get the routing to
>> work correctly on the clients. I have run out of pages to read on the
>> strongswan website so I hope you can help me out.
>>
>> The problem is when I connect to strongSwan, the routing is not configured
>> correctly on the clients (OSX and Windows) - using native (built-in)
>> clients. All updated with the latest patches/updates.
>>
>> OSX will set up a route based on the local_ts but when I open a simultaneous
>> connection to another strongSwan server, it removes the route from the first
>> VPN connection and adds its own based on the local_ts.
>>
>> WINDOWS doesn't add the route at all.
>>
>> In either case, I normally have to manually add the routes in.
>>
>> Has anyone had any success? Can they please shed some light as to how they
>> achieved it?
>>
>>
>> Kind regards,
>>
>> Christian Salway
>> IT Consultant - Naimuri
>>
>> T: +44 7463 331432
>> E: christian.sal...@naimuri.com
>> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
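The dhcpd.conf in the thread hand-writes the DHCP option 121 payload as "24, 192, 168, 123, 10, 10, 10, 1", which is the RFC 3442 classless-static-route encoding (prefix length, then only the significant destination octets, then the router); option 249 is Microsoft's pre-standard variant with the same wire format. The following is an added example, not code from the thread or from strongSwan or ISC, that encodes such a route list the way dhcpd expects it and decodes a captured payload back into routes, rejecting truncated or malformed entries rather than installing a partial route. All inputs in it are constructed; the route 192.168.123.0/24 via 10.10.10.1 is the one from the thread's config.

```python
# Added example (not from the mailing-list thread): encode/decode DHCP
# option 121 (RFC 3442 classless static routes). Option 249 uses the same
# encoding. Only the Python standard library is used.
import ipaddress


def encode_classless_routes(routes):
    """routes: list of (destination_network, router) strings.
    Returns the option payload as a list of octet values, i.e. exactly the
    numbers one writes after the option name in dhcpd.conf (RFC 3442 sec. 2).
    """
    out = []
    for dest, router in routes:
        # strict=True rejects host bits in the destination, e.g. 192.168.123.5/24
        net = ipaddress.ip_network(dest, strict=True)
        prefix = net.prefixlen
        # Only ceil(prefix/8) destination octets are sent; a /0 sends none.
        nsig = (prefix + 7) // 8
        out.append(prefix)
        out.extend(net.network_address.packed[:nsig])
        out.extend(ipaddress.ip_address(router).packed)
    return out


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes.
    payload: bytes or iterable of octet values as received in option 121/249.
    Returns a list of (destination_cidr, router) strings. Raises ValueError on
    a bad prefix length or a truncated entry so that a caller never installs
    a half-parsed route.
    """
    data = bytes(payload)
    routes = []
    i = 0
    while i < len(data):
        prefix = data[i]
        i += 1
        if prefix > 32:
            raise ValueError(f"bad prefix length {prefix}")
        nsig = (prefix + 7) // 8
        if i + nsig + 4 > len(data):
            raise ValueError("truncated route entry")
        # Pad the omitted low-order destination octets with zeros.
        dest = ipaddress.IPv4Address(data[i:i + nsig] + bytes(4 - nsig))
        i += nsig
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=False tolerates a sender that left host bits set inside the
        # last significant octet of a non-octet-aligned prefix.
        net = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
        routes.append((str(net), str(router)))
    return routes


def dhcpd_option_line(option_name, routes):
    """Render a dhcpd.conf option statement for the given routes."""
    octets = ", ".join(str(b) for b in encode_classless_routes(routes))
    return f"option {option_name} {octets};"


if __name__ == "__main__":
    # The route from the thread's config: 192.168.123.0/24 via 10.10.10.1.
    thread_routes = [("192.168.123.0/24", "10.10.10.1")]
    print(dhcpd_option_line("rfc3442-classless-static-routes", thread_routes))
    print(dhcpd_option_line("ms-classless-static-routes", thread_routes))
    # Decode the hand-typed payload from the thread and a constructed
    # two-route payload that also carries a default route.
    print(decode_classless_routes([24, 192, 168, 123, 10, 10, 10, 1]))
    print(decode_classless_routes([20, 10, 0, 0, 172, 31, 0, 1, 0, 10, 0, 2, 2]))
```

Decoding a captured option on the client side is the quickest way to tell whether the server never sent the routes or whether the client received them and declined to install them; in the thread the Windows route table shows neither 192.168.123.0/24 nor 10.0.0.0/20, so the decoded payload of the DHCP ACK is the first thing to look at.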