Sorry to upset you. It's all very frustrating when there isn't enough clear 
documentation available.

Windows wasn't sending any DHCP requests through the CHILD_SA; however, it 
doesn't matter because it turns out the leftsubnet gets added to the routing 
table. So where I had the VPN server on and the inner network on and the clients on, the clients couldn't route 
through to without manually adding a route in Windows. However, if 
I set the clients in the subnet, then they can route through.
It will be a problem when a client's network is also on the same subnet, but for 
now, it solves the problem.

Kind regards,

Christian Salway
IT Consultant - Naimuri

T: +44 7463 331432
A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
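The observation above (the client only installs a route for the remote traffic selector, i.e. strongSwan's leftsubnet, so the inner network is reachable only when it lies inside that selector, and a selector wide enough to cover it can collide with the client's own LAN) can be checked before rollout. The following is an added example, not code from the thread or from strongSwan; every subnet in it is a constructed sample value, since the real prefixes were stripped from the archived message, and the helper names are assumptions.

```python
import ipaddress

# Constructed sample values (not from the thread; the original prefixes were
# stripped from the archive). Adjust to the real deployment.
VPN_SERVER_SUBNET = "10.10.0.0/24"   # network the VPN server sits on
INNER_NETWORK = "10.20.0.0/24"       # resources behind the server
CLIENT_LAN = "192.168.1.0/24"        # a typical client's home/office LAN


def routes_installed_by_client(left_subnets):
    """Model the behaviour reported in the thread: the client installs one
    route per remote traffic selector (leftsubnet) via the VPN interface and
    nothing else, so any destination outside those prefixes goes to the
    client's normal default gateway."""
    return [ipaddress.ip_network(s, strict=True) for s in left_subnets]


def reachable_over_vpn(routes, dest):
    """True if dest falls inside one of the VPN routes, i.e. it would be sent
    through the tunnel without a manually added route on the client."""
    dest = ipaddress.ip_address(dest)
    return any(dest in r for r in routes)


def check_traffic_selector(left_subnets, inner_networks, client_lan):
    """Return findings a practitioner wants before changing leftsubnet:
    - uncovered: inner networks not contained in any selector (clients would
      need a manual route, as in the original problem);
    - lan_clash: selectors that overlap the client's own LAN (the clash the
      message above anticipates when a client's network shares the subnet)."""
    routes = routes_installed_by_client(left_subnets)
    lan = ipaddress.ip_network(client_lan, strict=True)
    uncovered = [
        str(n) for n in (ipaddress.ip_network(i, strict=True) for i in inner_networks)
        if not any(n.subnet_of(r) for r in routes)
    ]
    clash = [str(r) for r in routes if r.overlaps(lan)]
    return {"uncovered": uncovered, "lan_clash": clash}


if __name__ == "__main__":
    # 1. leftsubnet is only the server's own subnet: inner network unreachable
    #    without a manual route (the situation described in the thread).
    print(check_traffic_selector([VPN_SERVER_SUBNET], [INNER_NETWORK], CLIENT_LAN))
    # 2. One wide aggregate covers everything, but collides with a client whose
    #    LAN happens to sit inside it.
    print(check_traffic_selector(["10.0.0.0/8"], [INNER_NETWORK], "10.20.0.0/24"))
    # 3. Explicit selectors for exactly the networks that must be reached.
    print(check_traffic_selector([VPN_SERVER_SUBNET, INNER_NETWORK], [INNER_NETWORK], CLIENT_LAN))
```

Scenario 2 is the trade-off the message points at: widening leftsubnet so the inner network is covered also captures any client LAN that falls inside the same prefix, so keeping the selectors as narrow as the reachable networks require (scenario 3) is the safer default.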

> On 9 Aug 2018, at 20:43, Noel Kuntze 
> <> wrote:
> What do you intend to say with that? I already wrote that what Windows does 
> has nothing to do with the "dhcp" plugin.
> Look, I did not participate in the development of the Windows Agile VPN client 
> and I also don't know why they did it. I just tell you how it is.
> After the CHILD_SA is up, Windows starts sending DHCP DISCOVER messages over 
> the CHILD_SA. That's what it does. I don't know *why* it does that and/or who 
> thought that was a good idea, but it does that.
> It does *not* do anything over IKE and it has *no* relation to what the 
> "dhcp" plugin of strongSwan does (which is the *responder* (*not* the 
> initiator) requesting an IP and DNS/WINS settings over DHCP).
> On 8/9/18 1:30 PM, Christian Salway wrote:
>> Tobias Brunner <> almost 3 years <> ago
>>  * *Status* changed from /New/ to /Feedback/
>>  * *Priority* changed from /High/ to /Normal/
>> There is a DHCP plugin 
>> <> to _assign 
>> virtual IPs and DNS servers to clients_ that are requested by the strongSwan 
>> server via DHCP on behalf of the clients. If you are considering DHCP over 
>> IPsec there is a configuration attribute called |INTERNAL_IP4_DHCP| but 
>> strongSwan has no support for that as client (i.e. it won't request it). And 
>> as server you can only assign it globally via the attr 
>> <> or the 
>> attr-sql <> 
>> plugins. Also 
>> Kind regards,
>> *Christian Salway*
>> IT Consultant - *Naimuri*
>> T: +44 7463 331432
>> E: <>
>> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
>>> On 9 Aug 2018, at 07:13, Noel Kuntze 
>>> < 
>>> <>> wrote:
>>> It's because you're doing it wrong. You must *not* use the dhcp plugin of 
>>> strongSwan to request the IP. Have Windows do a DHCP request over the VPN 
>>> (according to the article it should do that). The dhcp plugin does 
>>> something completely different.
>>> On 09.08.2018 08:07, Christian Salway wrote:
>>>> Perhaps the answer is to set the attr DHCP to the IP of the DHCP server 
>>>> inside the VPN but then still, how does the client know how to route to 
>>>> the IP address.
>>>> There doesn’t seem to be a solution for this even though all the parts are 
>>>> there.
>>>>> On 8 Aug 2018, at 15:15, Noel Kuntze 
>>>>> < 
>>>>> <>> wrote:
>>>>> Hello Christian,
>>>>> I guess the native Mac OSX client just doesn't support being connected to 
>>>>> more than one server, so this can't be solved with it.
>>>>> For Windows, you need to set up and run a DHCP server on the VPN server, 
>>>>> which answers the DHCP requests that Windows (uniquely and only Windows!) 
>>>>> sends over the VPN. You can use that to push routes to the client. Just 
>>>>> use the same options as with "real" DHCP clients, requesting 
>>>>> configuration from/on the LAN. This is described in the article about 
>>>>> Windows interoperability[1].
>>>>> [1] 
>>>>> Kind regards
>>>>> Noel
>>>>>> On 07.08.2018 09:07, Christian Salway wrote:
>>>>>> Hello all,
>>>>>> After several months of using strongSwan, I still can't get the routing 
>>>>>> to work correctly on the clients.  I have run out of pages to read on 
>>>>>> the strongswan website so I hope you can help me out.
>>>>>> The problem is when I connect to strongSwan, the routing is not 
>>>>>> configured correctly on the clients (OSX and Windows) - using native 
>>>>>> (built-in) clients. All updated with the latest patches/updates.
>>>>>> OSX will set up a route based on the local_ts but when I open a 
>>>>>> simultaneous connection to another strongSwan server, it removes the 
>>>>>> route from the first VPN connection and adds its own based on the 
>>>>>> local_ts.
>>>>>> WINDOWS doesn't add the route at all.
>>>>>> In either case, I normally have to manually add the routes in.
>>>>>> Has anyone had any success? Can they please shed some light as to how 
>>>>>> they achieved it?
>>>>>> Kind regards,
>>>>>> *Christian Salway*
>>>>>> IT Consultant - *Naimuri*
>>>>>> T: +44 7463 331432
>>>>>> E: <> 
>>>>>> <>
>>>>>> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
