> Windows wasn't sending any DHCP requests through the CHILD_SA It might depend on the setting regarding split tunneling. I am lucky enough to not have to deal with Windows myself. Other people found this out and what's on the wiki is all that should be relevant. Anything else should be findable in the mailing list archives.
Am 10.08.18 um 09:23 schrieb Christian Salway: > Sorry to upset you. It's all very frustrating when their isn't enough clear > documentation available. > > Windows wasn't sending any DHCP requests through the CHILD_SA however it > doesn't matter because it turns out the leftsubnet gets added to the routing > table. So where I had the VPN server on 10.0.0.0/20 and the inner network on > 10.0.64.0/20 and the clients on 172.31.0.0/20, the clients couldnt route > through to 10.0.64.0/20 without manually adding a route in windows. However, > if I set the clients in the 10.0.64.0/20 subnet, then they can route through > > leftsubnet=10.0.64.0/20 > rightsourceip=10.0.76.5-10.0.79.254 > > Will be a problem when a clients network is also on the same subnet, but for > now, it solves the problem. > > Kind regards, > > *Christian Salway* > IT Consultant - *Naimuri* > > T: +44 7463 331432 > E: christian.sal...@naimuri.com <mailto:christian.sal...@naimuri.com> > A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW > >> On 9 Aug 2018, at 20:43, Noel Kuntze >> <noel.kuntze+strongswan-users-ml@thermi.consulting >> <mailto:noel.kuntze+strongswan-users-ml@thermi.consulting>> wrote: >> >> What do you intend to say with that? I already wrote that what Windows does >> has nothing to do with the "dhcp" plugin. >> >> Look, I did not participate in the developing of the Windows Agile VPN >> client and I also don't know why they did it. I just tell you how it is. >> After the CHILD_SA is up, Windows starts sending DHCP DISCOVER messages over >> the CHILD_SA. That's what it does. I don't know *why* it does that and/or >> who thought that was a good idea, but it does that. >> It does *not* do anything over IKE and it has *no* relation to what the >> "dhcp" plugin of strongSwan does (which is the *responder* (*not* the >> inititator) requesting an IP and DNS/WINS settings over DHCP). >> >> On 8/9/18 1:30 PM, Christian Salway wrote: >>> https://wiki.strongswan.org/issues/1098 >>> >>> >>> Tobias Brunner <https://wiki.strongswan.org/users/8> almost 3 years >>> <https://wiki.strongswan.org/projects/strongswan/activity?from=2015-09-07> >>> ago >>> >>> * *Status* changed from /New/ to /Feedback/ >>> * *Priority* changed from /High/ to /Normal/ >>> >>> There is a DHCP plugin >>> <https://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin> to >>> _assign virtual IPs and DNS servers to clients_ that are requested by the >>> strongSwan server via DHCP on behalf of the clients. If you are considering >>> DHCP over IPsec there is a configuration attribute called >>> |INTERNAL_IP4_DHCP| but strongSwan has no support for that as client (i.e. >>> it won't request it). And as server you can only assign it globally via the >>> attr <https://wiki.strongswan.org/projects/strongswan/wiki/Attrplugin> or >>> the attr-sql <https://wiki.strongswan.org/projects/strongswan/wiki/Attrsql> >>> plugins. Also >>> >>> >>> >>> Kind regards, >>> >>> *Christian Salway* >>> IT Consultant - *Naimuri* >>> >>> T: +44 7463 331432 >>> E: christian.sal...@naimuri.com <mailto:christian.sal...@naimuri.com> >>> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW >>> >>>> On 9 Aug 2018, at 07:13, Noel Kuntze >>>> <noel.kuntze+strongswan-users-ml@thermi.consulting >>>> <mailto:noel.kuntze+strongswan-users-ml@thermi.consulting>> wrote: >>>> >>>> It's because you're doing it wrong. You must *not* use the dhcp plugin of >>>> strongSwan to request the IP. Have Windows do a DHCP request over the VPN >>>> (according to the article it should do that). The dhcp plugin does >>>> something completely different. >>>> >>>> On 09.08.2018 08:07, Christian Salway wrote: >>>>> Perhaps the answer is to set the attr DHCP to the IP of the DHCP server >>>>> inside the VPN but then still, how does the client know how to route to >>>>> the IP address. >>>>> >>>>> There doesn’t seem to be a solution for this even though all the parts >>>>> are there. >>>>> >>>>>> On 8 Aug 2018, at 15:15, Noel Kuntze >>>>>> <noel.kuntze+strongswan-users-ml@thermi.consulting >>>>>> <mailto:noel.kuntze+strongswan-users-ml@thermi.consulting>> wrote: >>>>>> >>>>>> Hello Christian, >>>>>> >>>>>> I guess the native Mac OSX client just doesn't support being connected >>>>>> to more than one server, so this can't be solved with it. >>>>>> >>>>>> For Windows, you need to setup and run a DHCP server on the VPN server, >>>>>> which answers the DHCP requests that Windows (uniquely and only >>>>>> Windows!) sends over the VPN. You can use that to push routes to the >>>>>> client. Just use the same options as with "real" DHCP clients, >>>>>> requesting configuration from/on the LAN. This is described in the >>>>>> article about Windows interoperability[1]. >>>>>> >>>>>> [1] >>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#Split-routing-on-Windows-10-and-Windows-10-Mobile >>>>>> >>>>>> Kind regards >>>>>> >>>>>> Noel >>>>>> >>>>>>> On 07.08.2018 09:07, Christian Salway wrote: >>>>>>> Hello all, >>>>>>> >>>>>>> After several months of using strongSwan, I still can't get the routing >>>>>>> to work correctly on the clients. I have run out of pages to read on >>>>>>> the strongswan website so I hope you can help me out. >>>>>>> >>>>>>> The problem is when I connect to strongSwan, the routing is not >>>>>>> configured correctly on the clients (OSX and Windows) - using native >>>>>>> (built-in) clients. All updated with the latest patches/updates. >>>>>>> >>>>>>> OSX will set up a route based on the local_ts but when I open a >>>>>>> simultaneous connection to another strongSwan server, it removes the >>>>>>> route from the first VPN connection and adds it's own based on the >>>>>>> local_ts. >>>>>>> >>>>>>> WINDOWS doesnt add the route at all. >>>>>>> >>>>>>> In either cause, I normally have to manually add the routes in. >>>>>>> >>>>>>> Has anyone had any success? Can they please shed some light as to how >>>>>>> they achieved it? >>>>>>> >>>>>>> >>>>>>> Kind regards, >>>>>>> >>>>>>> *Christian Salway* >>>>>>> IT Consultant - *Naimuri* >>>>>>> >>>>>>> T: +44 7463 331432 >>>>>>> E: christian.sal...@naimuri.com <mailto:christian.sal...@naimuri.com> >>>>>>> <mailto:christian.sal...@naimuri.com> >>>>>>> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW >>>>>>> >>>>>> >>>> >>> >> >
signature.asc
Description: OpenPGP digital signature
