
Issue #1098

Received DHCP server address via configuration payload

Added by genadi botus over 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.3.2
Resolution:
No feedback

Description

The IPsec client sets up a connection to the IPsec server gateway and requests a virtual IP via the IKEv2 configuration payload by using leftsourceip=%config. Ping from the IPsec client to the DHCP server is OK; the IPsec client received an IP address from the IPsec server.
I want to pass the IP address of the DHCP server to the IPsec client via the configuration payload, so that the client can request some settings from the DHCP server (not an IP address).
On the server side I am using strongSwan 5.2.0.
Thanks a lot

ipsec_client.conf (489 Bytes) ipsec_client.conf genadi botus, 07.09.2015 08:10
ipsec_server.conf (1.04 KB) ipsec_server.conf genadi botus, 07.09.2015 08:10
ipsec_client.secrets (56 Bytes) ipsec_client.secrets genadi botus, 07.09.2015 08:10
ipsec_server.secrets (51 Bytes) ipsec_server.secrets genadi botus, 07.09.2015 08:10
strongswan_client.conf (281 Bytes) strongswan_client.conf genadi botus, 07.09.2015 08:10
strongswan_server.conf (281 Bytes) strongswan_server.conf genadi botus, 07.09.2015 08:10
network _diag.vsdx (46.7 KB) network _diag.vsdx genadi botus, 07.09.2015 08:10

Related issues

Related to Issue #1208: INTERNAL_IP6_DHCP DHCPv6 server address from the IPsec server to IPsec client (Closed, 15.11.2015)

History

#1 Updated by Tobias Brunner over 4 years ago

  • Status changed from New to Feedback
  • Priority changed from High to Normal

There is a DHCP plugin to assign virtual IPs and DNS servers to clients that are requested by the strongSwan server via DHCP on behalf of the clients. If you are considering DHCP over IPsec there is a configuration attribute called INTERNAL_IP4_DHCP but strongSwan has no support for that as client (i.e. it won't request it). And as server you can only assign it globally via the attr or the attr-sql plugins. Also see #1010.

#2 Updated by Tobias Brunner over 4 years ago

  • Category changed from testing to configuration

#3 Updated by genadi botus over 4 years ago

Tobias Brunner wrote:

There is a DHCP plugin to assign virtual IPs and DNS servers to clients that are requested by the strongSwan server via DHCP on behalf of the clients. If you are considering DHCP over IPsec there is a configuration attribute called INTERNAL_IP4_DHCP but strongSwan has no support for that as client (i.e. it won't request it). And as server you can only assign it globally via the attr or the attr-sql plugins. Also see #1010.

Hello.

We are asking for the second option, i.e. to receive the DHCP address via the configuration payload using the attr plugin.

So, the client can't ask for it and it is sent globally by the server.
Our question is: how can we fetch this DHCP server address in the client?

#4 Updated by Tobias Brunner over 4 years ago

So, the client can't ask for it and it is sent globally by the server.
Our question is: how can we fetch this DHCP server address in the client?

No, strongSwan as a client does not support that. But other clients might, and you could write a plugin that requests a DHCP server address and does something with it when it receives one from the server (the resolve plugin - source:src/libcharon/plugins/resolve - could be used as an example for such a plugin).

#5 Updated by genadi botus over 4 years ago

Thank you,
the last question is - do you plan to support this ?

#6 Updated by Tobias Brunner over 4 years ago

the last question is - do you plan to support this ?

There are no plans to do so at this time.

#7 Updated by genadi botus over 4 years ago

Could you please provide us with the design for the Client:

1. How shall we indicate in the ipsec.conf the request for the DHCP server address ?
2. How shall we provide the received DHCP server address to the user ?
3. What shall be changed in the IPsec Server in order that it will send the INTERNAL_IP4_DHCP only upon request ?

We currently can see the following in the IPSec Client:

daemon.info charon: 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP SA TSi TSr N(AUTH_LFT) ]
daemon.info charon: 11[CFG] handling INTERNAL_IP4_DHCP attribute failed

This means that the INTERNAL_IP4_DHCP attribute is received and not handled ?

#8 Updated by Tobias Brunner over 4 years ago

1. How shall we indicate in the ipsec.conf the request for the DHCP server address ?

If you write your own plugin you might not need an option in ipsec.conf (which is pretty complicated to add). A list of config names or something configured via strongswan.conf might be easier.

2. How shall we provide the received DHCP server address to the user ?

That's totally up to you. You asked about it, so do whatever you like to do with it (what a user should do with it I don't know).

3. What shall be changed in the IPsec Server in order that it will send the INTERNAL_IP4_DHCP only upon request ?

As mentioned before the server can already assign this attribute via the attr or the attr-sql plugin.

This means that the INTERNAL_IP4_DHCP attribute is received and not handled ?

Yes. You need to write a plugin that handles the attribute somehow (i.e. implements the attribute_handler_t interface).

#9 Updated by genadi botus over 4 years ago

Is there any documentation on how to add plugins to the Strongswan ?

#10 Updated by genadi botus over 4 years ago

And where can I see an example of a request for an attribute like INTERNAL_IP4_DHCP, sent from the client to the server?

#11 Updated by Tobias Brunner over 4 years ago

Is there any documentation on how to add plugins to the Strongswan ?

Not really, have a look at an existing plugin, e.g. as mentioned before the resolve plugin does something similar.

And where can I see an example of a request for an attribute like INTERNAL_IP4_DHCP, sent from the client to the server?

That can also be seen in the resolve plugin (create_attribute_enumerator), basically an empty configuration attribute of the right type is added to the request.
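As an added example (not strongSwan code and not from this thread), the C program below shows both halves of the exchange described in the two replies above: the client puts an empty INTERNAL_IP4_DHCP attribute (type 6) into its CFG_REQUEST, and a client-side handler, standing in for the attribute_handler_t implementation a custom plugin would provide, picks the address out of the server's CFG_REPLY. Encoding follows RFC 7296 section 3.15 (a 4-byte body header with the CFG Type, then per attribute a 2-byte type with a reserved top bit, a 2-byte length and the value); the generic payload header and the rest of IKE_AUTH are left out. It goes slightly beyond the thread by also claiming INTERNAL_IP6_DHCP (type 12, the case in related issue #1208) and by rejecting attributes whose length runs past the payload. The sample reply bytes are constructed for this example: the virtual IP 10.0.0.2 is taken from the issue, the DHCP server address 192.168.1.1 is assumed.

```c
/* Added example, not strongSwan source: IKEv2 Configuration Payload body
 * (RFC 7296, section 3.15) with INTERNAL_IP4_DHCP on both sides. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CFG_REQUEST = 1, CFG_REPLY = 2 };
enum { INTERNAL_IP4_ADDRESS = 1, INTERNAL_IP4_DNS = 3,
       INTERNAL_IP4_DHCP = 6, INTERNAL_IP6_DHCP = 12 };

/* Attribute wire format: R|Type (2 bytes), Length (2 bytes), Value. */
static size_t put_attr(uint8_t *out, size_t cap, size_t off, uint16_t type,
                       const uint8_t *val, uint16_t len)
{
    if (type > 0x7fff || off + 4 + len > cap) return 0;
    out[off]     = (uint8_t)(type >> 8); out[off + 1] = (uint8_t)type;
    out[off + 2] = (uint8_t)(len >> 8);  out[off + 3] = (uint8_t)len;
    if (len) memcpy(out + off + 4, val, len);
    return off + 4 + len;
}

/* Client side: ask for a virtual IP and the DHCP server address. Both
 * attributes are zero-length; the server is expected to fill in values. */
size_t build_cfg_request(uint8_t *out, size_t cap)
{
    if (cap < 4) return 0;
    out[0] = CFG_REQUEST; out[1] = out[2] = out[3] = 0;
    size_t off = put_attr(out, cap, 4, INTERNAL_IP4_ADDRESS, NULL, 0);
    return off ? put_attr(out, cap, off, INTERNAL_IP4_DHCP, NULL, 0) : 0;
}

typedef struct {
    uint8_t vip[4], dhcp4[4], dhcp6[16];
    int have_vip, have_dhcp4, have_dhcp6;
    unsigned unhandled;   /* attributes no handler claimed */
} cfg_result_t;

/* Stand-in for a client attribute handler: 1 if the attribute was claimed,
 * 0 if not (stock charon reports "handling ... attribute failed" for 0). */
static int handle_attr(cfg_result_t *r, uint16_t type, const uint8_t *val, uint16_t len)
{
    switch (type) {
    case INTERNAL_IP4_ADDRESS:
        if (len != 4) return 0;
        memcpy(r->vip, val, 4); r->have_vip = 1; return 1;
    case INTERNAL_IP4_DHCP:
        if (len != 4) return 0;
        memcpy(r->dhcp4, val, 4); r->have_dhcp4 = 1; return 1;
    case INTERNAL_IP6_DHCP:
        if (len != 16) return 0;
        memcpy(r->dhcp6, val, 16); r->have_dhcp6 = 1; return 1;
    }
    return 0;
}

/* Parse a CFG_REPLY body. Returns the attribute count, or -1 if malformed. */
int parse_cfg_reply(const uint8_t *in, size_t len, cfg_result_t *r)
{
    memset(r, 0, sizeof *r);
    if (len < 4 || in[0] != CFG_REPLY) return -1;
    size_t off = 4;
    int n = 0;
    while (off < len) {
        if (len - off < 4) return -1;                 /* truncated header */
        /* top bit is reserved and must be ignored on receipt (RFC 7296) */
        uint16_t type = (uint16_t)(((in[off] & 0x7f) << 8) | in[off + 1]);
        uint16_t alen = (uint16_t)((in[off + 2] << 8) | in[off + 3]);
        off += 4;
        if (alen > len - off) return -1;              /* value runs past end */
        if (!handle_attr(r, type, in + off, alen)) r->unhandled++;
        off += alen;
        n++;
    }
    return n;
}

/* Constructed sample reply (not a capture): virtual IP 10.0.0.2 from the
 * issue, an assumed DHCP server 192.168.1.1, and a DNS attribute that the
 * handler above deliberately does not claim. */
static const uint8_t sample_reply[] = {
    CFG_REPLY, 0, 0, 0,
    0x00, INTERNAL_IP4_ADDRESS, 0x00, 0x04, 10, 0, 0, 2,
    0x00, INTERNAL_IP4_DHCP,    0x00, 0x04, 192, 168, 1, 1,
    0x00, INTERNAL_IP4_DNS,     0x00, 0x04, 192, 168, 1, 53,
};

int main(void)
{
    uint8_t req[32];
    cfg_result_t r;
    size_t n = build_cfg_request(req, sizeof req);
    int count = parse_cfg_reply(sample_reply, sizeof sample_reply, &r);
    printf("CFG_REQUEST: %zu bytes; CFG_REPLY: %d attributes, %u unhandled\n",
           n, count, r.unhandled);
    if (r.have_dhcp4)
        printf("INTERNAL_IP4_DHCP = %u.%u.%u.%u\n",
               r.dhcp4[0], r.dhcp4[1], r.dhcp4[2], r.dhcp4[3]);
    return 0;
}
```

A real plugin would hand the address to whatever consumes it (as the resolve plugin does for DNS servers), but the two pieces above, an empty attribute of the right type in the request and a handler that accepts only a well-formed 4-byte (or 16-byte) value in the reply, are what the thread says such a plugin has to add.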

#12 Updated by genadi botus over 4 years ago

Does the folder strongswan-5.3.2\src\libcharon\plugins\resolve
contain the complete plugin solution, or does something else have to be modified?

How do I activate the Plugin ?

#13 Updated by Tobias Brunner over 4 years ago

Does the folder strongswan-5.3.2\src\libcharon\plugins\resolve
contain the complete plugin solution, or does something else have to be modified?

Yes, it contains the complete plugin sources (apart from some stuff in source:configure.ac and source:src/libcharon/Makefile.am). However, it does something different, so you have to extend it or even create a new plugin that does what you want.

How do I activate the Plugin ?

The resolve plugin is enabled by default (see AutoConf). For a custom plugin add the required lines to the files I mentioned above (refer to what's there for the other plugins). Or you build your plugin outside of the source tree (see #969-5 and #969-25).

#14 Updated by genadi botus over 4 years ago

I plan to write my own plugin for the DHCP server address, based on resolve.
Could you please give me an example of a plugin activated in configure and the makefile, so that I can see what has to be added?

#15 Updated by genadi botus over 4 years ago

I've modified configure.ac and Makefile.am.

What shall I do next?
Run autoconf?

#16 Updated by genadi botus over 4 years ago

Hello,

I've added my plugin "dhcp_server" to configure.ac and Makefile.am, and I receive the following error when running make:

Making all in plugins/dhcp_server
make4: Entering directory `/home/noam/shared/strongswan/strongswan_dhcp2/src/libcharon/plugins/dhcp_server'
make4: *** No rule to make target `dhcp_serv_plugin.lo', needed by `libstrongswan-dhcp_serv.la'. Stop.
make4: Leaving directory `/home/noam/shared/strongswan/strongswan_dhcp2/src/libcharon/plugins/dhcp_server'

What am I missing ?

Please, help.

#17 Updated by genadi botus over 4 years ago

Thank you, my problem.

#18 Updated by genadi botus over 4 years ago

Hi Tobias, thanks for your support, but I am facing a different problem. If you look at my network diagram, I have a client and an IPsec gateway that use physical IP addresses to create the IPsec tunnel (90.0.0.88 client and 90.0.0.17 server). After the IPsec tunnel is created, the server sends the client the virtual IP address 10.0.0.2, and the client creates rules in iptables (ip route: 192.168.0.0/16 via 90.0.0.17 dev eth3 proto static src 10.0.0.2). When I ping from the IPsec client to the DHCP server through the IPsec gateway, the source IP of the ping is the virtual IP address of the IPsec client, 10.0.0.2.
Is it possible to change it, after the IPsec tunnel is up, so that the source IP is the physical IP address of the client, 90.0.0.88?
Thanks a lot

#19 Updated by Tobias Brunner over 4 years ago

  • Related to Issue #1208: INTERNAL_IP6_DHCP DHCPv6 server address from the IPsec server to IPsec client added

#20 Updated by Tobias Brunner over 4 years ago

I have a client and an IPsec gateway that use physical IP addresses to create the IPsec tunnel (90.0.0.88 client and 90.0.0.17 server). After the IPsec tunnel is created, the server sends the client the virtual IP address 10.0.0.2, and the client creates rules in iptables (ip route: 192.168.0.0/16 via 90.0.0.17 dev eth3 proto static src 10.0.0.2). When I ping from the IPsec client to the DHCP server through the IPsec gateway, the source IP of the ping is the virtual IP address of the IPsec client, 10.0.0.2.
Is it possible to change it, after the IPsec tunnel is up, so that the source IP is the physical IP address of the client, 90.0.0.88?

Why would you already have a virtual IP if you want to actually request that via DHCP over IPsec? As described in RFC 3456 (which is quite old and specific to IKEv1) the idea is to first establish a CHILD_SA only for DHCP, then after acquiring an IP address via DHCP a new CHILD_SA is established that uses that address as local traffic selector (of course, all this is simplified by using virtual IPs via configuration payloads).

#21 Updated by Tobias Brunner about 4 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
