Issue #907

Strongswan DHCP problem if dhcp server and strongswan are on the same computer

Added by Laszlo Madarassy over 10 years ago. Updated about 10 years ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.2.1
Resolution: No change required

Description

Hi,

I have an issue if I use
rightsourceip=%dhcp
config for the clients.
Symptoms:
Charon sends the DHCP discover to 255.255.255.255, dhcpd receives it and sends a DHCP OFFER, but charon never receives it. Here is my log:
(this is a syslog, containing charon and dhcp logs also)

2015-03-24T13:41:00+01:00 sziami charon: 09[IKE] IKE_SA IKEv28 established between XXX.XXX.242.225[cs.bme.hu]...XXX.XXX.87.193[huygens]
2015-03-24T13:41:00+01:00 sziami charon: 09[IKE] peer requested virtual IP %any6
2015-03-24T13:41:00+01:00 sziami charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
2015-03-24T13:41:00+01:00 sziami dhcpd: DHCPDISCOVER from XX:XX:f3:dc:78:82 (huygens) via eth0
2015-03-24T13:41:01+01:00 sziami charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
2015-03-24T13:41:01+01:00 sziami dhcpd: DHCPOFFER on XXX.XXX.242.138 to XX:XX:f3:dc:78:82 (huygens) via eth0
2015-03-24T13:41:02+01:00 sziami charon: 15[MGR] ignoring request with ID 5, already processing
2015-03-24T13:41:03+01:00 sziami charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
2015-03-24T13:41:03+01:00 sziami dhcpd: DHCPDISCOVER from XX:XX:f3:dc:78:82 (huygens) via eth0
2015-03-24T13:41:03+01:00 sziami dhcpd: DHCPOFFER on XXX.XXX.242.138 to XX:XX:f3:dc:78:82 (huygens) via eth0
2015-03-24T13:41:04+01:00 sziami charon: 14[IKE] retransmit 1 of request with message ID 0

If dhcp is running on a different host it works fine.

Tried Strongswan version
4.5.2 (debian wheezy)
5.2.1 (debian jessie)

I saw this letter: https://lists.strongswan.org/pipermail/users/2014-October/006816.html
and tried: iptables -t mangle -A POSTROUTING -o eth0 -p udp -m udp --dport 67 -j CHECKSUM --checksum-fill
But no success.

Laszlo

History

#1 Updated by Noel Kuntze over 10 years ago

Hello Laszlo,

The page about the dhcp plugin [1] has a solution for this problem.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin

Kind regards,
Noel Kuntze

#2 Updated by Laszlo Madarassy over 10 years ago

Hello Noel,

I have already tried this solution, but unfortunately it won't work for me. In my situation the DHCP request packet arrives at the dhcp daemon, but the offer is not received by strongswan.
I also tried to set a unicast dhcp server address, but in this situation the DHCP request packet goes on the loopback interface.

Br,
Laszlo

Noel Kuntze wrote:

Hello Laszlo,

The page about the dhcp plugin [1] has a solution for this problem.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin

Kind regards,
Noel Kuntze

#3 Updated by Tobias Brunner over 10 years ago

  • Status changed from New to Feedback

This looks strange:

2015-03-24T13:41:00+01:00 sziami charon: 09[IKE] peer requested virtual IP %any6
2015-03-24T13:41:00+01:00 sziami charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255

The dhcp plugin should decline requests for virtual IPv6 addresses. That this happens could indicate a problem with your build (e.g. a plugin from a different build than charon).

Have you configured charon.plugins.dhcp.interface? Is charon.plugins.dhcp.identity_lease enabled?

2015-03-24T13:41:01+01:00 sziami dhcpd: DHCPOFFER on XXX.XXX.242.138 to XX:XX:f3:dc:78:82 (huygens) via eth0

Is that the MAC address of your physical interface (eth0)? Or does it start with 7a:a7 (i.e. is generated by the plugin)? What is logged if you enable charon.plugins.dhcp.force_server_address and set charon.plugins.dhcp.server to the broadcast address of your subnet?

#4 Updated by Laszlo Madarassy over 10 years ago

Dear Tobias,

After setting force_server_address to yes and the dhcp.server to the local broadcast address it started to work.

Thanks
Laszlo

#5 Updated by Tobias Brunner over 10 years ago

  • Tracker changed from Bug to Issue
  • Category set to configuration
  • Resolution set to No change required

Great!

#6 Updated by Tobias Brunner about 10 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
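
An added example (not part of the original thread and not strongSwan code): a small Python triage for a combined charon/dhcpd syslog like the one in the description. It reports the points examined above: whether charon kept sending DISCOVERs after dhcpd had already logged an OFFER, whether a %any6 request was followed by a DHCP DISCOVER, and whether the offered MAC has the plugin-generated 7a:a7 prefix. The sample log is constructed, and the function name `triage` and the matching on charon's thread number are assumptions.

```python
import re

# Line formats taken from the log excerpt in the report.
CHARON_DISCOVER = re.compile(r"charon: (\d+)\[CFG\] sending DHCP DISCOVER to (\S+)")
CHARON_VIP6 = re.compile(r"charon: (\d+)\[IKE\] peer requested virtual IP %any6")
DHCPD_OFFER = re.compile(r"dhcpd: DHCPOFFER on (\S+) to (\S+)")

# Constructed sample (placeholder host, documentation IP range, made-up MAC).
SAMPLE = """\
2015-03-24T13:41:00+01:00 gw charon: 09[IKE] peer requested virtual IP %any6
2015-03-24T13:41:00+01:00 gw charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
2015-03-24T13:41:00+01:00 gw dhcpd: DHCPDISCOVER from 7a:a7:00:00:00:01 (client) via eth0
2015-03-24T13:41:01+01:00 gw dhcpd: DHCPOFFER on 192.0.2.138 to 7a:a7:00:00:00:01 (client) via eth0
2015-03-24T13:41:01+01:00 gw charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
2015-03-24T13:41:03+01:00 gw charon: 09[CFG] sending DHCP DISCOVER to 255.255.255.255
2015-03-24T13:41:03+01:00 gw dhcpd: DHCPOFFER on 192.0.2.138 to 7a:a7:00:00:00:01 (client) via eth0
"""

def triage(log_text):
    """Summarise the DISCOVER/OFFER exchange in a combined charon + dhcpd syslog."""
    r = {"discovers": 0, "offers": 0, "discovers_after_offer": 0,
         "vip6_then_discover": False, "plugin_generated_mac": False}
    vip6_threads = set()  # charon threads that logged a %any6 request (heuristic)
    for line in log_text.splitlines():
        if m := CHARON_VIP6.search(line):
            vip6_threads.add(m.group(1))
        elif m := CHARON_DISCOVER.search(line):
            r["discovers"] += 1
            # A DISCOVER sent after dhcpd already answered means charon
            # did not see that OFFER and is retrying.
            if r["offers"]:
                r["discovers_after_offer"] += 1
            # The thread notes that the dhcp plugin should decline IPv6 requests.
            if m.group(1) in vip6_threads:
                r["vip6_then_discover"] = True
        elif m := DHCPD_OFFER.search(line):
            r["offers"] += 1
            # 7a:a7 prefix: MAC generated by the plugin, not the physical NIC.
            if m.group(2).lower().startswith("7a:a7"):
                r["plugin_generated_mac"] = True
    r["offer_not_received"] = r["discovers_after_offer"] > 0
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
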