I have implemented a StrongSwan VPN server and would like to configure it to dynamically assign IPs to the end client. The VPN works if I give it an IP range however not if I set it to DHCP.
This is my dhcp.conf file:
dhcp {
# Always use the configured server address.
force_server_address = yes
# Derive user-defined MAC address from hash of IKE identity.
# identity_lease = yes
# Interface name the plugin uses for address allocation.
# interface =
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# DHCP server unicast or broadcast IP address.
server = 10.0.0.255
}
And my ipsec.conf file:
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=10.0.0.2
leftsubnet=255.255.255.0/24
leftcert=vpnHostCert.pem
right=%any
rightsubnet=255.255.255.0/24
rightdns=10.0.0.2
rightsourceip=10.0.1.0/24
# rightsourceip=%dhcp
compress=yes
conn IPSec-IKEv2
auto=add
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
conn CiscoIPSec
keyexchange=ikev1
rightauth=pubkey
rightauth2=xauth
auto=add
Currently I have commented out the DHCP functionality so the VPN is functional.
Here are logs from the attempted connection: (cut for new logs)
Jul 8 16:13:09 dhcp charon: 04[IKE] IKE_SA IPSec-IKEv2-EAP[15] state change: CONNECTING => ESTABLISHED
Jul 8 16:13:09 dhcp charon: 04[IKE] peer requested virtual IP %any
Jul 8 16:13:09 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:10 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:11 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:11 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:11 dhcp charon: 07[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:12 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:14 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:14 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:14 dhcp charon: 13[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:15 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:18 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:18 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:18 dhcp charon: 01[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:19 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:24 dhcp charon: 04[CFG] DHCP DISCOVER timed out
As you can see in the logs, StrongSwan is attempting to get a lease from the DHCP server however it never gets a response to it's DHCPDiscover.
The VPN and DHCP server are both on the same machine (10.0.0.2). As you will see in the dhcp.conf file, I have specified 10.0.0.255 (as per the note at the bottom of this strongswan doc). I have also tried 10.0.0.2, 0.0.0.0, 127.0.0.1, 255.255.255.0, 255.255.255.255 and none of them have worked.
DHCP works perfectly fine for everything internally so I'm pretty sure it's a StrongSwan issue.
EDIT:
I have managed to get a response from the DHCP server, however the VPN software can not see it. Here are my changes to my VPN's DHCP config as well as the logs.
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (528 bytes)
Jul 10 09:41:52 dhcp charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 09:41:52 dhcp charon: 08[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
Jul 10 09:41:52 dhcp charon: 08[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:41:52 dhcp charon: 08[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:41:52 dhcp charon: 08[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
Jul 10 09:41:52 dhcp charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Jul 10 09:41:52 dhcp charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
Jul 10 09:41:52 dhcp charon: 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
Jul 10 09:41:52 dhcp charon: 08[CFG] proposal matches
Jul 10 09:41:52 dhcp charon: 08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[IKE] local host is behind NAT, sending keep alives
Jul 10 09:41:52 dhcp charon: 08[IKE] remote host is behind NAT
Jul 10 09:41:52 dhcp charon: 08[IKE] sending cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
Jul 10 09:41:52 dhcp charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 09:41:52 dhcp charon: 08[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (337 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 07[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (972 bytes)
Jul 10 09:41:52 dhcp charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
Jul 10 09:41:52 dhcp charon: 07[IKE] received 31 cert requests for an unknown ca
Jul 10 09:41:52 dhcp charon: 07[CFG] looking for peer configs matching 10.0.0.2[%any]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:41:52 dhcp charon: 07[CFG] candidate "IPSec-IKEv2", match: 1/1/1052 (me/other/ike)
Jul 10 09:41:52 dhcp charon: 07[CFG] candidate "IPSec-IKEv2-EAP", match: 1/1/1052 (me/other/ike)
Jul 10 09:41:52 dhcp charon: 07[CFG] selected peer config 'IPSec-IKEv2'
Jul 10 09:41:52 dhcp charon: 07[IKE] peer requested EAP, config inacceptable
Jul 10 09:41:52 dhcp charon: 07[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Jul 10 09:41:52 dhcp charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_DNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_NBNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_SERVER attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_DNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_SERVER attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] peer supports MOBIKE
Jul 10 09:41:52 dhcp charon: 07[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with RSA signature successful
Jul 10 09:41:52 dhcp charon: 07[IKE] sending end entity cert "C=AU, O=EXAMPLE, CN=EXAMPLE AU"
Jul 10 09:41:52 dhcp charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 10 09:41:52 dhcp charon: 07[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (1516 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 10[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 10 09:41:52 dhcp charon: 10[IKE] received EAP identity 'shane'
Jul 10 09:41:52 dhcp charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xB2)
Jul 10 09:41:52 dhcp charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 10[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (108 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 09[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (140 bytes)
Jul 10 09:41:52 dhcp charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 09[IKE] EAP-MS-CHAPv2 username: 'shane'
Jul 10 09:41:52 dhcp charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 09[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 10 09:41:52 dhcp charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 10 09:41:52 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 12[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (92 bytes)
Jul 10 09:41:52 dhcp charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of '10.1.1.5' with EAP successful
Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with EAP
Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] established between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
Jul 10 09:41:52 dhcp charon: 12[IKE] peer requested virtual IP %any
Jul 10 09:41:52 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:52 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be via team0
Jul 10 09:41:53 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:53 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:54 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:54 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:54 dhcp charon: 06[MGR] ignoring request with ID 5, already processing
Jul 10 09:41:55 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:55 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:55 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:57 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:57 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:57 dhcp charon: 15[MGR] ignoring request with ID 5, already processing
Jul 10 09:41:58 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:58 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:58 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:00 dhcp chronyd[728]: NTP packet received from unauthorised host 10.0.0.2 port 123
Jul 10 09:42:02 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:42:02 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:02 dhcp charon: 10[MGR] ignoring request with ID 5, already processing
Jul 10 09:42:02 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:42:02 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:02 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:07 dhcp charon: 12[CFG] DHCP DISCOVER timed out
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any requested by 'shane'
Jul 10 09:42:07 dhcp charon: 12[IKE] peer requested virtual IP %any6
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any6 requested by 'shane'
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 10 09:42:07 dhcp charon: 12[CFG] looking for a child config for ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0
Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for us:
Jul 10 09:42:07 dhcp charon: 12[CFG] 255.255.255.0/24
Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for other:
Jul 10 09:42:07 dhcp charon: 12[CFG] 255.255.255.0/24
Jul 10 09:42:07 dhcp charon: 12[CFG] candidate "IPSec-IKEv2-EAP" with prio 1+1
Jul 10 09:42:07 dhcp charon: 12[CFG] found matching child config "IPSec-IKEv2-EAP" with prio 2
Jul 10 09:42:07 dhcp charon: 12[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 10 09:42:07 dhcp charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jul 10 09:42:07 dhcp charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
Jul 10 09:42:07 dhcp charon: 12[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (124 bytes)
Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:42:07 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:42:07 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:07 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:42:07 dhcp charon: 11[ENC] parsed INFORMATIONAL request 6 [ D ]
Jul 10 09:42:07 dhcp charon: 11[IKE] received DELETE for IKE_SA IPSec-IKEv2-EAP[1]
Jul 10 09:42:07 dhcp charon: 11[IKE] deleting IKE_SA IPSec-IKEv2-EAP[1] between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: ESTABLISHED => DELETING
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA deleted
Jul 10 09:42:07 dhcp charon: 11[ENC] generating INFORMATIONAL response 6 [ ]
Jul 10 09:42:07 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: DELETING => DESTROYING
Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:42:08 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
Jul 10 09:42:08 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:08 dhcp charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (384 bytes)
Jul 10 09:42:08 dhcp charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Jul 10 09:42:08 dhcp charon: 14[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
Jul 10 09:42:08 dhcp charon: 14[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:42:08 dhcp charon: 14[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
Jul 10 09:42:08 dhcp charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Jul 10 09:42:08 dhcp charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Jul 10 09:42:08 dhcp charon: 14[IKE] xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:42:08 dhcp charon: 14[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:42:08 dhcp charon: 14[IKE] no proposal found
Jul 10 09:42:08 dhcp charon: 14[IKE] queueing INFORMATIONAL task
Jul 10 09:42:08 dhcp charon: 14[IKE] activating new tasks
Jul 10 09:42:08 dhcp charon: 14[IKE] activating INFORMATIONAL task
Jul 10 09:42:08 dhcp charon: 14[ENC] generating INFORMATIONAL_V1 request 2146740619 [ N(NO_PROP) ]
Jul 10 09:42:08 dhcp charon: 14[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Jul 10 09:42:08 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
And the new configuration:
dhcp {
force_server_address = yes
interface = team0
load = yes
server = 255.255.255.255
}
Best Answer
I have solved it! See the note at the bottom of the page (here)[1]... As specified earlier, I did try this but no luck. I have a NIC team on em1 and em2, to become team0. StrongSwan seems to have not considered this interface.
I changed interface to team0, and my server was 255.255.255.255 - the DHCP server could see the requests however VPN could not see the replies. Once I set server to 10.0.0.255 WITH interface set to team0, it all started working.
So the trick is, if you are using NIC teaming, you need to specify your team as the interface, and server as your local broadcast address. You need to set force_server_address to yes, and identity_lease doesn't seem to affect it.
I hope this may save others from the nightmare.
My final config:
And what the DHCP section of my logs looks like now:
Please note, the DHCP daemon seems to log that it's receiving requests faster than Charon seems to log that it has requested something.
I hope this saves someone else the time and frustration.