[Swan] Road warriors and dhcp

Alex mysqlstudent at gmail.com
Sun Jan 3 01:27:35 UTC 2021


Hi,

I hoped I could ask my dhcp question again.

The windows client obtains an IP on the 192.168.6.0/24 network, but
apparently only because of the rightaddresspool= statement - it
doesn't appear the dhcp server is being consulted at all.

I also can't ping the router on 192.168.6.1, so while the VPN is
connected, there's really no connectivity to the 192.168.6.0 network
or the 192.168.1.0 corporate LAN network.

I'd really appreciate any pointers on how to get started with this.

conn ikev2-cp
    left=68.195.111.42
    leftcert=orion.example.com
    leftid=@68.195.111.42
    leftsendcert=always
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,193.100.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null

Thanks,
Alex

On Thu, Dec 31, 2020 at 3:10 PM Alex <mysqlstudent at gmail.com> wrote:
>
> Hi,
> Now that I have a working VPN for mobile users, I'm having trouble
> assigning IPs on our local network. I'm thinking this is the best
> place to start, rather than a DHCP list without knowledge about how a
> VPN works.
>
> Our internal LAN is 192.168.1.0/24 and leases for mobile workers are
> issued on 192.168.6.0/24.
>
> Should I add a route from the 192.168.6.0 network to the 192.168.1.0
> network for the mobile workers through DHCP?
>
> I recall previously having to add the leftsubnet= parameter as a
> separate connection. Is that necessary here too? Where do I get
> started here?
>
> I'm setting the segment in my config as such:
>     # your addresspool to use - you might need NAT rules if providing full internet to clients
>     rightaddresspool=192.168.6.2-192.168.6.254
>
> I'm also using shorewall for NAT on the 192.168.1.0/24 network. It
> should also be doing NAT on the networks related to the VPN that was
> already configured on this server.
>
> My DHCP server config:
>
> server-name "orion" ;
> authoritative ;
> option domain-name "inside.example.com example.com";
> option T150 code 150 = string;
> default-lease-time 86400;
> max-lease-time 86400;
> one-lease-per-client true;
> allow bootp;
>
> subnet 192.168.6.0 netmask 255.255.255.0 {
>         authoritative;
>         range 192.168.6.2 192.168.6.240;
>         default-lease-time 43200;
>         max-lease-time 86400;
>         option subnet-mask 255.255.255.0;
>         allow unknown-clients;
>         option routers 192.168.6.1;
>         option domain-name-servers 8.8.4.4;
>
> }
>
> subnet 192.168.1.0 netmask 255.255.255.0 {
>         authoritative;
>         range 192.168.1.105 192.168.1.140;
>         default-lease-time 43200;
>         max-lease-time 86400;
>         option subnet-mask 255.255.255.0;
>         allow unknown-clients;
> }
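As an added example for this thread (not code from the poster and not part of libreswan), here is a small Python linter run over the conn block and the dhcpd fragment posted above. It reports the three things that decide what a pool client can actually reach and how the pool interacts with dhcpd: whether leftsubnet is set (libreswan defaults it to left/32, so with only rightaddresspool the client's traffic selector covers the gateway itself and nothing behind it; the shipped ikev2-cp sample uses leftsubnet=0.0.0.0/0), whether the pool, which libreswan allocates from itself, overlaps the LAN or a range dhcpd also hands out, and whether the esp= list carries legacy SHA-1 proposals or duplicates. The CONN and DHCPD strings are copied from the post; the 192.168.1.0/24 LAN list is taken from the poster's description; the finding codes and helper names are this example's own.

```python
"""Lint a libreswan road-warrior conn for what a pool client can reach.

Added example for this thread, not code from the poster or from libreswan.
CONN and DHCPD are copied from the post; LAN_SUBNETS (192.168.1.0/24, as
stated in the post), the finding codes and the helper names are this
example's own.
"""
import ipaddress
import re

CONN = """\
conn ikev2-cp
    left=68.195.111.42
    leftcert=orion.example.com
    leftid=@68.195.111.42
    leftsendcert=always
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,193.100.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null
"""

# dhcpd.conf fragment from the post; only the pool subnet matters here.
DHCPD = """\
subnet 192.168.6.0 netmask 255.255.255.0 {
        range 192.168.6.2 192.168.6.240;
        option routers 192.168.6.1;
}
"""

LAN_SUBNETS = ["192.168.1.0/24"]          # the corporate LAN named in the post
LEGACY_TOKENS = {"sha1", "md5", "3des"}   # algorithm names the linter flags


def parse_conn(text):
    """Return (name, {key: value}) for one 'conn' block; '#' starts a comment."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return name, opts


def to_range(lo, hi):
    """Two address strings -> inclusive (int, int) range."""
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))


def net_range(cidr):
    """CIDR string -> inclusive (int, int) range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def dhcp_ranges(text):
    """Every 'range A B;' statement in a dhcpd.conf fragment as (int, int)."""
    return [to_range(lo, hi)
            for lo, hi in re.findall(r"\brange\s+(\S+)\s+(\S+)\s*;", text)]


def overlaps(a, b):
    """True when two inclusive integer ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def fmt(r):
    return f"{ipaddress.ip_address(r[0])}-{ipaddress.ip_address(r[1])}"


def lint(conn_text, dhcpd_text, lan_subnets):
    """Return a list of (code, message) findings for the conn."""
    name, o = parse_conn(conn_text)
    findings = []
    pool = to_range(*o["rightaddresspool"].split("-", 1)) if "rightaddresspool" in o else None

    # 1. Without leftsubnet, libreswan uses left/32 as the local traffic
    #    selector, so a pool client gets a tunnel to the gateway only.
    if pool and "leftsubnet" not in o:
        findings.append(("NO_LEFTSUBNET",
                         f"{name}: leftsubnet unset, defaults to {o.get('left')}/32; "
                         "set leftsubnet=0.0.0.0/0 (full tunnel) or the LAN prefix"))

    # 2. The pool is libreswan's own allocator: it must not collide with a
    #    real LAN prefix or with a range dhcpd also hands out.
    if pool:
        for cidr in lan_subnets:
            if overlaps(pool, net_range(cidr)):
                findings.append(("POOL_OVERLAPS_LAN", f"pool {fmt(pool)} overlaps LAN {cidr}"))
        for rng in dhcp_ranges(dhcpd_text):
            if overlaps(pool, rng):
                findings.append(("POOL_OVERLAPS_DHCP",
                                 f"pool {fmt(pool)} overlaps dhcpd range {fmt(rng)}; "
                                 "two allocators on one prefix"))

    # 3. ESP proposals: legacy integrity/cipher names and duplicate entries.
    seen = set()
    for alg in filter(None, (a.strip() for a in o.get("esp", "").split(","))):
        if LEGACY_TOKENS & set(alg.split("-")):
            findings.append(("WEAK_ESP", f"esp proposal {alg} uses a legacy algorithm"))
        if alg in seen:
            findings.append(("DUP_ESP", f"esp proposal {alg} listed twice"))
        seen.add(alg)
    return findings


if __name__ == "__main__":
    for code, msg in lint(CONN, DHCPD, LAN_SUBNETS):
        print(f"{code:20} {msg}")
```

Run against the posted config it reports the missing leftsubnet, the overlap between the 192.168.6.2-254 pool and the 192.168.6.2-240 dhcpd range (harmless only as long as dhcpd never answers on that prefix, since the pool addresses have no interface on the server for it to listen on), the two SHA-1 proposals and the repeated aes_gcm256-null entry. Adding leftsubnet=0.0.0.0/0 to the conn clears the first finding; whether traffic then actually flows still depends on ip_forward and the shorewall forwarding/NAT rules on the gateway, which this linter does not inspect.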
