[Swan] Road warriors and dhcp

Alex Regan mysqlstudent at gmail.com
Sun Jan 3 20:52:22 UTC 2021


>> The windows client obtains an IP on the 192.168.6.0/24 network, but
>> apparently only because of the rightaddresspool= statement - it
>> doesn't appear the dhcp server is being consulted at all.
> 
> Correct. libreswan does not consult a DHCP server. It assumes it has
> full authority to assign anything from its given addresspool.

How does it then determine the default gateway and other stuff that 
would normally be obtained by DHCP, such as an NTP server?

I'm also using shorewall on this network, but it operates based on 
"ipsec", not a specific network.

Listening on 192.168.6.0/24 on the VPN server shows no traffic, even 
when trying to ping the gateway.

Here is the routing table from the Windows PC after the VPN is 
connected, using a tether connection on my cell. I've stripped off the 
Metric field to make it more legible.

Active Routes:
Network Destination        Netmask          Gateway       Interface
           0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.203
     68.195.193.42  255.255.255.255     192.168.43.1   192.168.43.203
         127.0.0.0        255.0.0.0         On-link         127.0.0.1
         127.0.0.1  255.255.255.255         On-link         127.0.0.1
   127.255.255.255  255.255.255.255         On-link         127.0.0.1
       192.168.6.0    255.255.255.0         On-link       192.168.6.2
       192.168.6.2  255.255.255.255         On-link       192.168.6.2
     192.168.6.255  255.255.255.255         On-link       192.168.6.2
      192.168.43.0    255.255.255.0         On-link    192.168.43.203
    192.168.43.203  255.255.255.255         On-link    192.168.43.203
    192.168.43.255  255.255.255.255         On-link    192.168.43.203
         224.0.0.0        240.0.0.0         On-link         127.0.0.1
         224.0.0.0        240.0.0.0         On-link    192.168.43.203
         224.0.0.0        240.0.0.0         On-link       192.168.6.2
   255.255.255.255  255.255.255.255         On-link         127.0.0.1
   255.255.255.255  255.255.255.255         On-link    192.168.43.203
   255.255.255.255  255.255.255.255         On-link       192.168.6.2

Here is the VPN adapter on the Windows PC:
PPP adapter ikev2-cp:

    Connection-specific DNS Suffix  . :
    IPv4 Address. . . . . . . . . . . : 192.168.6.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :

Here is the interface on the VPN server for this network:
eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 192.168.6.1  netmask 255.255.255.0  broadcast 192.168.6.255
         ether 0c:c4:7a:a9:18:df  txqueuelen 1000  (Ethernet)
         device memory 0xfb100000-fb11ffff

When I built a subnet-to-subnet VPN some time ago, it was necessary to 
create another connection to allow remote hosts to access individual 
hosts on the local network. Is that not necessary here?

My eventual goal is to allow it to reach the 192.168.1.0/24 corporate 
LAN from the 192.168.6.0/24 IP it's assigned so it can communicate with 
our Asterisk server.

Thanks,
Alex


More information about the Swan mailing list