Discussion:
[strongSwan] Trouble with strongswan and dhcp server on same host
Nathan Hüsken
2018-07-23 16:09:37 UTC
Hi,

I have installed strongswan and dnsmasq (which also is used as a dhcp server) on the same host. I want to give remote computers ips through dnsmasq, so I set:

rightsourceip=%dhcp

Now strongswan seemed to have problems reaching the dhcp server. So I set

interface=eth1

in /etc/strongswan/strongswan.d/charon/dhcp.conf. Now looking at the logs, I see:

charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
charon: 03[NET] received packet: from 185.38.41.42[60669] to 89.145.162.204[4500]
charon: 03[NET] waiting for data on sockets
charon: 15[MGR] checkout IKEv2 SA by message with SPIs a26490f46fda38af_i c55a50bf7d6c4f76_r
charon: 15[MGR] ignoring request with ID 5, already processing
charon: 15[MGR] IKE_SA checkout not successful
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255

So dnsmasq receives the DHCP requests and answers them, but strongswan never seems to get the answer. So I set:

force_server_address = yes
server = 192.168.123.255
The server is my local broadcast address. Now the connection fails immediately, and in the logs I see:

strongswan: 14[IKE] no virtual IP found for %any requested by 'nathan'
strongswan: 14[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE

And there is not even an attempt to ask the DHCP server.

Why does strongswan not even send a DHCP DISCOVER?
What could be the reason?

Thanks!
Nathan
Tobias Brunner
2018-07-24 12:49:11 UTC
Hi Nathan
Post by Nathan Hüsken
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
charon: 03[NET] received packet: from 185.38.41.42[60669] to
89.145.162.204[4500]
charon: 03[NET] waiting for data on sockets
charon: 15[MGR] checkout IKEv2 SA by message with SPIs
a26490f46fda38af_i c55a50bf7d6c4f76_r
charon: 15[MGR] ignoring request with ID 5, already processing
charon: 15[MGR] IKE_SA checkout not successful
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
So dnsmasq receives the dhcp requests, answers but strongswan seems to
never get it.
Not sure what exactly causes that but maybe the packet never makes it
out of dnsmasq in a way the raw packet socket in the dhcp plugin can
read it. Often the local DHCP server does not receive the request,
Post by Nathan Hüsken
    force_server_address = yes
    server = 192.168.123.255
The server is my local broadcast address. Now the connection fails
strongswan: 14[IKE] no virtual IP found for %any requested by 'nathan'
strongswan: 14[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
And not even an attempt, to ask the dhcp server.
Why is strongswan does not even requesting a DHCP DISCOVER?
What could be the reason?
If you are using 5.6.3, you should have read further up in the log,
where the plugin is loaded. The problem most likely is a port conflict
(see the discussion at [1] and please try the patch at [2]).

Regards,
Tobias

[1] https://lists.strongswan.org/pipermail/dev/2018-June/001913.html
[2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=707b7072
Nathan Hüsken
2018-07-24 18:44:18 UTC
Hi,

OK, I thought I looked through logs for all errors. But you are correct, I get:

unable to bind DHCP send socket: Permission denied

I get this error also if dnsmasq is stopped. And I can bind to UDP ports 67 and 68 using nc (I can also send on those ports).
So it is not the reused-port problem, but a permission problem.

I find that kind of irritating. After all, strongswan can also bind port 500.

Any ideas how I could fix this?

Thanks!
Nathan


--
Dr. Nathan Hüsken
Cloud Developer

***@wintercloud.de
+49 151 703 478 84

wintercloud GmbH & Co. KG
Emil-Maier-Str. 16
69115 Heidelberg

wintercloud.de

Registered office of the limited partnership: Heidelberg, register number of the limited partnership in the commercial register: AG Mannheim HRA 707268
General partner: junah GmbH, registered office of the general partner: Heidelberg, register number of the general partner in the commercial register: AG Mannheim HRB 726538, managing directors of the general partner: Julian Wintermayr and Dr. Nathan Hüsken

VAT ID: DE815676705

Nathan Hüsken
2018-07-24 22:07:51 UTC
Hey,

I solved it. The permission error goes away when I start strongswan via:

strongswan start

instead of

service strongswan start

(I am on CentOS). Now I get the port conflict, as in the references you sent. I did not yet try the patch, because I want a strongswan installation from the package manager.
But I removed dnsmasq and installed dhcpd. Now it works!

I still have to start strongswan via "strongswan start", but I guess that is something specific to CentOS or my installation.

Thanks for the help!
Nathan
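Tobias' advice above was to read the log where the dhcp plugin loads, and the thread ended up showing three distinct failure signatures: the send socket could not be bound, DISCOVERs went out but dnsmasq's OFFERs never came back into charon, and no DISCOVER was attempted at all before INTERNAL_ADDRESS_FAILURE. The script below is an added example for triaging those signatures, not strongSwan code and not something posted in the thread. It matches the line formats quoted in the messages above; the "received DHCP OFFER" wording used for the success case is an assumption (it is not shown on this page), and the sample logs are constructed from the thread's excerpts.

```python
"""Added example: sort strongSwan dhcp-plugin log lines into the failure
modes discussed in this thread. Not strongSwan's own code."""
import re
from collections import Counter

# Line formats quoted in the thread, except where marked ASSUMED.
PATTERNS = {
    # quoted: the plugin could not bind the UDP socket it sends DISCOVERs from
    "bind_failed": re.compile(r"unable to bind DHCP send socket: (?P<reason>.+)$"),
    # quoted: charon broadcasting a DISCOVER
    "discover_sent": re.compile(r"charon: \d+\[CFG\] sending DHCP DISCOVER to (?P<dst>\S+)"),
    # quoted: dnsmasq seeing the DISCOVER and answering it
    "server_discover": re.compile(r"dnsmasq-dhcp\[\d+\]: DHCPDISCOVER\((?P<ifname>\w+)\) (?P<mac>\S+)"),
    "server_offer": re.compile(r"dnsmasq-dhcp\[\d+\]: DHCPOFFER\((?P<ifname>\w+)\) (?P<ip>\S+) (?P<mac>\S+)"),
    # ASSUMED wording for charon accepting an offer; not quoted on this page
    "charon_offer": re.compile(r"charon: \d+\[CFG\] received DHCP OFFER (?P<ip>\S+)"),
    # quoted: the IKE side gave up on assigning a virtual IP
    "addr_failure": re.compile(r"no virtual IP found, sending INTERNAL_ADDRESS_FAILURE"),
}


def scan(lines):
    """Count matches per pattern and keep the first captured groups of each."""
    counts = Counter()
    details = {}
    for line in lines:
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                counts[name] += 1
                details.setdefault(name, m.groupdict())
    return counts, details


def diagnose(lines):
    """Return (code, hint); the hints restate what this thread found."""
    counts, details = scan(lines)
    if counts["bind_failed"]:
        reason = details["bind_failed"]["reason"]
        return ("bind_failed",
                f"plugin could not bind its send socket ({reason}); in this thread "
                "that was a local DHCP server already holding UDP 67/68 (the 5.6.3 "
                "port conflict) and, separately, a permission error that only "
                "appeared when charon was started through the CentOS service wrapper")
    if counts["addr_failure"] and not counts["discover_sent"]:
        return ("no_discover",
                "INTERNAL_ADDRESS_FAILURE without any DISCOVER: the plugin never got "
                "a usable socket, so look further up the log where it is loaded")
    if counts["server_offer"] and not counts["charon_offer"]:
        return ("offer_not_received",
                f"{counts['server_offer']} OFFER(s) logged by the local DHCP server "
                f"but none seen by charon after {counts['discover_sent']} DISCOVER(s); "
                "the reply is not reaching the plugin's raw packet socket")
    if counts["charon_offer"]:
        return ("ok", f"charon accepted offer for {details['charon_offer']['ip']}")
    return ("unknown", "no dhcp-plugin activity matched")


# Constructed sample logs built from the excerpts quoted in this thread.
LOG_OFFER_NOT_RECEIVED = """\
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
dnsmasq-dhcp[27740]: DHCPOFFER(eth1) 192.168.123.207 7a:a7:33:54:e9:78
charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
""".splitlines()

LOG_BIND_FAILED = """\
charon: 00[CFG] unable to bind DHCP send socket: Permission denied
charon: 14[IKE] no virtual IP found for %any requested by 'nathan'
charon: 14[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
""".splitlines()

LOG_NO_DISCOVER = """\
charon: 14[IKE] no virtual IP found for %any requested by 'nathan'
charon: 14[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
""".splitlines()

if __name__ == "__main__":
    for name, log in (("offer-not-received", LOG_OFFER_NOT_RECEIVED),
                      ("bind-failed", LOG_BIND_FAILED),
                      ("no-discover", LOG_NO_DISCOVER)):
        code, hint = diagnose(log)
        print(f"{name}: {code} - {hint}")
```

On a real host you would feed it `journalctl -u strongswan` (or the syslog file charon and dnsmasq both write to) so that the server-side DHCPOFFER lines and the charon lines are interleaved; the `bind_failed` check runs first precisely because, as in this thread, that line sits well above the DISCOVER noise and is easy to miss.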

