Sorry to upset you.  It's all very frustrating when there isn't enough clear 
documentation available.

Windows wasn't sending any DHCP requests through the CHILD_SA however it 
doesn't matter because it turns out the leftsubnet gets added to the routing 
table.  So where I had the VPN server on 10.0.0.0/20 and the inner network on 
10.0.64.0/20 and the clients on 172.31.0.0/20, the clients couldn't route 
through to 10.0.64.0/20 without manually adding a route in Windows. However, if 
I set the clients in the 10.0.64.0/20 subnet, then they can route through:

    leftsubnet=10.0.64.0/20
    rightsourceip=10.0.76.5-10.0.79.254

This will be a problem when a client's network is also on the same subnet, but for 
now, it solves the problem.

Kind regards,

Christian Salway
IT Consultant - Naimuri

T: +44 7463 331432
E: christian.sal...@naimuri.com
A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW

> On 9 Aug 2018, at 20:43, Noel Kuntze 
> <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
> 
> What do you intend to say with that? I already wrote that what Windows does 
> has nothing to do with the "dhcp" plugin.
> 
> Look, I did not participate in the developing of the Windows Agile VPN client 
> and I also don't know why they did it. I just tell you how it is.
> After the CHILD_SA is up, Windows starts sending DHCP DISCOVER messages over 
> the CHILD_SA. That's what it does. I don't know *why* it does that and/or who 
> thought that was a good idea, but it does that.
> It does *not* do anything over IKE and it has *no* relation to what the 
> "dhcp" plugin of strongSwan does (which is the *responder* (*not* the 
> initiator) requesting an IP and DNS/WINS settings over DHCP).
> 
> On 8/9/18 1:30 PM, Christian Salway wrote:
>> https://wiki.strongswan.org/issues/1098
>> 
>> Tobias Brunner <https://wiki.strongswan.org/users/8>, almost 3 years ago 
>> <https://wiki.strongswan.org/projects/strongswan/activity?from=2015-09-07>:
>> 
>>  * *Status* changed from /New/ to /Feedback/
>>  * *Priority* changed from /High/ to /Normal/
>> 
>> There is a DHCP plugin 
>> <https://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin> to _assign 
>> virtual IPs and DNS servers to clients_ that are requested by the strongSwan 
>> server via DHCP on behalf of the clients. If you are considering DHCP over 
>> IPsec there is a configuration attribute called |INTERNAL_IP4_DHCP| but 
>> strongSwan has no support for that as client (i.e. it won't request it). And 
>> as server you can only assign it globally via the attr 
>> <https://wiki.strongswan.org/projects/strongswan/wiki/Attrplugin> or the 
>> attr-sql <https://wiki.strongswan.org/projects/strongswan/wiki/Attrsql> 
>> plugins. Also 
>> 
>> 
>> 
>> Kind regards,
>> 
>> *Christian Salway*
>> IT Consultant - *Naimuri*
>> 
>> T: +44 7463 331432
>> E: christian.sal...@naimuri.com <mailto:christian.sal...@naimuri.com>
>> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
>> 
>>> On 9 Aug 2018, at 07:13, Noel Kuntze 
>>> <noel.kuntze+strongswan-users-ml@thermi.consulting 
>>> <mailto:noel.kuntze+strongswan-users-ml@thermi.consulting>> wrote:
>>> 
>>> It's because you're doing it wrong. You must *not* use the dhcp plugin of 
>>> strongSwan to request the IP. Have Windows do a DHCP request over the VPN 
>>> (according to the article it should do that). The dhcp plugin does 
>>> something completely different.
>>> 
>>> On 09.08.2018 08:07, Christian Salway wrote:
>>>> Perhaps the answer is to set the attr DHCP to the IP of the DHCP server 
>>>> inside the VPN but then still, how does the client know how to route to 
>>>> the IP address.
>>>> 
>>>> There doesn’t seem to be a solution for this even though all the parts are 
>>>> there.
>>>> 
>>>>> On 8 Aug 2018, at 15:15, Noel Kuntze 
>>>>> <noel.kuntze+strongswan-users-ml@thermi.consulting 
>>>>> <mailto:noel.kuntze+strongswan-users-ml@thermi.consulting>> wrote:
>>>>> 
>>>>> Hello Christian,
>>>>> 
>>>>> I guess the native Mac OSX client just doesn't support being connected to 
>>>>> more than one server, so this can't be solved with it.
>>>>> 
>>>>> For Windows, you need to set up and run a DHCP server on the VPN server, 
>>>>> which answers the DHCP requests that Windows (uniquely and only Windows!) 
>>>>> sends over the VPN. You can use that to push routes to the client. Just 
>>>>> use the same options as with "real" DHCP clients, requesting 
>>>>> configuration from/on the LAN. This is described in the article about 
>>>>> Windows interoperability[1].
>>>>> 
>>>>> [1] 
>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#Split-routing-on-Windows-10-and-Windows-10-Mobile
>>>>> 
>>>>> Kind regards
>>>>> 
>>>>> Noel
>>>>> 
>>>>>> On 07.08.2018 09:07, Christian Salway wrote:
>>>>>> Hello all,
>>>>>> 
>>>>>> After several months of using strongSwan, I still can't get the routing 
>>>>>> to work correctly on the clients.  I have run out of pages to read on 
>>>>>> the strongswan website so I hope you can help me out.
>>>>>> 
>>>>>> The problem is when I connect to strongSwan, the routing is not 
>>>>>> configured correctly on the clients (OSX and Windows) - using native 
>>>>>> (built-in) clients. All updated with the latest patches/updates.
>>>>>> 
>>>>>> OSX will set up a route based on the local_ts but when I open a 
>>>>>> simultaneous connection to another strongSwan server, it removes the 
>>>>>> route from the first VPN connection and adds its own based on the 
>>>>>> local_ts.
>>>>>> 
>>>>>> WINDOWS doesn't add the route at all.
>>>>>> 
>>>>>> In either case, I normally have to manually add the routes in.
>>>>>> 
>>>>>> Has anyone had any success? Can they please shed some light as to how 
>>>>>> they achieved it?
>>>>>> 
>>>>>> 
>>>>>> Kind regards,
>>>>>> 
>>>>>> *Christian Salway*
>>>>>> IT Consultant - *Naimuri*
>>>>>> 
>>>>>> T: +44 7463 331432
>>>>>> E: christian.sal...@naimuri.com <mailto:christian.sal...@naimuri.com>
>>>>>> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
>>>>>> 
>>>>> 
>>> 
>> 
> 
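The working arrangement Christian describes at the top of the thread (the client installs a route only for leftsubnet, so the rightsourceip pool and the inner network must both sit inside it, and a client whose own LAN overlaps leftsubnet gets a conflicting route) can be checked before a config is deployed. The script below is an added example written for this page; it is not strongSwan code and not from anyone in the thread. It parses leftsubnet and rightsourceip values in the forms used above and reports which prefixes the client is expected to route, whether the pool is covered, which inner networks would be unreachable, and which client LANs would conflict. The "broken" configuration in the usage block is constructed to illustrate the failure mode and is not the exact config from the thread.

```python
"""Check a strongSwan leftsubnet / rightsourceip pairing against client LANs.

Model of the behaviour reported in the thread: the client installs a route
for every prefix listed in leftsubnet and nothing else.  Added example, not
part of the mailing-list thread; all inputs below are constructed samples.
"""
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network


def parse_subnets(value: str) -> List[IPv4Net]:
    """Parse a comma-separated leftsubnet value (e.g. '10.0.64.0/20,10.0.0.0/20')."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]


def parse_pool(value: str) -> List[IPv4Net]:
    """Parse a rightsourceip value: either a CIDR or a 'first-last' address range.

    A range is expanded into the minimal list of CIDR prefixes that cover it,
    so every prefix can be tested against the routes individually.
    """
    value = value.strip()
    if "-" in value:
        first, last = (ipaddress.ip_address(v.strip()) for v in value.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(value, strict=False)]


def covered(routes: Iterable[IPv4Net], target: IPv4Net) -> bool:
    """True if the whole of target lies inside a single installed route."""
    return any(target.subnet_of(route) for route in routes)


def check_routing(leftsubnet: str, rightsourceip: str,
                  inner_networks: Iterable[str],
                  client_lans: Iterable[str]) -> Dict[str, object]:
    """Evaluate one server-side configuration against expected client behaviour.

    Returns:
      client_routes     - prefixes the client is expected to install (leftsubnet)
      pool_in_routes    - every pool prefix is inside an installed route
      unreachable_inner - inner networks not covered by any installed route
      lan_conflicts     - client LANs that overlap an installed route
    """
    routes = parse_subnets(leftsubnet)
    pool = parse_pool(rightsourceip)
    inner = [ipaddress.ip_network(n) for n in inner_networks]
    lans = [ipaddress.ip_network(n) for n in client_lans]
    return {
        "client_routes": [str(r) for r in routes],
        "pool_in_routes": all(covered(routes, p) for p in pool),
        "unreachable_inner": [str(n) for n in inner if not covered(routes, n)],
        "lan_conflicts": [str(lan) for lan in lans
                          if any(lan.overlaps(r) for r in routes)],
    }


if __name__ == "__main__":
    # Values from the thread's working configuration, plus two constructed
    # client LANs: one harmless, one overlapping leftsubnet (the stated caveat).
    print(check_routing("10.0.64.0/20", "10.0.76.5-10.0.79.254",
                        ["10.0.64.0/20"], ["192.168.1.0/24", "10.0.64.0/24"]))
    # Constructed "broken" layout: pool outside leftsubnet, inner net not routed.
    print(check_routing("10.0.0.0/20", "172.31.0.0/20",
                        ["10.0.64.0/20"], ["192.168.1.0/24"]))
```

The check is deliberately conservative: a pool prefix counts as routed only if it is wholly inside one leftsubnet entry, which is the condition under which a single installed route reaches every assigned virtual IP. The LAN-overlap test uses `overlaps` rather than `subnet_of`, since even a partial overlap produces the route conflict the thread warns about.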
