Strongswan (IPsec) can't use DHCP

Turris Omnia 4.0.3

I recently updated from 3.11 to 4.0 and am trying to resurrect my previous configuration. Most things work fine, but I can't set up the strongSwan server. I followed the strongSwan configuration recipe for Turris Omnia (which worked for me on 3.x), however my clients can't get an IP address through DHCP:

Jan 18 10:05:53 turris : 09[IKE] scheduling reauthentication in 9856s
Jan 18 10:05:53 turris : 09[IKE] maximum IKE_SA lifetime 10396s
Jan 18 10:05:53 turris : 09[IKE] peer requested virtual IP %any
Jan 18 10:05:53 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:05:54 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:05:55 turris : 14[MGR] ignoring request with ID 4, already processing
Jan 18 10:05:56 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:05:58 turris : 11[MGR] ignoring request with ID 4, already processing
Jan 18 10:05:59 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:06:01 turris /usr/sbin/cron[12559]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
Jan 18 10:06:02 turris : 10[MGR] ignoring request with ID 4, already processing
Jan 18 10:06:03 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:06:08 turris : 09[CFG] DHCP DISCOVER timed out
Jan 18 10:06:08 turris : 09[IKE] no virtual IP found for %any requested by 'nstepa'
Jan 18 10:06:08 turris : 09[IKE] peer requested virtual IP %any6
Jan 18 10:06:08 turris : 09[IKE] no virtual IP found for %any6 requested by 'nstepa'
Jan 18 10:06:08 turris : 09[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jan 18 10:06:08 turris : 09[IKE] configuration payload negotiation failed, no CHILD_SA built
Jan 18 10:06:08 turris : 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Configs

/etc/strongswan.conf

# charon (strongSwan IKE daemon) settings as posted; review comments added.
charon {
        # DNS server pushed to VPN clients (rightdns in ipsec.conf points at the same host).
        dns1 = 172.27.1.1
        load_modular = yes
        threads = 16
        plugins {
                include strongswan.d/charon/*.conf
                # dhcp plugin: charon requests one lease per client that asks for a
                # virtual IP (rightsourceip=%dhcp in ipsec.conf) instead of using a static pool.
                dhcp {
                        load = yes
                        # Send requests to the configured 'server' address rather than relying on broadcast.
                        force_server_address = yes
                        # The log shows every DHCP DISCOVER to this address timing out.
                        # NOTE(review): 172.27.1.1 looks like the router's own LAN address
                        # (it is also handed out as DNS in /etc/config/dhcp) - confirm the local
                        # dnsmasq actually receives and answers charon's DISCOVER on that address.
                        server = 172.27.1.1
                        # Leases are tied to the client's IKE identity, so the same user
                        # tends to keep the same address across reconnects.
                        identity_lease = yes
                }
        }
}
include strongswan.d/*.conf

/etc/ipsec.conf

# Global IKE settings.
config setup
    # CRL fetch failures do not reject a peer. Low impact here: clients authenticate
    # with EAP (rightauth below), not with certificates.
    strictcrlpolicy=no
    # Several IKE_SAs may share one identity (no forced replacement of an older session).
    # NOTE(review): combined with identity_lease=yes in strongswan.conf, concurrent sessions
    # of the same user would presumably map to the same lease - confirm this is intended.
    uniqueids=no

# IKEv2 road-warrior server: EAP-MSCHAPv2 clients, server authenticated by certificate.
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    # UDP-encapsulate ESP even without NAT: all data traffic arrives on UDP/4500,
    # so the Allow-IPSec-NAT firewall rule is mandatory, not optional.
    forceencaps=yes
    mobike=yes

    left=%any
    # Server identity and certificate (values redacted by the author).
    leftid=**example.com**
    leftcert=**example.com.cer**
    leftsendcert=always
    # Full tunnel: clients route all traffic through the router
    # (vpn->wan forwarding plus masq on wan handle the Internet-bound part).
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    # Clients are authenticated by username/password over EAP; no client certificate is expected.
    rightauth=eap-mschapv2
    # Virtual IPs come from the dhcp plugin - this is the step that fails in the posted log
    # ("DHCP DISCOVER timed out" -> INTERNAL_ADDRESS_FAILURE).
    rightsourceip=%dhcp
#    rightsourceip=172.27.1.5  <<< with this line everything works
    rightdns=172.27.1.1
    rightsendcert=never

    # The EAP identity is taken from the client's IKE identity.
    eap_identity=%identity

/etc/config/firewall


# /etc/config/firewall, part 1: defaults, lan/wan zones and lan->wan forwarding.
config defaults
	option syn_flood '1'
	# Global default is ACCEPT on input; the wan zone below overrides it to REJECT.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	# Unsolicited inbound traffic from the Internet is rejected unless a rule explicitly opens it.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Everything leaving through wan is masqueraded, including traffic forwarded from the vpn zone.
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# /etc/config/firewall, part 2: inbound allow rules on wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IKEv2 server exposure: the next three rules (ESP, UDP/500, UDP/4500) are exactly
# what the ikev2-vpn conn needs from the Internet. With forceencaps=yes in ipsec.conf
# the data traffic arrives on UDP/4500, so Allow-IPSec-NAT is the one that matters most.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-NAT'
	option src 'wan'
	option dest_port '4500'
	option proto 'udp'
	option target 'ACCEPT'

# Least privilege: the posted ipsec.conf uses an ESP tunnel and configures no AH,
# so this rule can be dropped unless some other tunnel on the box relies on AH.
config rule
	option name 'Allow-AH'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'ah'

# /etc/config/firewall, part 3: includes, guest zone and (disabled) wan management rules.
# NOTE(review): /etc/firewall.user is included but its contents are not shown on this page;
# any extra IPsec-related rules would live there - check it when debugging VPN traffic.
config include
	option path '/etc/firewall.user'

config zone 'guest_turris'
	option enabled '1'
	option name 'guest_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'guest_turris'

config forwarding 'guest_turris_forward_wan'
	option enabled '1'
	option name 'guest to wan forward'
	option src 'guest_turris'
	option dest 'wan'

config rule 'guest_turris_dns_rule'
	option enabled '1'
	option name 'guest dns rule'
	option src 'guest_turris'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

config rule 'guest_turris_dhcp_rule'
	option enabled '1'
	option name 'guest dhcp rule'
	option src 'guest_turris'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

# Management ports (22/80/443) stay closed on wan (enabled '0'); VPN clients reach
# them through the vpn zone instead, so there is no reason to enable these.
config rule 'wan_ssh_turris_rule'
	option name 'wan_ssh_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '22'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_http_turris_rule'
	option name 'wan_http_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '80'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_https_turris_rule'
	option name 'wan_https_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '443'
	option proto 'tcp'
	option src 'wan'

config rule 'turris_wan_6in4_rule'
	option enabled '0'

# BCP38 source-address filtering script (IPv4 only).
config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# /etc/config/firewall, part 4: the vpn zone and its forwardings.
# input ACCEPT means every authenticated VPN client can reach all router services
# (ssh, web UI, ...) - acceptable for a personal VPN, but it is the widest setting;
# restrict with rules if only LAN access is intended.
# NOTE(review): 'option network ipsec' only matches traffic if an 'ipsec' interface is
# defined in /etc/config/network (not shown here); confirm VPN traffic really lands in this zone.
config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'ipsec'
	option output 'ACCEPT'
	option name 'vpn'
	option mtu_fix '1'

# VPN clients may reach the LAN, the Internet (masqueraded on wan), and the LAN may reach clients.
config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

/etc/config/dhcp

# /etc/config/dhcp: dnsmasq acts as DHCP server only.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	# Only serve requests coming from directly attached subnets.
	option localservice '1'
	# port 0 disables dnsmasq's DNS listener; DHCP keeps working (DNS is served elsewhere).
	option port '0'

# LAN pool. NOTE(review): charon's DHCP DISCOVER (see strongswan.conf, server = 172.27.1.1)
# gets no answer in the posted log - check that dnsmasq is bound to the interface charon
# sends on and that localservice/nonwildcard do not cause it to ignore that request.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'
	option ignore '0'
	option leasetime '43200'
	# DHCP option 6: hand out the router as DNS server (same address as dns1/rightdns in strongSwan).
	list dhcp_option '6,172.27.1.1'

# No DHCP service on the wan side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest_turris'
	option interface 'guest_turris'
	option ignore '0'
	option start '100'
	option limit '150'
	option leasetime '3600'
	list dhcp_option '6,10.111.222.1'

Any ideas how this problem can be solved?
