[Openswan Users] Problem with ShrewSoft VPN Client in DHCP over IPSec Configuration

Martin Krellmann martin2002 at web.de
Tue Jun 16 09:17:17 EDT 2009

> Does ShrewSoft claim this should work with openswan?

No, not explicitly. They only say that ShrewSoft Client is supposed to work
with OpenSWAN in general...
Maybe it does not work... so let's think about another client.

I've also tested a demo version of NCP Secure Entry Client - which is, as far as I
know, a successor of SSH Sentinel. And SSH Sentinel should work with Openswan
and DHCP over IPSec (most .

The NCP Client successfully connects to the gateway, sends the DHCP
DISCOVERY package. The DHCP Server listening directly on the ipsec0
interface (dhcp-relay from ISC does not work with DHCPd on the same host -
routing problems I guess) then answers the Request (DHCP OFFER with IP; is the pool; the subnet). The problem
here is that the offer is either never sent over the tunnel or not in time.
E.g. it does not reach the client. I've logged the transmission with tcpdump
and Wireshark. The OFFER package has as target IP, which is not
right in my opinion. I think it should be or even
So I guess Openswan does not know to which connection it belongs and drops
the package.

> I am not sure if we support dhcp over ipsec properly...

In the "doc" directory of the Openswan source code there is a file named
"README.x509". In it there is an example of the DHCP-over-IPSec
configuration (which I use also). But they're talking about an X.509 patch
that has to be applied to the source code to support DHCP-over-IPSec.
Is this patch already applied to the 2.6.21 source release of Openswan? If
not, this could explain anything... ;)

I've also taken a quick look at the source code. There I found the following
#from pluto/virtual.c:
#virtual string must be :
# vhost = accept only a host (/32)
# vnet  = accept any network
# %no   = no virtual IP (accept public IP)
# %dhcp = accept DHCP SA ( of affected IP [not implemented]
# %ike  = accept affected IKE Config Mode IP [not implemented]
# %priv = accept system-wide private net list
# %v4:x = accept ipv4 in list 'x'
# %v6:x = accept ipv6 in list 'x'
# %all  = accept all ips [only for testing]
# ex: vhost:%no,%dhcp,%priv,%v4:

So I guess it is planned to support the %dhcp and %ike options to support the
client auto configuration directly in future. But this should not affect
the routing of DHCP packages, or not?


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Monday, 15 June 2009 22:46
To: Martin Krellmann
Cc: users at openswan.org
Subject: Re: [Openswan Users] Problem with ShrewSoft VPN Client in DHCP over
IPSec Configuration

On Mon, 15 Jun 2009, Martin Krellmann wrote:

> When I try to establish a connection with the ShrewSoft Client it fails...
> DHCP over IPSec, no NAT on both sides: "roadwarrior-dhcp"[1] #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected

I am not sure if we support dhcp over ipsec properly...

> Jun 15 16:07:37 gateway pluto[23447]: "roadwarrior-dhcp"[2] #4: cannot respond to IPsec SA request
> because no connection is known for xxx.xxx.xxx.xxx[C=DE, ST=Brandenburg, L=Potsdam, O=Krellmann, OU=Servers,
> CN=vpngate, E=root at vpngate.potsdam.krellmann.net,+S=C]:17/67...[C=DE, O=krellmann, OU=roadwarrior,
> CN=potsdam.krellmann.net, E=martin at krellmann.net,+S=C]:17/68

So it is trying with protoport=17/67 to protoport=17/68

> conn roadwarrior-dhcp
>        keylife=60s
>        rekeymargin=30s
>        rekey=no
>        leftcert=g1.krellmann.net.pem
>        leftprotoport=udp/bootps
>        #this allows DHCP discovery broadcast:
>        leftsubnet=

It might allow the packet, but I doubt it will ever be sent over the tunnel

>        right=%any
>        rightcert=roadwarrior.potsdam.krellmann.net.pem
>        rightprotoport=udp/bootpc
>        auto=add

Does ShrewSoft claim this should work with openswan?
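The "no connection is known for ... :17/67...:17/68" line above encodes both peers as host[ID]:protocol/port, which is what Paul reads back as protoport=17/67 to 17/68. As an added example (not code from the thread or from Openswan), the script below parses that pluto line and checks the logged selectors against the conn's leftprotoport/rightprotoport, so a mismatch there can be ruled in or out before looking at IDs, subnets or certificates. The lookup tables and the one-line reassembly of the log line are assumptions made for the example.

```python
import re

# Assumed lookup tables: the protocol and service numbers pluto logs in place
# of the names used in ipsec.conf (IANA values; /etc/services agrees).
PROTO_NUMBERS = {"udp": 17, "tcp": 6}
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# Log line from the thread, reassembled onto one line ("at" kept as the page shows it).
SAMPLE_LINE = (
    'Jun 15 16:07:37 gateway pluto[23447]: "roadwarrior-dhcp"[2] #4: cannot '
    "respond to IPsec SA request because no connection is known for "
    "xxx.xxx.xxx.xxx[C=DE, ST=Brandenburg, L=Potsdam, O=Krellmann, OU=Servers, "
    "CN=vpngate, E=root at vpngate.potsdam.krellmann.net,+S=C]:17/67..."
    "[C=DE, O=krellmann, OU=roadwarrior, CN=potsdam.krellmann.net, "
    "E=martin at krellmann.net,+S=C]:17/68"
)
# The thread's conn, reduced to the two selectors that matter here.
SAMPLE_CONN = {"leftprotoport": "udp/bootps", "rightprotoport": "udp/bootpc"}

# pluto prints each peer as host[ID]:proto/port, the two peers separated by "...".
SELECTOR_RE = re.compile(
    r"no connection is known for (?P<lhost>[^\[\s]*)\[(?P<lid>[^\]]*)\]"
    r":(?P<lpp>\d+/\d+)\.\.\.(?P<rhost>[^\[\s]*)\[(?P<rid>[^\]]*)\]"
    r":(?P<rpp>\d+/\d+)"
)

def protoport_to_numeric(spec):
    """Render an ipsec.conf protoport ('udp/bootps') as pluto logs it ('17/67')."""
    proto, port = spec.lower().split("/")
    port_num = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return f"{PROTO_NUMBERS[proto]}/{port_num}"

def parse_no_connection_line(line):
    """Extract both peers' IDs and traffic selectors from the pluto error line."""
    m = SELECTOR_RE.search(line)
    if m is None:
        return None
    return {"left_id": m.group("lid"), "left_protoport": m.group("lpp"),
            "right_id": m.group("rid"), "right_protoport": m.group("rpp")}

def protoport_mismatches(conn, parsed):
    """Selector differences between the conn and the request; an empty list
    means the protoports agree and the failure lies elsewhere (IDs, subnet, certs)."""
    problems = []
    for side in ("left", "right"):
        want = protoport_to_numeric(conn[side + "protoport"])
        got = parsed[side + "_protoport"]
        if want != got:
            problems.append(f"{side}: conn {want} vs request {got}")
    return problems
```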

