dhcp Plugin
Purpose
The dhcp plugin for libcharon forwards requests for virtual IP addresses to a DHCPv4 server.
The plugin is disabled by default and can be enabled with the ./configure option --enable-dhcp.
Behavior
When an IKEv2 client requests a virtual IP address via a configuration payload, the plugin allows the daemon to forward this request to a DHCP server. By default, the plugin uses broadcasts, but a designated DHCP server can be configured in strongswan.conf.
The MAC address used in the DHCP request is either randomly generated or, optionally, derived from a hash of the client's IKEv2 identity. If the latter is enabled, the client's identity is also sent in the client identifier DHCP option (61). If the client's identity is an FQDN, it is also sent in the host name DHCP option (12), even if random MAC addresses are used.
DNS/WINS server addresses are additionally passed on to clients if the DHCP server provides them.
In combination with the farp plugin, this plugin lets a roadwarrior fully act as a client on the local LAN of the responder.
Configuration
The following entry in swanctl.conf enables the plugin for a connection:
connections.<conn>.pools = dhcp
The dhcp plugin is configured using the following options in the charon.plugins.dhcp section of strongswan.conf:
Key | Default | Description
---|---|---
force_server_address | no | Always use the configured server address [1]
identity_lease | no | Derive user-defined MAC address from hash of IKE identity. The client identity is sent in the DHCP client identifier option (61).
interface | | Interface name the plugin uses for address allocation. The default is to bind to any (0.0.0.0) and let the system decide which way to route the packets to the DHCP server.
interface_receive | [interface] | Interface name the plugin uses to bind its receive socket. The default is to use the same interface as the send socket. Set it to the empty string to avoid binding the receive socket to any interface while the send socket is bound to one. If the server runs on the same host and the send socket is bound to an interface, it might be necessary to set this to the loopback interface or the empty string.
server | 255.255.255.255 | DHCP server unicast or broadcast IP address.
use_server_port | no | Use the DHCP server port (67) as source port, instead of the DHCP client port (68), when a unicast server address is configured and the plugin acts as a relay agent [2]
[1] If the DHCP server runs on the same host as strongSwan, it might be necessary to enable dhcp.force_server_address and then set dhcp.server to the local broadcast address, e.g. 192.168.0.255. That's because some DHCP daemons do not listen on the loopback interface and thus can't be reached via unicast (or even broadcast 255.255.255.255) from the same host.
[2] If a unicast server address is configured and the DHCP server runs on a different host, the plugin acts as a relay agent and the server sends its replies to the DHCP server port (67) on the strongSwan host. Unless something is listening on that port, an ICMP port unreachable message will be sent back that might be problematic for some DHCP servers. To avoid that, enabling this option will cause the plugin to bind the DHCP server port to send its requests when acting as relay agent. This is not necessary if a DHCP server is already running on the same host and might even cause conflicts; and since the server port is already bound, ICMP messages should not be an issue.
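The same-host case from footnote [1] combines several of these options. The following strongswan.conf fragment is an added example for this page, not taken from the strongSwan documentation or distribution; the interface name eth0 and the 192.168.0.0/24 LAN are assumptions.

```conf
# strongswan.conf (added example, not strongSwan's own file)
charon {
    plugins {
        dhcp {
            # A DHCP daemon runs on this host and does not listen on loopback,
            # so neither unicast to it nor 255.255.255.255 reaches it from here.
            # Force the configured address and point it at the LAN broadcast.
            force_server_address = yes
            server = 192.168.0.255

            # Send requests out of the LAN interface (assumed name) ...
            interface = eth0
            # ... but leave the receive socket unbound, so the local daemon's
            # replies are still seen (footnote [1]/interface_receive above).
            interface_receive =

            # Stable lease per IKE identity; identity also goes into option 61.
            identity_lease = yes

            # Leave at default: binding port 67 here would conflict with the
            # local DHCP daemon, which already owns it (footnote [2]).
            use_server_port = no
        }
    }
}
```

If the DHCP server is on another host instead, drop force_server_address, set server to that host's unicast address, and consider use_server_port = yes so the server's replies to port 67 are not answered with ICMP port unreachable.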