[vpn-help] VPN client not supporting DHCP on host ? + : second network unreachable

Robert Grasso robert.grasso at modulonet.fr
Thu Aug 5 14:04:00 CDT 2010


Hi Matthew,

I am glad I have been of help - I was surprised as well that this issue was never submitted. Thanks for the fix. May I add a question ?

I had to find out a workaround - you must know that I am not an IPSEC master ;-) So I tried to change my tunnel configuration, so that I would be able to use the tunnels I use successfully from the Windows Forticlient for my users (with fixed virtual IPs and no Xauth) - it has been rather painful to me, but I eventually succeeded (I created years ago my first Fortigate tunnel following a simple Fortinet example, and always mimicked it in order to build the next ones ;-)

I am pasting my IKE configuration at the end of this post (I just replaced some private information with 'xxxx'). With this configuration, from my home Ubuntu 10.04 x86_64 desktop, I can reach our LAN (192.168.0.0) and our DMZ with a single tunnel. BUT: from two test virtual machines, or my netbook (always with Ubuntu 10.04), I am only able to reach our LAN (I had the same issue with your 'stock' configuration for a Fortinet, with the DHCP over IPSEC enabled, but let's drop this one); the DMZ is unreachable, as if blocked by a firewall.

I ran my tests without any firewall on my test OSes, the iptables chains were empty.

I just can't imagine what further tests to run, or what information you would require to help me?

Well, it's not a serious issue, it's annoying and puzzling. I will be glad to send you additional information and perform tests, if you just tell me what I should do!
-- 
Robert Grasso
@home
---
UNIX was not designed to stop you from doing stupid things, because 
  that would also stop you from doing clever things. -- Doug Gwyn

On Thursday 5 August 2010, Matthew Grooms wrote:
> On 7/31/2010 6:41 PM, Robert Grasso wrote:
> > Hello,
> >
> > I have been using this client for a while on my home desktop (configuration specs below), in order to connect to a Fortigate: so far so good. Now I am trying to prepare a netbook for travelling: if its address is dynamic, the tunnel does not establish, and I get in iked.log:
> >
> > "10/08/01 01:10:53 !! : failed to bind DHCP socket"
> >
> 
> Hi Robert,
> 
> I took some time to look into this issue. To be honest, I'm surprised it 
> hasn't been reported before. The cause is simple. The system DHCP client 
> binds to 0.0.0.0/0 port 68 which is the standard bootp client UDP port. 
> Since the DHCP protocol specifies that a server should only respond to a 
> client on port 68, you can't have two DHCP clients on a single system 
> because they can't both bind to the same port. I won't bore you with 
> details, but DHCP over IPsec really can't be provided by your general 
> purpose system DHCP client. For more info, have a look at RFC 3456 which 
> is incredibly flawed IMO.
> 
> In any case, the only way I could see to get around this was to modify 
> our embedded DHCP client to act like it's a DHCP relay agent. This type 
> of communication happens from port 67 -> 67 which is for BOOTP server. 
> In other words, we can bind to this port even when a system DHCP client 
> is active since it uses port 68. I tested this with my Fortigate and 
> everything worked like it should, so I rolled the changes into 2.1.6 
> release candidate 2. Have a look at the download page for more info.
> 
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
> 
> 

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:5
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-dns-used:1
n:client-dns-auto:0
b:auth-mutual-psk:xxxx
n:phase1-dhgroup:5
n:phase1-keylen:0
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:1
n:phase2-keylen:0
n:phase2-pfsgroup:5
n:phase2-life-secs:1800
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:xxxx
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:172.18.4.1
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:192.168.1.209
s:client-dns-suffix:xxxx.xxx
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-client-data:xxxx
s:ident-server-type:address
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
s:policy-list-include:172.17.0.0 / 255.255.0.0,192.168.0.0 / 255.255.0.0
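An added troubleshooting helper (not code from the thread or from the Shrew Soft project) that parses the site configuration above, in its "type:key:value" record format, and reports whether a given destination falls inside one of the networks in policy-list-include. The assumption is that, with policy-list-auto set to 0, only the listed networks are sent through the tunnel, so a destination outside them leaves the host in the clear; the sample destinations are constructed.

```python
import ipaddress

# Constructed sample: the routing-relevant lines of the posted configuration.
# Record types: 'n' numeric, 's' string, 'b' binary (assumed from the key prefixes).
SAMPLE_CONFIG = """\
n:version:2
n:client-addr-auto:0
s:client-iface:virtual
s:client-ip-addr:172.18.4.1
s:client-ip-mask:255.255.255.0
n:policy-list-auto:0
s:policy-list-include:172.17.0.0 / 255.255.0.0,192.168.0.0 / 255.255.0.0
"""


def parse_site_config(text):
    """Parse 'type:key:value' records into a dict; 'n' fields become ints."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, key, value = line.split(":", 2)  # value keeps any further ':'
        cfg[key] = int(value) if kind == "n" else value
    return cfg


def policy_networks(cfg):
    """Networks listed in policy-list-include, as ip_network objects."""
    nets = []
    for entry in cfg.get("policy-list-include", "").split(","):
        if not entry.strip():
            continue
        addr, mask = (part.strip() for part in entry.split("/"))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def covering_policy(cfg, destination):
    """Return the policy network covering `destination`, or None if traffic
    to it would bypass the tunnel (the first thing to check when one remote
    network is reachable and another is not)."""
    dst = ipaddress.ip_address(destination)
    return next((net for net in policy_networks(cfg) if dst in net), None)


def virtual_address_conflicts(cfg):
    """Policy networks overlapping the client's virtual subnet, which would
    shadow remote hosts behind the local virtual interface."""
    local = ipaddress.ip_network(
        f"{cfg['client-ip-addr']}/{cfg['client-ip-mask']}", strict=False)
    return [net for net in policy_networks(cfg) if net.overlaps(local)]
```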