[vpn-help] VPN client not supporting DHCP on host ? FIX SUCCESSFUL ! yet a minor glitch
Robert Grasso
robert.grasso at modulonet.fr
Sat Aug 7 01:47:43 CDT 2010
Hi Matthew,
I just compiled ike-2.1.6-rc-2.tbz2 and started it on a DHCP client : it works ! Thank you for the fix !
May I add a tiny remark ? This damn NetworkManager they added on non-servers, generates the kind of following resolv.conf :
domain bob.etrumaison
search bob.etrumaison
nameserver 10.0.0.1
nameserver 89.2.0.1
nameserver 89.2.0.2
when I start a tunnel, your client does not remove the "search" line : here is what happens :
domain mycompany.lan
nameserver 192.168.1.209
nameserver 192.168.1.208
# Generated by NetworkManager
search bob.etrumaison
thus, when I try to connect on some computer in the LAN using its name (not FQDN), the DNS resolution fails, and I have to remove the search line by hand - to my, this is minor, however, if you can polish it ...
Thanks anyway for the astounding work - now that I (briefly) saw the sources ...
--
Robert Grasso
@home
---
UNIX was not designed to stop you from doing stupid things, because
that would also stop you from doing clever things. -- Doug Gwyn
On Thursday 5 August 2010, Matthew Grooms wrote:
> On 7/31/2010 6:41 PM, Robert Grasso wrote:
> > Hello,
> >
> > I have been using this client for a while on my home desktop (configuration specs below), in order to connect onto a Fortigate : so far so good. Now I am trying to prepare a netbook for travelling : if its adress is dynamic, the tunnel does not establish, and I get in iked.log :
> >
> > "10/08/01 01:10:53 !! : failed to bind DHCP socket"
> >
>
> Hi Robert,
>
> I took some time to look into this issue. To be honest, I'm surprised it
> hasn't been reported before. The cause is simple. The system DHCP client
> binds to 0.0.0.0/0 port 68 which is the standard bootp client UDP port.
> Since the DHCP protocol specifies that a server should only respond to a
> client on port 68, you can't have two DHCP clients on a single system
> because they can't both bind to the same port. I won't bore you with
> details, but DHCP over IPsec really can't be provided by your general
> purpose system DHCP client. For more info, have a look at RFC 3456 which
> is incredibly flawed IMO.
>
> In any case, the only way I could see to get around this was to modify
> our embedded DHCP client to act like its a DHCP relay agent. This type
> of communication happens from port 67 -> 67 which is for BOOTP server.
> In other words, we can bind to this port even when a system DHCP client
> is active since it uses port 68. I tested this with my Fortigate and
> everything worked like it should, so I rolled the changes into 2.1.6
> release candidate 2. Have a look at the download page for more info.
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
>
More information about the vpn-help
mailing list