[vpn-help] VPN client not supporting DHCP on host ? FIX SUCCESSFUL ! yet a minor glitch

Robert Grasso robert.grasso at modulonet.fr
Sat Aug 7 01:47:43 CDT 2010


Hi Matthew,

I just compiled ike-2.1.6-rc-2.tbz2 and started it on a DHCP client : it works ! Thank you for the fix !

May I add a tiny remark ? This damn NetworkManager they added on non-servers, generates the kind of following resolv.conf :

domain bob.etrumaison
search bob.etrumaison
nameserver 10.0.0.1
nameserver 89.2.0.1
nameserver 89.2.0.2

when I start a tunnel, your client does not remove the "search" line : here is what happens :

domain	mycompany.lan
nameserver	192.168.1.209
nameserver	192.168.1.208
# Generated by NetworkManager
search bob.etrumaison

thus, when I try to connect on some computer in the LAN using its name (not FQDN), the DNS resolution fails, and I have to remove the search line by hand - to me, this is minor, however, if you can polish it ...

Thanks anyway for the astounding work - now that I (briefly) saw the sources ...

-- 
Robert Grasso
@home
---
UNIX was not designed to stop you from doing stupid things, because 
  that would also stop you from doing clever things. -- Doug Gwyn

On Thursday 5 August 2010, Matthew Grooms wrote:
> On 7/31/2010 6:41 PM, Robert Grasso wrote:
> > Hello,
> >
> > I have been using this client for a while on my home desktop (configuration specs below), in order to connect onto a Fortigate : so far so good. Now I am trying to prepare a netbook for travelling : if its address is dynamic, the tunnel does not establish, and I get in iked.log :
> >
> > "10/08/01 01:10:53 !! : failed to bind DHCP socket"
> >
> 
> Hi Robert,
> 
> I took some time to look into this issue. To be honest, I'm surprised it 
> hasn't been reported before. The cause is simple. The system DHCP client 
> binds to 0.0.0.0/0 port 68 which is the standard bootp client UDP port. 
> Since the DHCP protocol specifies that a server should only respond to a 
> client on port 68, you can't have two DHCP clients on a single system 
> because they can't both bind to the same port. I won't bore you with 
> details, but DHCP over IPsec really can't be provided by your general 
> purpose system DHCP client. For more info, have a look at RFC 3456 which 
> is incredibly flawed IMO.
> 
> In any case, the only way I could see to get around this was to modify 
> our embedded DHCP client to act like its a DHCP relay agent. This type 
> of communication happens from port 67 -> 67 which is for BOOTP server. 
> In other words, we can bind to this port even when a system DHCP client 
> is active since it uses port 68. I tested this with my Fortigate and 
> everything worked like it should, so I rolled the changes into 2.1.6 
> release candidate 2. Have a look at the download page for more info.
> 
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
> 
> 
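As an added illustration (not code from the Shrew Soft client), here is what a correct resolv.conf rewrite for the tunnel looks like next to a check for the leftover `search` line Robert describes. The host file is reconstructed from the first listing in the post (with NetworkManager's header comment), the tunnel values come from the second listing, and writing a `search` line for the tunnel domain is my assumption of the intended behaviour.

```python
# Host resolv.conf as generated by NetworkManager (reconstructed from the post).
HOST_RESOLV_CONF = """\
# Generated by NetworkManager
domain bob.etrumaison
search bob.etrumaison
nameserver 10.0.0.1
nameserver 89.2.0.1
nameserver 89.2.0.2
"""

# Values pushed through the tunnel (from the second listing in the post).
TUNNEL_DOMAIN = "mycompany.lan"
TUNNEL_NAMESERVERS = ["192.168.1.209", "192.168.1.208"]

# Keywords the tunnel must take over. resolv.conf(5): "domain" and "search"
# are mutually exclusive and the LAST one present wins, so a stale
# "search bob.etrumaison" left after "domain mycompany.lan" silently
# overrides it and short LAN names get the wrong suffix.
OVERRIDDEN = ("domain", "search", "nameserver")


def rewrite_resolv_conf(host_text, domain, nameservers):
    """Return resolv.conf text for the active tunnel.

    Host lines whose keyword the tunnel overrides are dropped, every
    `search` line included; comments and other keywords are kept.
    """
    kept = []
    for line in host_text.splitlines():
        parts = line.split()
        keyword = parts[0] if parts else ""
        if keyword in OVERRIDDEN:
            continue
        kept.append(line)
    # Assumption: the tunnel domain also becomes the search suffix.
    tunnel = [f"domain {domain}", f"search {domain}"]
    tunnel += [f"nameserver {ns}" for ns in nameservers]
    return "\n".join(tunnel + kept) + "\n"


def stale_search_domains(text, domain):
    """List `search` suffixes in text that differ from the tunnel domain.

    A non-empty result reproduces the glitch: short names are qualified
    with the home suffix instead of the tunnel's.
    """
    stale = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "search":
            stale += [d for d in parts[1:] if d != domain]
    return stale
```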