Netgate Discussion Forum
    IPSEC DHCP plugin

    serverdoctor
      last edited by serverdoctor

      Hi,

      This seems to be an old topic (several threads from 2009, 2017 etc.), but maybe there is some news on that?

      Background: Windows clients expect some of the configuration via DHCP when connecting to the VPN with the native client over IKEv2. Unfortunately pfSense does not support this feature.

      If my research is correct, this is due to the lack of the dhcp plugin in strongSwan on FreeBSD. Furthermore I've read that this plugin has now been successfully ported to FreeBSD's strongSwan and is available in version 5.9.14.

      Pull to the port

      This leads me to the question: is there a plan to add the IPsec dhcp plugin to pfSense?

      Thank you very much for an answer!

      keyser Rebel Alliance @serverdoctor

        @serverdoctor ?? What kind of config of the VPN client are you missing?
        They get IP address, DNS servers and such just fine across my different client types.

        But perhaps you need specific DHCP vendor options?

        Love the no fuss of using the official appliances :-)

        serverdoctor @keyser
          last edited by serverdoctor

          @keyser Thank you for your reply! Yes, I need those options for split routing.

          The Windows VPN client is only capable of class-based routing and ignores pushed routes. So by default it just adds a class-based route to the remote net and ignores everything else except the IP address.

          Here is an excerpt from the Strongswan documentation:

          Split Routing since Windows 10
          Microsoft changed the Windows 10 VPN routing behavior for new VPN connections. Option "Use default gateway on remote network option" in the Advanced TCP/IP settings of the VPN connection is
          now disabled by default but can be enabled if desired. Fortunately, Windows sends a DHCP request upon connection and adds routes supplied in option 249 of the DHCP reply.

          Sample configuration file for dnsmasq:

          dhcp-vendorclass=set:msipsec,MSFT 5.0
          dhcp-range=tag:msipsec,192.168.103.0,static
          dhcp-option=tag:msipsec,6
          dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0

          where 192.168.103.0 is your (internal) network. It pushes two separate routes which cover the entire IPv4 range. Gateway could be anything (set to 0.0.0.0 in an example) as it is ignored by Windows. Note that you can't ignore DHCP routes in Windows.

          Strongswan Documentation for Windows clients

          In my opinion this can only be achieved with the dhcp plugin. So to support Windows clients without configuring something manually, you need DHCP.

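To make the option 249 line in the quoted dnsmasq sample concrete, here is an added example (not code from the thread, strongSwan, dnsmasq or pfSense) that takes the two routes from that line, encodes them into the classless static route wire format and decodes them back with bounds checks. It assumes Microsoft option 249 uses the same compact layout as RFC 3442 option 121 (prefix length, only the significant destination octets, then the 4-byte gateway); the two /1 routes together cover all of IPv4, which is why the client sends everything through the tunnel.

```python
import ipaddress

MS_CLASSLESS_ROUTE_OPTION = 249  # Microsoft option; 121 is the RFC 3442 code


def parse_dnsmasq_option_line(line):
    """Turn 'dhcp-option=tag:x,249, dst/len,gw, dst/len,gw' into (dst, gw) pairs."""
    fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
    values = [f for f in fields if not f.startswith(("tag:", "set:"))]
    if values[0] != str(MS_CLASSLESS_ROUTE_OPTION):
        raise ValueError("not an option 249 line")
    return list(zip(values[1::2], values[2::2]))


def encode_classless_routes(routes):
    """RFC 3442-style payload: prefix length, ceil(len/8) destination octets, gateway."""
    payload = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=False)
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(gw).packed
    return bytes(payload)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; rejects bad prefix lengths and truncation."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length > 32")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        gw = payload[i + significant:i + significant + 4]
        i += significant + 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(gw))))
    return routes


def build_dhcp_option(code, payload):
    """Wrap a payload as a single DHCP option TLV (code, length, value)."""
    if len(payload) > 255:
        raise ValueError("option payload exceeds 255 bytes")
    return bytes([code, len(payload)]) + payload
```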
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.