
strongswan: dhcp plugin not issuing addresses to clients after upgrading to 24.10-rc4 #25801

Open
lowjoel opened this issue Jan 22, 2025 · 2 comments

Comments

@lowjoel
Contributor

lowjoel commented Jan 22, 2025

After upgrading to OpenWrt 24.10-rc4, using the exact same swanctl configuration as 23.05 my clients are no longer getting a DHCP address. This is tested on both Android/Strongswan app as well as Windows IPsec VPN. IPv6 static addresses are still being assigned.

I can tell that the updown scripts in /etc/hotplug.d/ipsec are only being called with IPv6 events, i.e. PLUTO_VERB='up-client-v6' and PLUTO_VERB='down-client-v6'. I'm not sure if there's some configuration I'd need to change or if there's something more nefarious going on here.

I'm attaching my config here for now while I dig into this; I've still not isolated which part of the config or where I should be looking deeper into at the moment.

/etc/swanctl/conf.d/users.conf

connections {
  users {
    pools = dhcp, lan
    version = 2
    mobike = yes
    rekey_time = 4h
    over_time = 24m
    dpd_delay = 30s
    keyingtries = 3
    proposals = aes256gcm128-prfsha384-ecp384,aes256gcm128-prfsha384-modp2048

    local {
      auth = pubkey
      certs = server.pem
      id = server.fqdn
    }
    remote {
      auth = eap-radius
      eap_id = %any
    }
    children {
      user {
        local_ts = 0.0.0.0/0, ::/0
        esp_proposals = aes256gcm128-curve448,aes256gcm128-modp4096,aes256gcm128-ecp384,aes256gcm128-modp2048
        mode = tunnel
        if_id_in = 32769
        if_id_out = 32769
        rekey_time = 0
        dpd_action = clear

        updown = /usr/lib/ipsec/_updown
      }
    }
  }
}

pools {
  lan {
    addrs = <ipv6-addr>/80
  }
}

/etc/strongswan.d/charon/dhcp.conf

dhcp {

    # Always use the configured server address.
    force_server_address = yes

    # Derive user-defined MAC address from hash of IKE identity and send client
    # identity DHCP option.
    # identity_lease = no

    # Interface name the plugin uses for address allocation.
    # interface =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # DHCP server unicast or broadcast IP address.
    server = <br-lan.lan subnet broadcast>

    # Use the DHCP server port (67) as source port when a unicast server address
    # is configured.
    # use_server_port = no

}

Edit 1: added the connection and dhcp plugin config.
Edit 2: clarified that this affects both Android and Windows.

lowjoel changed the title from "strongswan: dhcp plugin not issuing addresses to clients" to "strongswan: dhcp plugin not issuing addresses to clients after upgrading to 24.10-rc4" on Jan 22, 2025
@tobiasbrunner

No idea what the DHCP issue is about (you probably have to provide more details, config, logs, packet captures). But that the updown script is only called for IPv6 makes sense if no IPv4 address is assigned to the client.
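The report notes that the hooks in /etc/hotplug.d/ipsec only ever see the "-v6" verbs, and the reply above points out that this is expected when no IPv4 address was handed out. The following hook is an added diagnostic (not from the issue, OpenWrt or strongSwan) that records, per updown event, which address family the verb belongs to and whether a peer virtual IPv4 was present, so the DHCP question can be separated from the updown question. It assumes the PLUTO_VERB, PLUTO_PEER_ID, PLUTO_PEER_CLIENT and PLUTO_PEER_SOURCEIP variables exported by strongSwan's _updown, and an install path such as /etc/hotplug.d/ipsec/99-log-assign.

```shell
#!/bin/sh
# Added diagnostic hook for /etc/hotplug.d/ipsec (assumed path). It is not part
# of the issue, OpenWrt or strongSwan. The PLUTO_* variable names are the ones
# strongSwan's _updown exports (assumed here; check your _updown if unsure).

# Map an updown verb to the address family it concerns.
verb_family() {
    case "$1" in
        *-v6) echo v6 ;;
        up-client|down-client|up-host|down-host) echo v4 ;;
        *) echo unknown ;;
    esac
}

# Return 0 when $1 looks like a dotted-quad IPv4 (optionally with /prefix),
# 1 for empty strings and anything containing a colon (IPv6).
has_ipv4() {
    case "$1" in
        ''|*:*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build one log line: $1 verb, $2 peer identity, $3 peer traffic selector,
# $4 peer virtual IP (empty when none was assigned).
event_summary() {
    fam=$(verb_family "$1")
    if has_ipv4 "$4"; then v4=yes; else v4=no; fi
    echo "ipsec-updown verb=$1 family=$fam peer=$2 client=$3 peer_vip=${4:-none} ipv4_assigned=$v4"
}

# Only act when invoked by _updown (PLUTO_VERB set); a no-op otherwise.
if [ -n "${PLUTO_VERB:-}" ]; then
    msg=$(event_summary "$PLUTO_VERB" "${PLUTO_PEER_ID:-?}" \
                        "${PLUTO_PEER_CLIENT:-?}" "${PLUTO_PEER_SOURCEIP:-}")
    if command -v logger >/dev/null 2>&1; then
        logger -t ipsec-diag "$msg"   # lands in logread on OpenWrt
    else
        echo "$msg" >&2
    fi
fi
```

If only family=v6 lines with ipv4_assigned=no ever appear, the updown side is behaving as described in the reply and the investigation belongs with the dhcp plugin (its log messages and a capture on the interface facing the DHCP server).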

@lowjoel
Contributor Author

lowjoel commented Jan 23, 2025

Yeah, I'm trying to understand what's going wrong; I have some digging to do myself. At this point I can't figure out if I'm the only one impacted (=I did something stupid) or if others are seeing it. I'm currently working to distill my setup to a minimal reproducible case (I couldn't yet yesterday).

Just added the config that I'm looking at right now.
