<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi all,</div><div class=""><br class=""></div><div class="">I'm having a hard time configuring split DNS for iOS. The configuration works for all clients: the Mac OS X built-in client using IKEv1 works, and Android works too. </div><div class=""><br class=""></div><div class="">On iOS 9.02, it seems like the iOS VPN client doesn't set the DNS, because I can see from the log that strongSwan is pushing DNS.</div><div class=""><br class=""></div><div class="">Split tunneling does work. I can reach private IPs totally fine. But it's just that the iPhone client doesn't set the VPN correctly. </div><div class=""><br class=""></div><div class="">I have this configuration in ipsec.conf:</div><div class=""><br class=""></div><div class=""><div class="">config setup</div><div class=""> # strictcrlpolicy=yes</div><div class=""> # uniqueids = no</div><div class=""> cachecrls=yes</div><div class=""> uniqueids=yes</div><div class=""><br class=""></div><div class=""> plutostart=yes</div><div class=""> nat_traversal=yes</div><div class=""><br class=""></div><div class=""> # Debug, remove later</div><div class=""> charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4,chd 4"</div><div class=""><br class=""></div><div class="">conn ikev1</div><div class=""> dpdaction=clear</div><div class=""> dpddelay=15s</div><div class=""> dpdtimeout=45s</div><div class=""> keyexchange=ikev1</div><div class=""> #This is for authentication in ipsec.secrets</div><div class=""> #authby=xauthpsk</div><div class=""> #xauth=server</div><div class=""> left=%defaultroute</div><div class=""> #We want split tunneling</div><div class=""> #leftsubnet=0.0.0.0/0</div><div class=""> leftsubnet=192.168.44.1/24</div><div class=""> leftfirewall=yes</div><div class=""> right=%any</div><div class=""> #rightsubnet=192.168.44.0/24</div><div 
class=""> rightsourceip=192.168.40.0/24</div><div class=""> #We push DNS for split DNS via charon attr plugin</div><div class=""> rightdns=x.x.x.x</div><div class=""> auto=add</div><div class=""> forceencaps=yes</div><div class=""> # We are using xauth-pam for two factor authentication</div><div class=""> leftauth=psk</div><div class=""> rightauth=psk</div><div class=""> rightauth2=xauth-pam</div><div class=""> #Make a connection valid for maximum 4 hours</div><div class=""> lifetime=4h</div><div class=""><br class=""></div><div class="">conn iosikev2</div><div class=""> dpdaction=clear</div><div class=""> dpddelay=15s</div><div class=""> dpdtimeout=45s</div><div class=""> keyexchange=ikev2</div><div class=""> #This is for authentication in ipsec.secrets</div><div class=""> #authby=xauthpsk</div><div class=""> #xauth=server</div><div class=""> left=%defaultroute</div><div class=""> #We want split tunneling</div><div class=""> #leftsubnet=0.0.0.0/0</div><div class=""> leftsubnet=192.168.44.1/24</div><div class=""> leftfirewall=yes</div><div class=""> leftid=x.x.x.x</div><div class=""> esp=aes128-sha1,3des-sha1,3des-sha2_256</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""> right=%any</div><div class=""> #rightsubnet=192.168.44.0/24</div><div class=""> rightsourceip=192.168.40.0/24</div><div class=""> #We push DNS for split DNS via charon attr plugin</div><div class=""> rightdns=192.168.44.1 </div><div class=""> auto=add</div><div class=""> forceencaps=yes</div><div class=""> # We are using xauth-pam for two factor authentication</div><div class=""> leftauth=psk</div><div class=""> # rightauth = secret works</div><div class=""> rightauth=secret</div><div class=""> #rightauth=xauth</div><div class=""><br class=""></div><div class=""> #rightauth=eap-gtc</div><div class=""> #rightauth2=xauth-pam</div><div class=""> #Make a connection valid for maximum 4 hours</div><div class=""> lifetime=4h</div><div class=""> rekey=no</div><div class=""> 
ikelifetime=10800s</div><div class=""> rekeyfuzz=100%</div><div class=""> pfs=no</div></div><div class=""><br class=""></div>And the charon attr plugin config:<div class=""><br class=""></div><div class=""><div class="">attr {</div><div class=""><br class=""></div><div class=""> # <attr> is an attribute name or an integer, values can be an IP address,</div><div class=""> # subnet or arbitrary value.</div><div class=""> # <attr> =</div><div class=""><br class=""></div><div class=""> # Whether to load the plugin. Can also be an integer to increase the</div><div class=""> # priority of this plugin.</div><div class=""> load = yes</div><div class=""> split-include=192.168.44.0/24</div><div class=""> split-exclude=0.0.0.0/0</div><div class=""><br class=""></div><div class=""> 28672 = "Connected to VPN"</div><div class=""> 28675 = domain_prefix </div><div class=""><br class=""></div><div class=""> dns = x.x.x.x,x.x.x.x</div><div class="">}</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">IKEv1 works great on Mac OS X and Android. On iOS 9, with IKEv1, `28672 = "Connected to VPN"` worked too, because after connecting successfully I saw the message. However, the DNS of `28675` isn't working. </div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">I tried to tweak lots of settings from these pages. 
I tried using both IKEv1 and IKEv2.</div><div class=""><a href="https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers" class="">https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers</a></div><div class=""><a href="https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers" class="">https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers</a></div><div class=""><a href="https://wiki.strongswan.org/issues/317" class="">https://wiki.strongswan.org/issues/317</a></div><div class=""><a href="https://wiki.strongswan.org/issues/261" class="">https://wiki.strongswan.org/issues/261</a></div><div class=""><br class=""></div><div class="">But so far no luck...</div><div class=""><br class=""></div><div class="">The fact that it works on Mac OS X and Android (split tunneling + split DNS) makes me think that the issue is on the iOS client.</div><div class=""><br class=""></div><div class="">When connecting, I saw this log:</div><div class=""><br class=""></div><div class="">```</div><div class=""><div class="">04[IKE] peer requested virtual IP %any</div><div class="">04[CFG] assigning new lease to 'vinh'</div><div class="">04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'</div><div class="">04[IKE] peer requested virtual IP %any6</div><div class="">04[IKE] no virtual IP found for %any6 requested by 'vinh'</div><div class="">04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32</div><div class="">04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]</div><div class="">04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)</div></div><div class="">```</div><div class=""><br class=""></div><div class="">That makes me think strongSwan does push the instruction to set DNS.</div><div 
class=""><br class=""></div><div class="">Has anyone ever got split DNS to work on iOS? If so, could you let me reference your configuration?</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div></div></body></html>
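As an added diagnostic (not part of the original mail), a small Python parser over the charon log lines quoted above: it extracts the virtual IP lease, the traffic selectors and the configuration-payload (CPRP) attribute list from the IKE_AUTH response, so an admin can check from the gateway log alone whether the DNS and UNITY split-DNS attributes were actually sent. The sample log is the mail's own excerpt embedded as a constructed string; the attribute names are as charon prints them. It only confirms what the gateway sends, not what the client applies.

```python
import re

# Constructed sample: the charon log excerpt quoted in the mail (addresses redacted as in the post).
SAMPLE_LOG = """\
04[IKE] peer requested virtual IP %any
04[CFG] assigning new lease to 'vinh'
04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
04[IKE] peer requested virtual IP %any6
04[IKE] no virtual IP found for %any6 requested by 'vinh'
04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32
04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
"""

# Patterns follow charon's log wording for these three events.
CPRP_RE = re.compile(r"generating IKE_AUTH response \d+ \[.*?CPRP\(([^)]*)\)")
VIP_RE = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
TS_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established .* and TS (\S+) === (\S+)")


def parse_ike_auth(log_text):
    """Collect what the gateway handed to the client: lease, selectors, CP attributes."""
    result = {"peer": None, "virtual_ip": None, "conn": None,
              "local_ts": None, "remote_ts": None, "cp_attrs": []}
    for line in log_text.splitlines():
        m = VIP_RE.search(line)
        if m:
            result["virtual_ip"], result["peer"] = m.group(1), m.group(2)
        m = TS_RE.search(line)
        if m:
            result["conn"], result["local_ts"], result["remote_ts"] = m.groups()
        m = CPRP_RE.search(line)
        if m:
            result["cp_attrs"] = m.group(1).split()  # e.g. ['ADDR', 'U_SPLITINC', ..., 'DNS']
    return result


def split_dns_status(parsed):
    """Summarise whether the CP reply carried the attributes split DNS needs."""
    attrs = parsed["cp_attrs"]
    return {
        "dns_servers_pushed": attrs.count("DNS"),          # one DNS attribute per server
        "split_dns_pushed": "U_SPLITDNS" in attrs,          # UNITY split DNS domain (28675)
        "split_include_pushed": "U_SPLITINC" in attrs,      # UNITY split include (split tunnel)
        "virtual_ip_assigned": parsed["virtual_ip"] is not None,
    }


if __name__ == "__main__":
    parsed = parse_ike_auth(SAMPLE_LOG)
    print(parsed)
    print(split_dns_status(parsed))
```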