<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Thank you Roger. Let me try. Split DNS working will be great. <div class=""><br class=""></div><div class="">Also, are you affected by the one-hour disconnect issue with IPsec IKEv1 on Mac OS X? </div><div class=""><br class=""></div><div class="">Basically, after around 45-60 minutes the Mac OS X client re-authenticates, and even if I enter the correct password, the connection is still interrupted after that?</div><div class=""><br class=""></div><div class="">I found a tutorial (<a href="http://apple.stackexchange.com/questions/14780/vpn-connection-in-osx-fails-after-a-certain-amount-of-reconnects" class="">http://apple.stackexchange.com/questions/14780/vpn-connection-in-osx-fails-after-a-certain-amount-of-reconnects</a>) on manually editing the config file to change the one-hour lifetime in the racoon configuration.</div><div class=""><br class=""></div><div class="">I'm experiencing it and don't have a solution. Were you able to solve that problem?</div><div class=""><br class=""><div class=""><div apple-content-edited="true" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><span style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8000001907349px; widows: 1; background-color: rgb(255, 255, 255);" class="">Thanks.</span></div><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8000001907349px; widows: 1; background-color: rgb(255, 255, 255);" class=""><span style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8000001907349px; widows: 1; background-color: rgb(255, 255, 255);" class="">Vinh</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8000001907349px; widows: 1; background-color: rgb(255, 255, 255);" class=""><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8000001907349px; widows: 1; background-color: rgb(255, 255, 255);" class=""><a href="mailto:vinh@noty.im" class="">vinh@noty.im</a></div>
</div>
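<div class=""><br class=""></div><div class="">Added example (not code from any message in this thread): a small Python parser for the scutil --dns output that Roger quotes below, reporting which interface's nameservers appear only as scoped resolvers and so are never consulted for ordinary lookups. The sample output is constructed, with 192.168.44.1 standing in for the masked tunnel addresses.</div><div class=""><br class=""></div><pre class="">
```python
import re

# Constructed sample of `scutil --dns` output modelled on the thread: the tunnel
# resolver (192.168.44.1 stands in for the masked x.x.x.x) is bound to ipsec0 and
# appears only under "for scoped queries", never in the unscoped list.
SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
  flags    : Request A records
Reachable

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
  flags    : Scoped, Request A records
Reachable

resolver #2
  nameserver[0] : 192.168.44.1
  if_index : 10 (ipsec0)
  flags    : Scoped, Request A records
Reachable, Transient Connection, Connection Required, Automatic Connection On Demand
"""

def parse_scutil_dns(text):
    """Return resolver records: {"scoped", "nameservers", "if_name"}."""
    resolvers, scoped, cur = [], False, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            scoped = "scoped" in line          # header switches unscoped/scoped mode
            cur = None
        elif line.startswith("resolver #"):
            cur = {"scoped": scoped, "nameservers": [], "if_name": None}
            resolvers.append(cur)
        elif cur is not None and ":" in line:   # "Reachable" lines carry no colon
            key, _, val = (s.strip() for s in line.partition(":"))
            if key.startswith("nameserver["):
                cur["nameservers"].append(val)
            elif key == "if_index":             # e.g. "10 (ipsec0)"
                m = re.search(r"\((\w+)\)", val)
                cur["if_name"] = m.group(1) if m else None
    return resolvers

def unscoped_nameservers(resolvers):
    """Nameservers that ordinary, unscoped lookups can actually use."""
    return sorted({ns for r in resolvers if not r["scoped"] for ns in r["nameservers"]})

def scoped_only_interfaces(resolvers):
    """Interfaces whose nameservers exist only as scoped resolvers: installed by
    the VPN but never consulted for normal lookups, the symptom in the thread."""
    usable = set(unscoped_nameservers(resolvers))
    return sorted({r["if_name"] for r in resolvers
                   if r["scoped"] and r["if_name"] and r["nameservers"]
                   and set(r["nameservers"]).isdisjoint(usable)})
```
</pre>
<div class="">Run parse_scutil_dns on the real output of scutil --dns while connected; an empty result from scoped_only_interfaces means the tunnel's DNS servers are reachable for normal lookups.</div>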
<br class=""><div><blockquote type="cite" class=""><div class="">On Oct 15, 2015, at 11:11 AM, Roger Skjetlein <<a href="mailto:rskjetlein@netrunner.nu" class="">rskjetlein@netrunner.nu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">The fix is to use a configuration profile containing the ikev2 settings and some extra for the dns. I can confirm that this works and allows for split dns.<div class=""><br class=""></div><div class="">Example for <a href="http://test2.com/" class="">test2.com</a> and <a href="http://test3.com/" class="">test3.com</a></div><div class=""><br class=""></div><div class=""><div class="">                        <key>DNS</key></div><div class="">                        <dict></div><div class="">                                <key>ServerAddresses</key></div><div class="">                                <array></div><div class="">                                        <string>1.1.1.1</string></div><div class="">                                        <string>2.2.2.2</string></div><div class="">                                </array></div><div class="">                                <key>SearchDomains</key></div><div class="">                                <array></div><div class="">                                        <string><a href="http://test2.com/" class="">test2.com</a></string></div><div class="">                                        <string><a href="http://test3.com/" class="">test3.com</a></string></div><div class="">                                </array></div><div class="">                                <key>SupplementalMatchDomains</key></div><div class="">                                <array></div><div class="">                                        <string><a href="http://test2.com/" class="">test2.com</a></string></div><div class="">                                        <string><a href="http://test3.com/" class="">test3.com</a></string></div><div class="">             
                   </array></div></div><div class="">                        </dict><br class=""></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, Oct 15, 2015 at 8:06 PM, Roger Skjetlein <span dir="ltr" class=""><<a href="mailto:rskjetlein@netrunner.nu" target="_blank" class="">rskjetlein@netrunner.nu</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="">I see that the dns payload is received by the client (os x 10.11) and installed, but not in way that allows the client to actually use the dns servers.<div class=""><br class=""></div><div class="">Only the dns received via dhcp through wifi are used.<br class=""><div class=""><br class=""></div><div class=""><div class="">rogers-mbp:~ roger$ scutil --dns</div><div class="">DNS configuration</div><div class=""><br class=""></div><div class="">resolver #1</div><div class="">  search domain[0] : s******n</div><div class="">  nameserver[0] : 10.0.10.100</div><div class="">  if_index : 4 (en0)</div><div class="">  flags    : Request A records</div><div class="">Reachable</div><div class=""><br class=""></div><div class="">resolver #2</div><div class="">  domain   : local</div><div class="">  options  : mdns</div><div class="">  timeout  : 5</div><div class="">  flags    : Request A records</div><div class="">Not Reachable</div><div class="">  order    : 300000</div></div><div class="">.</div><div class="">.</div><div class="">.</div><div class=""><div class="">DNS configuration (for scoped queries)</div><div class=""><br class=""></div><div class="">resolver #1</div><div class="">  search domain[0] : s****n</div><div class="">  nameserver[0] : 10.0.10.100</div><div class="">  if_index : 4 (en0)</div><div class="">  flags    : Scoped, Request A records</div><div class="">Reachable</div><div class=""><br class=""></div><div class="">resolver #2</div><div class="">  nameserver[0] : 
x.x.x.x</div><div class="">  nameserver[1] : x.x.x.x</div><div class="">  if_index : 10 (ipsec0)</div><div class="">  flags    : Scoped, Request A records</div><div class="">Reachable, Transient Connection, Connection Required, Automatic Connection On Demand</div></div><div class=""><br class=""></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, Oct 15, 2015 at 6:45 PM, Марк Коренберг <span dir="ltr" class="">&lt;<a href="mailto:socketpair@gmail.com" target="_blank" class="">socketpair@gmail.com</a>&gt;</span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="">I experience the same problem. Moreover, even just rightdns=... does not work. Not even talking about splitdns...<div class=""><br class=""></div><div class="">Also, it seems that splitdns (as a Cisco Unity extension) works only with IKEv1. I have no proof for that.</div></div><div class="gmail_extra"><div class=""><div class=""><br class=""><div class="gmail_quote">2015-10-15 17:42 GMT+05:00 Roger Skjetlein <span dir="ltr" class="">&lt;<a href="mailto:rskjetlein@netrunner.nu" target="_blank" class="">rskjetlein@netrunner.nu</a>&gt;</span>:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="">I'm connecting with both iOS 9 and OS X 10.11 and experience the same problem.<div class=""><br class=""></div><div class="">The DNS settings are pushed to the client and can be viewed by running 'scutil --dns'. 
However, the clients never use the DNS server assigned, and I even have the same problem when manually configuring DNS servers in the IKEv2 VPN settings on the client.</div><div class=""><br class=""></div><div class=""><br class=""></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Fri, Oct 2, 2015 at 12:22 AM, Vinh Nguyen <span dir="ltr" class="">&lt;<a href="mailto:vinh@noty.im" target="_blank" class="">vinh@noty.im</a>&gt;</span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div class="">Hi all,</div><div class=""><br class=""></div><div class="">I'm having a hard time configuring split DNS for iOS. The configuration works for all clients: the Mac OS X built-in client using IKEv1 works, and Android works too. </div><div class=""><br class=""></div><div class="">On iOS 9.02, it seems like the iOS VPN client doesn't set the DNS, because I can see in the log that strongSwan is pushing DNS.</div><div class=""><br class=""></div><div class="">Split tunneling does work. I can use private IPs totally fine. But it's just that the iPhone client doesn't set the VPN correctly. 
</div><div class=""><br class=""></div><div class="">I have this configuration in ipsec.conf</div><div class=""><br class=""></div><div class=""><div class="">config setup</div><div class="">  # strictcrlpolicy=yes</div><div class="">  # uniqueids = no</div><div class="">    cachecrls=yes</div><div class="">    uniqueids=yes</div><div class=""><br class=""></div><div class="">    plutostart=yes</div><div class="">    nat_traversal=yes</div><div class=""><br class=""></div><div class="">    # Debug remove later</div><div class="">    charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4,chd 4"</div><div class=""><br class=""></div><div class="">conn ikev1</div><div class="">    dpdaction=clear</div><div class="">    dpddelay=15s</div><div class="">    dpdtimeout=45s</div><div class="">    keyexchange=ikev1</div><div class="">    #This is for authenticaton in ipsec.secret</div><div class="">    #authby=xauthpsk</div><div class="">    #xauth=server</div><div class="">    left=%defaultroute</div><div class="">    #We want split tunneling</div><div class="">    #leftsubnet=<a href="http://0.0.0.0/0" target="_blank" class="">0.0.0.0/0</a></div><div class="">    leftsubnet=<a href="http://192.168.44.1/24" target="_blank" class="">192.168.44.1/24</a></div><div class="">    leftfirewall=yes</div><div class="">    right=%any</div><div class="">    #rightsubnet=<a href="http://192.168.44.0/24" target="_blank" class="">192.168.44.0/24</a></div><div class="">    rightsourceip=<a href="http://192.168.40.0/24" target="_blank" class="">192.168.40.0/24</a></div><div class="">    #We push DNS for split DNS via charon attr plugin</div><div class="">    rightdns=x.x.x.x</div><div class="">    auto=add</div><div class="">    forceencaps=yes</div><div class="">    # We are using xatuh-pam for two factor authentication</div><div class="">    leftauth=psk</div><div class="">    rightauth=psk</div><div class="">    rightauth2=xauth-pam</div><div class="">    #Make a connection valid for maximun 
4hour</div><div class="">    lifetime=4h</div><div class=""><br class=""></div><div class="">conn iosikev2</div><div class="">    dpdaction=clear</div><div class="">    dpddelay=15s</div><div class="">    dpdtimeout=45s</div><div class="">    keyexchange=ikev2</div><div class="">    #This is for authenticaton in ipsec.secret</div><div class="">    #authby=xauthpsk</div><div class="">    #xauth=server</div><div class="">    left=%defaultroute</div><div class="">    #We want split tunneling</div><div class="">    #leftsubnet=<a href="http://0.0.0.0/0" target="_blank" class="">0.0.0.0/0</a></div><div class="">    leftsubnet=<a href="http://192.168.44.1/24" target="_blank" class="">192.168.44.1/24</a></div><div class="">    leftfirewall=yes</div><div class="">    leftid=x.x.x.x</div><div class="">    esp=aes128-sha1,3des-sha1,3des-sha2_256</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">    right=%any</div><div class="">    #rightsubnet=<a href="http://192.168.44.0/24" target="_blank" class="">192.168.44.0/24</a></div><div class="">    rightsourceip=<a href="http://192.168.40.0/24" target="_blank" class="">192.168.40.0/24</a></div><div class="">    #We push DNS for split DNS via charon attr plugin</div><div class="">    rightdns=192.168.44.1 </div><div class="">    auto=add</div><div class="">    forceencaps=yes</div><div class="">    # We are using xatuh-pam for two factor authentication</div><div class="">    leftauth=psk</div><div class="">    # rightauth = secret works</div><div class="">    rightauth=secret</div><div class="">    #rightauth=xauth</div><div class=""><br class=""></div><div class="">    #rightauth=eap-gtc</div><div class="">    #rightauth2=xauth-pam</div><div class="">    #Make a connection valid for maximun 4hour</div><div class="">    lifetime=4h</div><div class="">    rekey=no</div><div class="">    ikelifetime=10800s</div><div class="">    rekeyfuzz=100%</div><div class="">    pfs=no</div></div><div 
class=""><br class=""></div>And charon attr<div class=""><br class=""></div><div class=""><div class="">attr {</div><div class=""><br class=""></div><div class="">    # <attr> is an attribute name or an integer, values can be an IP address,</div><div class="">    # subnet or arbitrary value.</div><div class="">    # <attr> =</div><div class=""><br class=""></div><div class="">    # Whether to load the plugin. Can also be an integer to increase the</div><div class="">    # priority of this plugin.</div><div class="">    load = yes</div><div class="">    split-include=<a href="http://192.168.44.0/24" target="_blank" class="">192.168.44.0/24</a></div><div class="">    split-exclude=<a href="http://0.0.0.0/0" target="_blank" class="">0.0.0.0/0</a></div><div class=""><br class=""></div><div class="">    28672 = "Connected to VPN"</div><div class="">    28675 = domain_prefix </div><div class=""><br class=""></div><div class="">    dns = x.x.x.x,x.x.x.x</div><div class="">}</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">ikev1 works great on Mac OSX and Android. on iOS9, with ikev1 `28672 = "Connected to VPN"` worked too, because after connecting sucesfully, I saw the message. However the DNS of `28675` isn't working. </div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">I tried to tweak lots of setting from those page. 
Tried to use both of ikev1 and ikev2.</div><div class=""><a href="https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers" target="_blank" class="">https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers</a></div><div class=""><a href="https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers" target="_blank" class="">https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers</a></div><div class=""><a href="https://wiki.strongswan.org/issues/317" target="_blank" class="">https://wiki.strongswan.org/issues/317</a></div><div class=""><a href="https://wiki.strongswan.org/issues/261" target="_blank" class="">https://wiki.strongswan.org/issues/261</a></div><div class=""><br class=""></div><div class="">But so far no lucks...</div><div class=""><br class=""></div><div class="">The fact that it works on Mac OS X, Android (split tunneling + split dns) make me think that the issue is on iOS client.</div><div class=""><br class=""></div><div class="">When connection, I saw this log</div><div class=""><br class=""></div><div class="">```</div><div class=""><div class="">04[IKE] peer requested virtual IP %any</div><div class="">04[CFG] assigning new lease to 'vinh'</div><div class="">04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'</div><div class="">04[IKE] peer requested virtual IP %any6</div><div class="">04[IKE] no virtual IP found for %any6 requested by 'vinh'</div><div class="">04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS <a href="http://192.168.44.0/24" target="_blank" class="">192.168.44.0/24</a> === <a href="http://192.168.40.1/32" target="_blank" class="">192.168.40.1/32</a></div><div class="">04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]</div><div class="">04[NET] sending packet: from 
xxxx[4500] to xxxx[4500] (352 bytes)</div></div><div class="">```</div><div class=""><br class=""></div><div class="">That makes me think strongSwan does push the instruction to set DNS.</div><div class=""><br class=""></div><div class="">Has anyone ever got split DNS to work on iOS? If so, can you let me reference your configuration?</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div></div></div><br class="">_______________________________________________<br class="">
Users mailing list<br class="">
<a href="mailto:Users@lists.strongswan.org" target="_blank" class="">Users@lists.strongswan.org</a><br class="">
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank" class="">https://lists.strongswan.org/mailman/listinfo/users</a><span class=""><font color="#888888" class=""><br class=""></font></span></blockquote></div><span class=""><font color="#888888" class=""><br class=""><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div class="">"Over vidden flyger renen;<br class="">efter den i vind og væde! -<br class="">Bedre det, end bryde stenen<br class="">op af fattig jord dernede!" </div>
</font></span></div>
<br class="">_______________________________________________<br class="">
Users mailing list<br class="">
<a href="mailto:Users@lists.strongswan.org" target="_blank" class="">Users@lists.strongswan.org</a><br class="">
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank" class="">https://lists.strongswan.org/mailman/listinfo/users</a><br class=""></blockquote></div><br class=""><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""></div></div><div class="">Segmentation fault</div>
</div>
</blockquote></div><br class=""><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div class="">"Over vidden flyger renen;<br class="">efter den i vind og væde! -<br class="">Bedre det, end bryde stenen<br class="">op af fattig jord dernede!" </div>
</div>
</div></div></blockquote></div>
</div>
</div></blockquote></div><br class=""></div></div></body></html>