<div dir="ltr">The fix is to use a configuration profile containing the ikev2 settings and some extra settings for the dns. I can confirm that this works and allows for split dns.<div><br></div><div>Example for <a href="http://test2.com">test2.com</a> and <a href="http://test3.com">test3.com</a></div><div><br></div><div><div> <key>DNS</key></div><div> <dict></div><div> <key>ServerAddresses</key></div><div> <array></div><div> <string>1.1.1.1</string></div><div> <string>2.2.2.2</string></div><div> </array></div><div> <key>SearchDomains</key></div><div> <array></div><div> <string><a href="http://test2.com">test2.com</a></string></div><div> <string><a href="http://test3.com">test3.com</a></string></div><div> </array></div><div> <key>SupplementalMatchDomains</key></div><div> <array></div><div> <string><a href="http://test2.com">test2.com</a></string></div><div> <string><a href="http://test3.com">test3.com</a></string></div><div> </array></div></div><div> </dict><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 15, 2015 at 8:06 PM, Roger Skjetlein <span dir="ltr"><<a href="mailto:rskjetlein@netrunner.nu" target="_blank">rskjetlein@netrunner.nu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I see that the dns payload is received by the client (os x 10.11) and installed, but not in a way that allows the client to actually use the dns servers.<div><br></div><div>Only the dns received via dhcp through wifi are used.<br><div><br></div><div><div>rogers-mbp:~ roger$ scutil --dns</div><div>DNS configuration</div><div><br></div><div>resolver #1</div><div> search domain[0] : s******n</div><div> nameserver[0] : 10.0.10.100</div><div> if_index : 4 (en0)</div><div> flags : Request A records</div><div>Reachable</div><div><br></div><div>resolver #2</div><div> domain : local</div><div> options : mdns</div><div> timeout : 5</div><div> flags : Request A records</div><div>Not Reachable</div>
<div> order : 300000</div></div><div>.</div><div>.</div><div>.</div><div><div>DNS configuration (for scoped queries)</div><div><br></div><div>resolver #1</div><div> search domain[0] : s****n</div><div> nameserver[0] : 10.0.10.100</div><div> if_index : 4 (en0)</div><div> flags : Scoped, Request A records</div><div>Reachable</div><div><br></div><div>resolver #2</div><div> nameserver[0] : x.x.x.x</div><div> nameserver[1] : x.x.x.x</div><div> if_index : 10 (ipsec0)</div><div> flags : Scoped, Request A records</div><div>Reachable, Transient Connection, Connection Required, Automatic Connection On Demand</div></div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 15, 2015 at 6:45 PM, Марк Коренберг <span dir="ltr"><<a href="mailto:socketpair@gmail.com" target="_blank">socketpair@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I experience the same problem. Moreover, even just rightdns=... does not work. Not even talking about splitdns...<div><br></div><div>Also, it seems that splitdns (as cisco unity extension) works only with ikev1. I have no proof for that.</div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2015-10-15 17:42 GMT+05:00 Roger Skjetlein <span dir="ltr"><<a href="mailto:rskjetlein@netrunner.nu" target="_blank">rskjetlein@netrunner.nu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm connecting both ios 9 and osx 10.11 and experience the same problem.<div><br></div><div>The dns settings are pushed to the client and can be viewed by running 'scutil --dns'. 
However, the clients never use the assigned dns server, and I even have the same problem when manually configuring dns servers in the ikev2 vpn settings on the client.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 2, 2015 at 12:22 AM, Vinh Nguyen <span dir="ltr"><<a href="mailto:vinh@noty.im" target="_blank">vinh@noty.im</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>Hi all,</div><div><br></div><div>I'm having a hard time configuring split DNS for iOS. The configuration works for all clients: the Mac OS X built-in client using ikev1, and Android works too. </div><div><br></div><div>On iOS 9.02, it seems like the iOS VPN client doesn't set the DNS, because I can see in the log that strongSwan is pushing DNS.</div><div><br></div><div>Split tunneling does work. I can use private IPs totally fine. But it's just that the iPhone client doesn't set the VPN correctly. 
</div><div><br></div><div>I have this configuration in ipsec.conf</div><div><br></div><div><div>config setup</div><div> # strictcrlpolicy=yes</div><div> # uniqueids = no</div><div> cachecrls=yes</div><div> uniqueids=yes</div><div><br></div><div> plutostart=yes</div><div> nat_traversal=yes</div><div><br></div><div> # Debug remove later</div><div> charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4,chd 4"</div><div><br></div><div>conn ikev1</div><div> dpdaction=clear</div><div> dpddelay=15s</div><div> dpdtimeout=45s</div><div> keyexchange=ikev1</div><div> #This is for authentication in ipsec.secrets</div><div> #authby=xauthpsk</div><div> #xauth=server</div><div> left=%defaultroute</div><div> #We want split tunneling</div><div> #leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> leftsubnet=<a href="http://192.168.44.1/24" target="_blank">192.168.44.1/24</a></div><div> leftfirewall=yes</div><div> right=%any</div><div> #rightsubnet=<a href="http://192.168.44.0/24" target="_blank">192.168.44.0/24</a></div><div> rightsourceip=<a href="http://192.168.40.0/24" target="_blank">192.168.40.0/24</a></div><div> #We push DNS for split DNS via charon attr plugin</div><div> rightdns=x.x.x.x</div><div> auto=add</div><div> forceencaps=yes</div><div> # We are using xauth-pam for two factor authentication</div><div> leftauth=psk</div><div> rightauth=psk</div><div> rightauth2=xauth-pam</div><div> #Make a connection valid for maximum 4 hours</div><div> lifetime=4h</div><div><br></div><div>conn iosikev2</div><div> dpdaction=clear</div><div> dpddelay=15s</div><div> dpdtimeout=45s</div><div> keyexchange=ikev2</div><div> #This is for authentication in ipsec.secrets</div><div> #authby=xauthpsk</div><div> #xauth=server</div><div> left=%defaultroute</div><div> #We want split tunneling</div><div> #leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> leftsubnet=<a href="http://192.168.44.1/24" target="_blank">192.168.44.1/24</a></div><div> 
leftfirewall=yes</div><div> leftid=x.x.x.x</div><div> esp=aes128-sha1,3des-sha1,3des-sha2_256</div><div><br></div><div><br></div><div> right=%any</div><div> #rightsubnet=<a href="http://192.168.44.0/24" target="_blank">192.168.44.0/24</a></div><div> rightsourceip=<a href="http://192.168.40.0/24" target="_blank">192.168.40.0/24</a></div><div> #We push DNS for split DNS via charon attr plugin</div><div> rightdns=192.168.44.1 </div><div> auto=add</div><div> forceencaps=yes</div><div> # We are using xauth-pam for two factor authentication</div><div> leftauth=psk</div><div> # rightauth = secret works</div><div> rightauth=secret</div><div> #rightauth=xauth</div><div><br></div><div> #rightauth=eap-gtc</div><div> #rightauth2=xauth-pam</div><div> #Make a connection valid for maximum 4 hours</div><div> lifetime=4h</div><div> rekey=no</div><div> ikelifetime=10800s</div><div> rekeyfuzz=100%</div><div> pfs=no</div></div><div><br></div>And charon attr<div><br></div><div><div>attr {</div><div><br></div><div> # &lt;attr&gt; is an attribute name or an integer, values can be an IP address,</div><div> # subnet or arbitrary value.</div><div> # &lt;attr&gt; =</div><div><br></div><div> # Whether to load the plugin. Can also be an integer to increase the</div><div> # priority of this plugin.</div><div> load = yes</div><div> split-include=<a href="http://192.168.44.0/24" target="_blank">192.168.44.0/24</a></div><div> split-exclude=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div><br></div><div> 28672 = "Connected to VPN"</div><div> 28675 = domain_prefix </div><div><br></div><div> dns = x.x.x.x,x.x.x.x</div><div>}</div><div><br></div><div><br></div><div>ikev1 works great on Mac OSX and Android. On iOS 9, with ikev1 `28672 = "Connected to VPN"` worked too, because after connecting successfully, I saw the message. However, the DNS of `28675` isn't working. </div><div><br></div><div><br></div><div><br></div><div>I tried to tweak lots of settings from these pages. 
I tried using both ikev1 and ikev2.</div><div><a href="https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers</a></div><div><a href="https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers</a></div><div><a href="https://wiki.strongswan.org/issues/317" target="_blank">https://wiki.strongswan.org/issues/317</a></div><div><a href="https://wiki.strongswan.org/issues/261" target="_blank">https://wiki.strongswan.org/issues/261</a></div><div><br></div><div>But so far no luck...</div><div><br></div><div>The fact that it works on Mac OS X and Android (split tunneling + split DNS) makes me think that the issue is on the iOS client.</div><div><br></div><div>When connecting, I saw this log</div><div><br></div><div>```</div><div><div>04[IKE] peer requested virtual IP %any</div><div>04[CFG] assigning new lease to 'vinh'</div><div>04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'</div><div>04[IKE] peer requested virtual IP %any6</div><div>04[IKE] no virtual IP found for %any6 requested by 'vinh'</div><div>04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS <a href="http://192.168.44.0/24" target="_blank">192.168.44.0/24</a> === <a href="http://192.168.40.1/32" target="_blank">192.168.40.1/32</a></div><div>04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]</div><div>04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)</div></div><div>```</div><div><br></div><div>That makes me think strongSwan does push instructions to set DNS.</div><div><br></div><div>Has anyone ever got split DNS to work on iOS? 
If so, can you let me reference your configuration?</div><div><br></div><div><br></div><div><br></div></div></div><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><span><font color="#888888"><br></font></span></blockquote></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div>"Over the mountain plateau flies the reindeer;<br>after it in wind and wet! -<br>Better that than breaking the stone<br>up from poor soil down there!" </div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br></div></div><div>Segmentation fault</div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div>"Over the mountain plateau flies the reindeer;<br>after it in wind and wet! -<br>Better that than breaking the stone<br>up from poor soil down there!" </div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">"Over the mountain plateau flies the reindeer;<br>after it in wind and wet! -<br>Better that than breaking the stone<br>up from poor soil down there!" </div>
</div>
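An added check (not code from the thread) that parses `scutil --dns` output like the one Roger posted and reports whether a name would actually be resolved through the VPN's nameservers: servers that appear only in the scoped list for ipsec0, as in his output, are never consulted for ordinary lookups, which is what the SupplementalMatchDomains profile at the top changes. The sample output, the 192.0.2.x addresses and the ipsec0 interface name are constructed assumptions.

```python
import re

SECTION_RE = re.compile(r"^DNS configuration( \(for scoped queries\))?$")
KV_RE = re.compile(r"^([a-z_ ]+?)(?:\[\d+\])?\s*:\s*(.*)$")   # "nameserver[0] : 1.2.3.4"

def parse_scutil_dns(text):
    """Parse `scutil --dns` output into resolver dicts; lines without ':' (reachability) are skipped."""
    resolvers, cur, scoped = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if SECTION_RE.match(line):                       # section header: unscoped or scoped list
            scoped = "scoped" in line
        elif line.startswith("resolver #"):
            cur = {"scoped": scoped, "domain": None, "nameservers": [], "iface": None}
            resolvers.append(cur)
        elif cur is not None and (m := KV_RE.match(line)):
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "nameserver":
                cur["nameservers"].append(val)
            elif key == "domain":
                cur["domain"] = val.lower()
            elif key == "if_index" and "(" in val:       # "10 (ipsec0)" -> "ipsec0"
                cur["iface"] = val[val.index("(") + 1:val.index(")")]
    return resolvers

def consulted_unscoped(resolvers, name):
    """Unscoped resolvers macOS uses for `name`: default ones plus any whose domain matches."""
    name = name.rstrip(".").lower()
    return [r for r in resolvers if not r["scoped"] and (r["domain"] is None
            or name == r["domain"] or name.endswith("." + r["domain"]))]

def vpn_dns_used_for(text, name, vpn_iface="ipsec0"):
    """True only if an unscoped resolver consulted for `name` carries the VPN interface's
    nameservers; servers present solely in the scoped list never serve ordinary lookups."""
    resolvers = parse_scutil_dns(text)
    vpn_ns = {ns for r in resolvers if r["iface"] == vpn_iface for ns in r["nameservers"]}
    return bool(vpn_ns) and any(set(r["nameservers"]) & vpn_ns
                                for r in consulted_unscoped(resolvers, name))

# Constructed sample modelled on the output quoted in the thread, not the poster's real data.
SAMPLE = """\
DNS configuration
resolver #1
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
DNS configuration (for scoped queries)
resolver #2
  nameserver[0] : 192.0.2.53
  if_index : 10 (ipsec0)
  flags : Scoped, Request A records
"""
```

With a working split-DNS profile the unscoped list gains a resolver whose `domain` is the supplemental match domain and whose nameservers are the VPN's; the check then returns True for names under that domain and False elsewhere.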