[strongSwan] Strongswan 5.0.4 - RoadWarrior DNS Configuration (RIGHTDNS)?

Paton, Andy andy.paton at hp.com
Tue Jun 25 13:34:21 CEST 2013


All,

Thanks for your help on this one; for future reference (if anyone stumbles across this problem), my issue was:

Ipv4_forwarding

It turns out that somewhere between trying to make this work on Version 4.X of SS, and upgrading to Version 5.0.4, I managed to forget to enable ip forwarding.

As soon as this was enabled the "rightdns=XXX.XXX.XXX.XXX" worked, and I now have connection specific DNS working nicely.

Regards,

Andy


-----Original Message-----
From: Noel Kuntze <noel at familie-kuntze.de>
Sent: 24 June 2013 15:30
To: Paton, Andy
Subject: Re: [strongSwan] Strongswan 5.0.4 - RoadWarrior DNS Configuration (RIGHTDNS)?

Hello Andy,

You can set "dns1" and "dns2" in libstrongswan.conf in the charon section.
These lines specify the DNS servers that are to be sent to the peers.

Regards,
Noel

On 17.06.2013 11:04, Paton, Andy wrote:
>
> All,
>
> I was wondering if anyone had any thoughts on the below?
>
> It doesn't appear that rightdns is adding entries to the resolv.conf
> file?
>
> Manually adding entries to this file also seems to fail DNS
> lookup when accessing over the tunnel; however, the local machine
> (Gateway) is able to resolve the names.
>
> Regards,
>
> Andy Paton
> HP
>
> From: Paton, Andy
> Sent: 14 June 2013 09:29
> To: users at lists.strongswan.org
> Subject: Strongswan 5.0.4 - RoadWarrior DNS Configuration (RIGHTDNS)?
>
> Hello,
>
> Following on from some of my further questions on the subject, I am in 
> the process of creating a demo for a unified IPSEC gateway with 
> StrongSwan and my latest challenge is DNS configuration.
>
> In my configuration I have multiple backend subnets, for distinct systems.
> Each of these subnets has its own DNS server.
>
> Ideally I don't want to promote a DNS server / forwarder to the edge
> of my network, and would like Strongswan to handle the client DNS
> configuration. To that end I believe since StrongSwan 5.0.4 there is
> the ability to specify rightdns=xxx.xxx.xxx.xxx in the configuration.
>
> However, this doesn't appear to be working for me, as the connected
> clients are not being sent over to the DNS servers.
>
> My current config (for the connections):
>
> conn group1
> left=10.1.0.2
> leftcert=vpnserver.crt
> leftsubnet=172.17.81.128/27
> leftid=vpnserver.of.our.company.fqdn
> leftfirewall=yes
> right=%any
> rightid="DC=de, DC=company, O=Companyname, OU=group1 certificate, CN=*"
> rightsourceip=10.0.50.0/24
>
> rightdns=172.17.81.142
> auto=add
>
> conn group2
> left=10.1.0.2
> leftcert=vpnserver.crt
> leftsubnet=162.17.81.128/27
> leftid=vpnserver.of.our.company.fqdn
> leftfirewall=yes
> right=%any
> rightid="DC=de, DC=company, O=Companyname, OU=group2 certificate, CN=*"
>
> rightdns=162.17.81.142
> rightsourceip=10.0.60.0/24
>
> And the content from Strongswan.conf (not changed from the default 
> install).
>
> What am I missing here?
>
>
> Regards,
>
> Andy Paton
> Business Development Solution Architect ATLAS CTOSD UK Public Sector
> Defence, Home & Foreign Affairs
>
> andy.paton at hp.com  M +44 7786 748 199
> HP Enterprise Services Defence & Security UK Ltd Registered Office:
> Cain Road
> Bracknell, Berkshire, RG12 1HN
> United Kingdom
>
> HP
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
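As an added example (not from this thread or the strongSwan project), a small Python lint over an ipsec.conf modelled on the posted conns: it parses each conn section, checks that every rightdns address lies inside a leftsubnet traffic selector so the peer's DNS queries actually enter the tunnel, flags a conn with no auto= (as in the posted group2), and takes the gateway's net.ipv4.ip_forward value, which turned out to be the real fix. The sample config and the ip_forward argument are constructed; read the sysctl yourself when running it on a gateway.

```python
"""Lint strongSwan ipsec.conf conns for what this thread turned on: a rightdns
peers can reach through the tunnel, and IPv4 forwarding on the gateway."""
import ipaddress
import re
# Constructed sample modelled on the posted conns; group2 lacks auto=add as in
# the original post, and its DNS server sits outside leftsubnet on purpose.
SAMPLE_IPSEC_CONF = """\
conn group1
    leftsubnet=172.17.81.128/27
    rightsourceip=10.0.50.0/24
    rightdns=172.17.81.142
    auto=add
conn group2
    leftsubnet=162.17.81.128/27
    rightdns=8.8.8.8
    rightsourceip=10.0.60.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = re.match(r"^\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conns

def lint(conns, ip_forward):
    """Return problems found; ip_forward is the gateway's net.ipv4.ip_forward."""
    problems = []
    if ip_forward != 1:
        problems.append("gateway: net.ipv4.ip_forward is not 1")
    for name, c in conns.items():
        if "rightdns" not in c:
            problems.append(f"{name}: no rightdns, peers get no DNS server")
        else:
            # A server outside every leftsubnet is reachable by the gateway only.
            nets = [ipaddress.ip_network(s.strip())
                    for s in c.get("leftsubnet", "").split(",") if s.strip()]
            for srv in c["rightdns"].split(","):
                addr = ipaddress.ip_address(srv.strip())
                if not any(addr in n for n in nets):
                    problems.append(f"{name}: rightdns {addr} is outside leftsubnet")
        if c.get("auto") not in ("add", "route", "start"):
            problems.append(f"{name}: auto not set, conn defaults to ignore")
    return problems
```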
