[strongSwan] dns problem when using the dhcp plugin

Hasse Hagen Johansen hasse-strongswan at hagenjohansen.dk
Tue Dec 9 20:24:51 CET 2014

Hi Thanks for helping

The DHCP is assigning the right ip adress for the DNS server. I also 
tried it on a windows7 ipsec client from work today and it gets the 
right DNS assigned, but will still resolve to the external even though 
it asks the right DNS server.

I have found the problem. It is because I have made special rules for 
the static IP in the firewall that it works. The strongswan is running 
on openwrtand I think I made those firewall rules to get the VPN to hit 
the internal resolver so I will get the internal DNS instead of external

That is because the client will hit the "zone_wan" even though the 
ip-address is in the lan address range

So I have these rules:

Chain zone_wan (1 references)
target     prot opt source               destination
ACCEPT     udp  --             udp dpt:68
ACCEPT     icmp --             icmp type 8
ACCEPT     udp  --             udp dpt:500
ACCEPT     udp  --             udp dpt:4500
ACCEPT     tcp  --           tcp dpt:53
ACCEPT     udp  --           udp dpt:53
input_wan  all  --  
zone_wan_REJECT  all  --  

I did this as quick fix because I couldn't figure out how to match the 
vpn client as source. Is there anyway how to match packages coming from 
the vpn clients? Earlier when you had like a vpn interface in linux it 
would be easier. Then I could add it to the lan zone, but I don't know 
how it is done now?

Best Regards and sorry for the confusion


Den 09/12/14 kl. 10:13 skrev Martin Willi:
> Hi,
>> When using a static ip in the rightsourceip parameter the
>> client(android) is resolving my mailserver with the internal ip as it
>> should(because I set that up with the attr plugin), but when using
>> rightsourceip=%dhcp the settings for dns with attr plugin seems to be
>> ignored and then the client doesn't even get the dns assigned which the
>> dhcp says it should use (and then my mailserver resolves to the external
>> ip which cannot be accessed)
> Please note that the DHCP plugin forwards any DNS/WINS attributes it
> receives over DHCP to the client using IKE configuration attributes. If
> you have both the attr and the dhcp plugin enabled, strongSwan sends the
> DNS attributes of each backend.
> Does your DHCP server provide the correct DNS server address? If yes,
> you may try to disable the attr plugin.
>>>                           enc = 0
> Unfortunately, with that loglevel setting we don't see the messages
> encoded/decoded, which is actually very useful information. If you
> revert to the default loglevels, we'd see at least how many DNS
> attributes strongSwan assigns to the client.
> Regards
> Martin

More information about the Users mailing list