[strongSwan] Private DNS problem with IOS / Unity

[Raoul Duke]

Hi,

I'm using strongswan 5.1.1 with IOS devices and split tunneling via
the Unity plugin.

Here is the relevant snippet of my strongswan.conf:

        dns1 = 10.99.17.4
        dns2 = 10.99.18.4

        cisco_unity = yes

        plugins {
                attr {
                        split-include = 10.99.0.0/16
                }

The DNS server IPs are only available on the internal network.

My goal is to be able to access a webserver at 10.99.20.100 via a DNS
name (foo.bar.com, lets say).  The private DNS servers know how to
resolve foo.bar.com to 10.99.20.100

My problem is: when I am on the VPN the split tunnel will allow me to
hit the webserver by IP address (10.99.20.100) but *not* by DNS name.

This suggests to me that the DNS requests are not going to the private
DNS server are are either using my wifi DNS servers (which won't be
able to resolve the name) or the DNS requests are getting tunneled but
black-holed somehow.  My bet is the former but I have not verified it
via packet capture.

Since the split-include subnet encompasses the IPs of the DNS servers
so I am at a loss to understand what the issue could be - and IOS
clients are not too simple to debug in this regard.  Is there
something simple I am missing here?

When I use full tunnel mode (rather than split) for IOS the DNS name
resolves fine, which indicates to me that in the 0.0.0.0/0 case the
private DNS servers are being used.

Also, when using ikev2 with Android (strongswan client) I can
configure a lefsubnet of  10.99.0.0/16 and get the behaviour I expect
in that case i.e. I can use the domain name to hit the webserver.

Is my configuration/expectations in the IOS case correct?  is there
anything else I need to do to force the use of the private DNS server
in the split tunnel case.

Or otherwise - I'd be grateful for any suggestions / ideas / pointers
on how to troubleshoot this?

Thanks.