[strongSwan] Private DNS problem with IOS / Unity

Raoul Duke rduke496 at gmail.com
Sat Sep 6 21:08:24 CEST 2014


I'm still having this problem.  Any suggestions about things I could
do to debug it further?


On Fri, Jul 11, 2014 at 9:45 PM, Raoul Duke <rduke496 at gmail.com> wrote:
> Hi,
> I'm using strongswan 5.1.1 with IOS devices and split tunneling via
> the Unity plugin.
> Here is the relevant snippet of my strongswan.conf:
>         dns1 =
>         dns2 =
>         cisco_unity = yes
>         plugins {
>                 attr {
>                         split-include =
>                 }
>         }
> The DNS server IPs are only available on the internal network.
> My goal is to be able to access a webserver at via a DNS
> name (foo.bar.com, let's say).  The private DNS servers know how to
> resolve foo.bar.com to
> My problem is: when I am on the VPN the split tunnel will allow me to
> hit the webserver by IP address ( but *not* by DNS name.
> This suggests to me that the DNS requests are not going to the private
> DNS server and are either using my wifi DNS servers (which won't be
> able to resolve the name) or the DNS requests are getting tunneled but
> black-holed somehow.  My bet is the former but I have not verified it
> via packet capture.
> Since the split-include subnet encompasses the IPs of the DNS servers,
> I am at a loss to understand what the issue could be - and IOS
> clients are not too simple to debug in this regard.  Is there
> something simple I am missing here?
> When I use full tunnel mode (rather than split) for IOS the DNS name
> resolves fine, which indicates to me that in the case the
> private DNS servers are being used.
> Also, when using ikev2 with Android (strongswan client) I can
> configure a leftsubnet of and get the behaviour I expect
> in that case i.e. I can use the domain name to hit the webserver.
> Is my configuration/expectations in the IOS case correct?  Is there
> anything else I need to do to force the use of the private DNS server
> in the split tunnel case?
> Or otherwise - I'd be grateful for any suggestions / ideas / pointers
> on how to troubleshoot this?
> Thanks.
