[strongSwan] Private DNS problem with IOS / Unity

Raoul Duke rduke496 at gmail.com
Sat Sep 6 21:08:24 CEST 2014


Hi,

I'm still having this problem.  Any suggestions about things I could
do to debug it further?

Thanks.
RD

On Fri, Jul 11, 2014 at 9:45 PM, Raoul Duke <rduke496 at gmail.com> wrote:
> Hi,
>
> I'm using strongSwan 5.1.1 with iOS devices and split tunneling via
> the Unity plugin.
>
> Here is the relevant snippet of my strongswan.conf (the options sit in
> the charon section; closing braces added so the block is complete):
>
>         charon {
>                 dns1 = 10.99.17.4
>                 dns2 = 10.99.18.4
>
>                 cisco_unity = yes
>
>                 plugins {
>                         attr {
>                                 split-include = 10.99.0.0/16
>                         }
>                 }
>         }
>
> The DNS server IPs are only available on the internal network.
>
> My goal is to be able to access a webserver at 10.99.20.100 via a DNS
> name (foo.bar.com, lets say).  The private DNS servers know how to
> resolve foo.bar.com to 10.99.20.100
>
> My problem is: when I am on the VPN the split tunnel will allow me to
> hit the webserver by IP address (10.99.20.100) but *not* by DNS name.
>
> This suggests to me that the DNS requests are not going to the private
> DNS server and are either using my wifi DNS servers (which won't be
> able to resolve the name) or the DNS requests are getting tunneled but
> black-holed somehow.  My bet is the former but I have not verified it
> via packet capture.
>
> Since the split-include subnet encompasses the IPs of the DNS servers,
> I am at a loss to understand what the issue could be - and iOS
> clients are not too simple to debug in this regard.  Is there
> something simple I am missing here?
>
> When I use full tunnel mode (rather than split) for iOS the DNS name
> resolves fine, which indicates to me that in the 0.0.0.0/0 case the
> private DNS servers are being used.
>
> Also, when using IKEv2 with Android (strongSwan client) I can
> configure a leftsubnet of 10.99.0.0/16 and get the behaviour I expect
> in that case, i.e. I can use the domain name to hit the webserver.
>
> Are my configuration and expectations in the iOS case correct?  Is there
> anything else I need to do to force the use of the private DNS server
> in the split tunnel case?
>
> Otherwise, I'd be grateful for any suggestions / ideas / pointers
> on how to troubleshoot this.
>
> Thanks.

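Added debugging aid (not part of the original message, and not strongSwan code): the poster's hypothesis is that the iOS client sends its DNS queries to the Wi-Fi resolvers rather than through the tunnel, but this was not verified with a packet capture. The script below does the two checks a practitioner would run: it parses the attr/charon snippet and confirms that every DNS server handed to clients lies inside a split-include subnet (a resolver outside those subnets is unreachable from a split-tunnel client), and it classifies DNS queries from a `tcpdump -n` capture taken on the gateway by source (VPN pool or not) and destination (private resolver or something else). Assumptions, labelled in the code as well: the VPN address pool is 10.99.200.0/24, and the capture lines are constructed for the example rather than taken from a real capture.

```python
"""Added debugging aid for the split-tunnel DNS question above.

Not code from the original message or from strongSwan.  Two checks:
 1. parse the attr/charon snippet and confirm every DNS server handed to
    clients lies inside a split-include subnet;
 2. classify DNS queries seen in a `tcpdump -n` capture on the gateway,
    to see whether the client's queries reach the internal resolvers.
Assumptions: VPN pool 10.99.200.0/24; capture lines are constructed.
"""
import ipaddress
import re

# The poster's snippet, wrapped in its charon section.
CONFIG = """\
charon {
        dns1 = 10.99.17.4
        dns2 = 10.99.18.4
        cisco_unity = yes
        plugins {
                attr {
                        split-include = 10.99.0.0/16
                }
        }
}
"""


def parse_attr_config(text):
    """Pull dns*/split-include values out of a strongswan.conf-style snippet.

    Minimal `key = value` scanner; comma-separated lists are split.
    Returns {'dns': [...], 'split-include': [...]}.
    """
    found = {"dns": [], "split-include": []}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.-]+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key == "dns" or re.fullmatch(r"dns\d+", key):
            found["dns"].extend(values)
        elif key == "split-include":
            found["split-include"].extend(values)
    return found


def uncovered_dns_servers(cfg):
    """Return the DNS servers that no split-include subnet covers.

    A split-tunnel client only routes the split-include subnets through
    the tunnel, so an uncovered resolver cannot be reached at all.
    """
    subnets = [ipaddress.ip_network(s, strict=False) for s in cfg["split-include"]]
    return [d for d in cfg["dns"]
            if not any(ipaddress.ip_address(d) in n for n in subnets)]


# tcpdump -n prints a DNS query as:
#   HH:MM:SS.uuuuuu IP SRC.PORT > DST.53: ID+ TYPE? name. (len)
TCPDUMP_DNS = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"\d+\+ (?P<qtype>\w+)\? (?P<name>\S+)")


def classify_dns_queries(lines, dns_servers, vpn_pool):
    """Count DNS queries from the VPN pool, split by destination resolver.

    'internal' = queries sent to the configured private resolvers,
    'other'    = queries from a VPN client to some other resolver.
    Queries that go to the Wi-Fi DNS never reach the gateway, so a
    capture with zero client queries is itself the answer.
    """
    pool = ipaddress.ip_network(vpn_pool)  # assumption: client pool
    internal = {ipaddress.ip_address(d) for d in dns_servers}
    result = {"internal": 0, "other": 0, "names": []}
    for line in lines:
        m = TCPDUMP_DNS.search(line)
        if not m:
            continue
        if ipaddress.ip_address(m["src"]) not in pool:
            continue  # not a VPN client, e.g. a LAN host
        dst = ipaddress.ip_address(m["dst"])
        result["internal" if dst in internal else "other"] += 1
        result["names"].append(m["name"].rstrip("."))
    return result


# Constructed capture lines (not real data): two client queries reach the
# private resolvers, one client query goes to a public resolver, and one
# query comes from a LAN host rather than the VPN pool.
SAMPLE_CAPTURE = [
    "21:08:01.000001 IP 10.99.200.5.50123 > 10.99.17.4.53: 4711+ A? foo.bar.com. (29)",
    "21:08:01.000002 IP 10.99.200.5.50124 > 10.99.18.4.53: 4712+ AAAA? foo.bar.com. (29)",
    "21:08:01.000003 IP 10.99.200.5.50125 > 8.8.8.8.53: 4713+ A? foo.bar.com. (29)",
    "21:08:01.000004 IP 10.99.20.7.40000 > 10.99.17.4.53: 99+ A? other.example. (31)",
]

if __name__ == "__main__":
    cfg = parse_attr_config(CONFIG)
    print("DNS servers:", cfg["dns"], "split-include:", cfg["split-include"])
    print("resolvers outside split-include:", uncovered_dns_servers(cfg))
    print(classify_dns_queries(SAMPLE_CAPTURE, cfg["dns"], "10.99.200.0/24"))
```

To use it against a real gateway, capture with something like `tcpdump -ni <internal interface> 'udp port 53'` while the phone tries to resolve the name, and feed the saved text lines to classify_dns_queries. If no query from the pool address appears at all, the client is resolving via its Wi-Fi DNS; if queries appear but get no reply, the resolver or return route is the problem.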