[strongSwan] Private DNS problem with IOS / Unity

Noel Kuntze noel at familie-kuntze.de
Sat Sep 6 21:53:02 CEST 2014

I think it is a problem with iOS not applying the DNS server settings,
which are pushed to it with mode config, if split tunneling is used.
The solution to this is, as you found out, to push as leftsubnet.
You probably also want to split_exclude the usual WLAN hotspot LANs.

Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 06.09.2014 at 21:08, Raoul Duke wrote:
> Hi,
> I'm still having this problem.  Any suggestions about things I could
> do to debug it further?
> Thanks.
> RD
> On Fri, Jul 11, 2014 at 9:45 PM, Raoul Duke <rduke496 at gmail.com> wrote:
>> Hi,
>> I'm using strongswan 5.1.1 with IOS devices and split tunneling via
>> the Unity plugin.
>> Here is the relevant snippet of my strongswan.conf:
>>         dns1 =
>>         dns2 =
>>         cisco_unity = yes
>>         plugins {
>>                 attr {
>>                         split-include =
>>                 }
>> The DNS server IPs are only available on the internal network.
>> My goal is to be able to access a webserver at via a DNS
>> name (foo.bar.com, lets say).  The private DNS servers know how to
>> resolve foo.bar.com to
>> My problem is: when I am on the VPN the split tunnel will allow me to
>> hit the webserver by IP address ( but *not* by DNS name.
>> This suggests to me that the DNS requests are not going to the private
>> DNS server and are either using my wifi DNS servers (which won't be
>> able to resolve the name) or the DNS requests are getting tunneled but
>> black-holed somehow.  My bet is the former but I have not verified it
>> via packet capture.
>> Since the split-include subnet encompasses the IPs of the DNS servers,
>> I am at a loss to understand what the issue could be - and IOS
>> clients are not too simple to debug in this regard.  Is there
>> something simple I am missing here?
>> When I use full tunnel mode (rather than split) for IOS the DNS name
>> resolves fine, which indicates to me that in that case the
>> private DNS servers are being used.
>> Also, when using ikev2 with Android (strongswan client) I can
>> configure a leftsubnet of and get the behaviour I expect
>> in that case i.e. I can use the domain name to hit the webserver.
>> Is my configuration/expectations in the IOS case correct?  Is there
>> anything else I need to do to force the use of the private DNS server
>> in the split tunnel case?
>> Or otherwise - I'd be grateful for any suggestions / ideas / pointers
>> on how to troubleshoot this?
>> Thanks.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
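
As an added worked example (not from the original thread and not the strongSwan project's own documentation), this is the shape of the configuration Noel is recommending for strongSwan 5.1.x: the internal subnet that contains the DNS servers is listed in leftsubnet of the IKEv1 connection, so the unity plugin pushes it as a Split-Include instead of the attr plugin's split-include list; the resolvers are pushed with the attr plugin; and the usual hotspot/home LAN ranges are pushed as Split-Exclude. Every address here (10.10.0.0/16, 10.10.0.53, 10.10.0.54, 10.11.0.0/24, 192.168.0.0/16, 172.16.0.0/12), the connection name and the certificate file name are placeholders I assume for illustration, since the thread's real values were scrubbed; the authentication settings (pubkey plus XAuth) are also an assumption and should be kept as in the reader's existing conn.

```conf
# /etc/strongswan.conf  (added example; all addresses are placeholders)
charon {
    # Enable the Cisco Unity extensions for IKEv1 clients such as the iOS built-in client.
    cisco_unity = yes

    plugins {
        attr {
            # Internal resolvers that are only reachable through the tunnel.
            # In 5.1.x the charon-level dns1/dns2 keys do the same thing; this is the plugin form.
            dns = 10.10.0.53, 10.10.0.54

            # Typical WLAN hotspot / home LAN ranges, pushed as Split-Exclude so the
            # client keeps reaching its local network while the VPN is up.
            split-exclude = 192.168.0.0/16, 172.16.0.0/12

            # Deliberately no split-include here: the subnet is pushed via leftsubnet below.
        }
    }
}

# /etc/ipsec.conf  (added example; same placeholder addresses)
conn ios-unity
    keyexchange=ikev1
    left=%defaultroute
    leftcert=vpnHostCert.pem          # assumed: gateway certificate
    leftauth=pubkey
    # The internal subnet that contains 10.10.0.53 and 10.10.0.54. With
    # cisco_unity=yes the unity plugin sends every leftsubnet entry as a
    # Split-Include, which is the variant iOS honours together with the pushed DNS.
    leftsubnet=10.10.0.0/16
    right=%any
    rightauth=pubkey
    rightauth2=xauth                  # assumed: certificate + XAuth username/password
    rightsourceip=10.11.0.0/24        # virtual IP pool handed out via mode config
    auto=add
```

To check the result the way the original poster wanted to, capture on the gateway while the iPhone resolves the internal name; if the fix took, the queries arrive through the tunnel on the internal interface: `tcpdump -ni <internal-iface> udp port 53 and host 10.11.0.0/24` (interface name assumed). If nothing shows up, the client is still sending DNS to the Wi-Fi resolvers, and `ipsec statusall` will show which traffic selectors were actually negotiated for the child SA.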
