[strongSwan] Private DNS problem with iOS / Unity

Noel Kuntze noel at familie-kuntze.de
Sat Sep 6 21:53:02 CEST 2014


Hello,

I think it is a problem with iOS not applying the DNS server settings,
which are pushed to it with mode config, if split tunneling is used.
The solution to this is, as you found out, to push 0.0.0.0/0 as leftsubnet.
You probably also want to split_exclude the usual WLAN hotspot LANs
like 192.168.0.0/16.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 06.09.2014 at 21:08, Raoul Duke wrote:
> Hi,
>
> I'm still having this problem.  Any suggestions about things I could
> do to debug it further?
>
> Thanks.
> RD
>
> On Fri, Jul 11, 2014 at 9:45 PM, Raoul Duke <rduke496 at gmail.com> wrote:
>> Hi,
>>
>> I'm using strongswan 5.1.1 with iOS devices and split tunneling via
>> the Unity plugin.
>>
>> Here is the relevant snippet of my strongswan.conf (the options sit in
>> the charon { } section; the closing braces were cut from the original paste):
>>
>>     charon {
>>         dns1 = 10.99.17.4
>>         dns2 = 10.99.18.4
>>
>>         cisco_unity = yes
>>
>>         plugins {
>>                 attr {
>>                         split-include = 10.99.0.0/16
>>                 }
>>         }
>>     }
>>
>> The DNS server IPs are only available on the internal network.
>>
>> My goal is to be able to access a webserver at 10.99.20.100 via a DNS
>> name (foo.bar.com, lets say).  The private DNS servers know how to
>> resolve foo.bar.com to 10.99.20.100
>>
>> My problem is: when I am on the VPN the split tunnel will allow me to
>> hit the webserver by IP address (10.99.20.100) but *not* by DNS name.
>>
>> This suggests to me that the DNS requests are not going to the private
>> DNS server and are either using my wifi DNS servers (which won't be
>> able to resolve the name) or the DNS requests are getting tunneled but
>> black-holed somehow.  My bet is the former but I have not verified it
>> via packet capture.
>>
>> Since the split-include subnet encompasses the IPs of the DNS servers,
>> I am at a loss to understand what the issue could be - and iOS
>> clients are not too simple to debug in this regard.  Is there
>> something simple I am missing here?
>>
>> When I use full tunnel mode (rather than split) for iOS the DNS name
>> resolves fine, which indicates to me that in the 0.0.0.0/0 case the
>> private DNS servers are being used.
>>
>> Also, when using ikev2 with Android (strongswan client) I can
>> configure a leftsubnet of 10.99.0.0/16 and get the behaviour I expect
>> in that case i.e. I can use the domain name to hit the webserver.
>>
>> Are my configuration/expectations in the iOS case correct?  Is there
>> anything else I need to do to force the use of the private DNS server
>> in the split tunnel case?
>>
>> Or otherwise - I'd be grateful for any suggestions / ideas / pointers
>> on how to troubleshoot this?
>>
>> Thanks.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

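The configuration Noel suggests, written out as an added example (not taken from either post and not strongSwan project documentation): instead of handing the iOS client a split-include list, the conn pushes 0.0.0.0/0 as leftsubnet so the Unity client installs a full tunnel and applies the pushed DNS servers, and the attr plugin's split-exclude keeps the typical hotspot LAN outside the tunnel. The conn name, the rightsourceip pool, the IKE/ESP proposals and the authentication lines are placeholders assumed for illustration; the DNS addresses and the 192.168.0.0/16 exclusion are the ones from the thread. The option name is split-exclude with a hyphen, matching the split-include key already used in the quoted strongswan.conf.

```conf
# ---- strongswan.conf (added example, placeholder values) ----
charon {
    # Unity extensions are an IKEv1 feature; iOS's built-in "Cisco IPsec"
    # client needs them to receive split-exclude and DNS attributes.
    cisco_unity = yes

    plugins {
        attr {
            # DNS servers pushed via mode config (comma-separated list).
            # Equivalent to the older charon.dns1 / charon.dns2 keys.
            dns = 10.99.17.4, 10.99.18.4

            # No split-include: with leftsubnet=0.0.0.0/0 below, iOS gets a
            # full tunnel and actually uses the pushed resolvers.
            # Exclude the usual home/hotspot LAN range so local printers
            # and the hotspot gateway stay reachable outside the tunnel.
            split-exclude = 192.168.0.0/16
        }
    }
}

# ---- ipsec.conf (added example, placeholder values) ----
conn ios-unity
    keyexchange=ikev1             # Unity attributes only exist in IKEv1
    leftsubnet=0.0.0.0/0          # full tunnel instead of 10.99.0.0/16
    rightsourceip=10.99.100.0/24  # virtual IP pool for the clients (assumed)
    # authentication (certificates / xauth) as in the existing conn
    auto=add
```

To confirm whether the client's DNS queries really enter the tunnel, run `tcpdump -ni any udp port 53` on the gateway while resolving foo.bar.com from the phone: queries should now appear with a source address from the virtual IP pool and be answered by 10.99.17.4 or 10.99.18.4. If the split-include variant is kept for other clients, note that 192.168.0.0/16 must not overlap the private 10.99.0.0/16 network, otherwise the exclusion would also cut off the DNS servers.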