[strongSwan] StrongSwan Mac OS X app questions

Ken Nelson ken at cazena.com
Thu Mar 19 21:27:26 CET 2015


Thanks to Martin & Fred for your responses.  I’m still having tunnel DNS server configuration trouble on the Mac client.

Configuration is strongSwan OS X app version 5.2.2 (1) on OS X Yosemite v10.10.2 connecting to a StrongSwan version 5.2.2 gateway on CentOS 6.6.

Here is the scutil output.  It looks like this both before and after the StrongSwan Mac app creates the tunnel.

$ sudo scutil --dns
DNS configuration

resolver #1
  nameserver[0] : 72.250.183.10
  nameserver[1] : 72.250.183.20
  nameserver[2] : 10.100.36.2
  nameserver[3] : 8.8.8.8
  nameserver[4] : 8.8.4.4
  flags    : Request A records
  reach    : Reachable

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 72.250.183.10
  nameserver[1] : 72.250.183.20
  nameserver[2] : 10.100.36.2
  nameserver[3] : 8.8.8.8
  nameserver[4] : 8.8.4.4
  if_index : 4 (en3)
  flags    : Scoped, Request A records
  reach    : Reachable


Here’s a part of the StrongSwan Mac app log, showing the installation of the DNS server.  The displayed address is the configured one on the VPN gateway.

scheduling rekeying in 35565s
maximum IKE_SA lifetime 36165s
handling UNITY_SPLIT_INCLUDE attribute failed
handling UNITY_LOCAL_LAN attribute failed
installing 10.8.65.164 as DNS server
handling UNITY_DEF_DOMAIN attribute failed
installing 10.8.65.164 as DNS server
installing new virtual IP 10.255.252.1
created TUN device: utun1


I don’t know that much about OS X DNS, other than it is not the /etc/resolv.conf flat file.

What can I do to get more visibility into root cause?



On Mar 16, 2015, at 3:18 AM, Fred <curious_freddy at gmsl.co.uk> wrote:

On 16/03/2015 08:23, Martin Willi wrote:
Ken,

Are there any issues with DNS & StrongSwan Mac OS X app?

The osx-attr plugin prepends the negotiated DNS servers to the currently
configured ones. You may check with scutil if that works as expected.

Not sure if keeping the current DNS servers installed is the best
approach, maybe we should remove the previous servers. But we currently
just add them to have them as a fallback.

In my case the local DNS server was being used instead of the DNS servers added by strongSwan. I could clearly see them added in both the strongSwan logfile and also in the output of scutil --dns.

If I deleted them all and then added just the ones via the VPN, it all worked fine.

Personally I think removing the previous servers would be better. This problem did go away in Yosemite so maybe it was a bug in previous versions of Mac OS X or odd expected behaviour.
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
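As an added check, not part of this thread or of the strongSwan project: Martin's note says osx-attr should prepend the negotiated server to the unscoped resolver, and Ken's scutil output shows it absent. The script below parses `scutil --dns` output and classifies the unscoped resolver as "prepended", "present" (but not first) or "missing" for a given VPN DNS server; the samples are constructed, abbreviated from the output quoted above, and 10.8.65.164 is the server from Ken's log.

```python
import re
# Constructed sample abbreviated from Ken's `scutil --dns` output: the VPN server
# 10.8.65.164 never appears, before or after the tunnel comes up.
SCUTIL_BROKEN = """\
DNS configuration

resolver #1
  nameserver[0] : 72.250.183.10
  nameserver[1] : 8.8.8.8
  flags    : Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 72.250.183.10
  if_index : 4 (en3)
  flags    : Scoped, Request A records
"""
# Constructed sample of what a successful osx-attr prepend should look like:
# the VPN server is first in the unscoped resolver, old servers kept as fallback.
SCUTIL_OK = SCUTIL_BROKEN.replace(
    "resolver #1\n  nameserver[0] : 72.250.183.10\n  nameserver[1] : 8.8.8.8",
    "resolver #1\n  nameserver[0] : 10.8.65.164\n  nameserver[1] : 72.250.183.10\n  nameserver[2] : 8.8.8.8",
    1)
def parse_scutil_dns(text):
    """Return a list of resolvers: {'scoped': bool, 'nameservers': [...], 'interface': str|None}."""
    resolvers, scoped, cur = [], False, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            scoped = "scoped" in line          # second section lists scoped resolvers
        elif line.startswith("resolver #"):
            cur = {"scoped": scoped, "nameservers": [], "interface": None}
            resolvers.append(cur)
        elif cur is not None:
            m = re.match(r"\s*nameserver\[\d+\]\s*:\s*(\S+)", line)
            if m:
                cur["nameservers"].append(m.group(1))   # keep scutil's order
            m = re.match(r"\s*if_index\s*:\s*\d+\s*\((\S+)\)", line)
            if m:
                cur["interface"] = m.group(1)
    return resolvers
def check_vpn_dns(text, vpn_dns):
    """Classify the unscoped resolver: 'prepended', 'present' (not first) or 'missing'."""
    unscoped = [r for r in parse_scutil_dns(text) if not r["scoped"]]
    servers = unscoped[0]["nameservers"] if unscoped else []
    if servers and servers[0] == vpn_dns:
        return "prepended"
    return "present" if vpn_dns in servers else "missing"
```

Feeding the real `sudo scutil --dns` output in before and after the app brings the tunnel up shows whether the plugin's "installing ... as DNS server" line actually reached the system resolver.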



More information about the Users mailing list