[strongSwan] StrongSwan Mac OS X app & DNS

Martin Willi martin at strongswan.org
Tue Mar 24 14:49:40 CET 2015


Hi Ken,

> Not sure if keeping the current DNS servers installed is the best
> approach, maybe we should remove the previous servers. But we
> currently just add them to have them as a fallback.

I've pushed a new build [1] based on 5.3.0-rc1 that, instead of appending
the servers to the list, replaces the default servers and also
restores them. This probably gives a somewhat more predictable behavior,
but of course disables any fallback for DNS queries.

Unfortunately, that does not seem to resolve all issues. Some
applications (Google Chrome) resolve DNS names just fine over the
configured servers, others (Safari) don't use them. Not sure how we can
trick all applications to use these servers.

/etc/resolv.conf, by the way, does not seem to get updated at all
anymore. The file has been touched the last time Oct 17th, which exactly
correlates to the time Yosemite has been installed. Most likely all C
library calls rely on System Configuration these days?

> Out of curiosity, why is the DNS server added to the PrimaryService
> store State:/Network/Service/97E8D482-1E2D-4743-B18D-FCA53A7151A7/DNS
> instead of State:/Network/Global/DNS

AFAICS, DNS servers get configured on the interface (service), and if
that is active get propagated to the global configuration. 

> where the System Preferences->Network configured servers are stored?

To me it more looks like you configure DNS servers for each interface.
The servers of the active/primary interface then get used.

While we install a utun device to forward traffic over libipsec, that
interface does not have a "service" in the sense of System
Configuration. We therefore assign DNS servers to the primary service,
which is for your physical interface. Possible that this doesn't work
that well anymore...

> Also, is there any way to associate a search domain with the DNS server
> sent by the VPN gateway?

No. IKEv2 actually does not support negotiating search domains for DNS
servers, and a manual/local configuration is currently not implemented.

> I would like to use EAP-GTC authentication with the Mac app and would
> be willing to modify the app to add this feature.

The new build additionally comes with the eap-gtc plugin.

Regards
Martin

[1] http://download.strongswan.org/osx/strongswan-5.3.0-1.app.zip
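The discussion above turns on where the VPN's DNS servers end up in the System Configuration dynamic store (the primary service's `DNS` entry versus `State:/Network/Global/DNS`). The script below is an added example, not code from the post or from strongSwan: it reads both entries through `scutil`, parses out the primary service id and the server lists, and reports whether the global resolvers match what was assigned to the primary service, which is how a user would check that the pushed resolvers took effect rather than the LAN resolvers remaining in use. The parsing functions take the scutil text as input so they can be exercised offline on the constructed sample at the end; the sample's dictionary layout is an assumption about scutil's dump format, and the addresses are constructed (the UUID is the one quoted in the thread).

```shell
#!/bin/sh
# Added example (not from the strongSwan list post): inspect the DNS
# configuration through the SystemConfiguration dynamic store (scutil)
# and compare the primary service's DNS entry with the global one.

# Extract the PrimaryService UUID from the text of
# "show State:/Network/Global/IPv4" ("key : value" lines, as scutil
# prints dictionary entries).
primary_service_id() {
    printf '%s\n' "$1" | awk '$1 == "PrimaryService" { print $3 }'
}

# Extract the server addresses (space separated, in order) from the text
# of "show State:/Network/Service/<id>/DNS" or "show State:/Network/Global/DNS".
# Servers appear as "  0 : 192.0.2.53" lines inside the ServerAddresses array.
dns_servers() {
    printf '%s\n' "$1" | awk '
        /ServerAddresses : <array>/ { inarr = 1; next }
        inarr && /^ *}/            { inarr = 0 }
        inarr && $2 == ":"         { printf "%s%s", sep, $3; sep = " " }
        END { print "" }'
}

# Returns 0 when two server lists are identical, 1 otherwise.
same_servers() {
    [ "$1" = "$2" ]
}

# Live check: only meaningful on macOS, where scutil exists. Prints the
# primary service id, its DNS servers and the global DNS servers so the
# user can verify whether the VPN-assigned resolvers propagated.
check_live() {
    command -v scutil >/dev/null 2>&1 || { echo "scutil not available"; return 2; }
    ipv4=$(echo "show State:/Network/Global/IPv4" | scutil)
    svc=$(primary_service_id "$ipv4")
    svcdns=$(dns_servers "$(echo "show State:/Network/Service/$svc/DNS" | scutil)")
    globdns=$(dns_servers "$(echo "show State:/Network/Global/DNS" | scutil)")
    echo "primary service: $svc"
    echo "service DNS:     $svcdns"
    echo "global DNS:      $globdns"
    if same_servers "$svcdns" "$globdns"; then
        echo "global DNS matches the primary service"
    else
        echo "global DNS differs from the primary service"
    fi
}

# Constructed sample output in scutil's dictionary layout (assumed format,
# not captured from a real machine; addresses are documentation ranges).
SAMPLE_IPV4='<dictionary> {
  PrimaryInterface : en0
  PrimaryService : 97E8D482-1E2D-4743-B18D-FCA53A7151A7
  Router : 192.0.2.1
}'
SAMPLE_DNS='<dictionary> {
  DomainName : example.net
  ServerAddresses : <array> {
    0 : 192.0.2.53
    1 : 192.0.2.54
  }
}'

# Usage: sh dnscheck.sh --live   (on macOS, while the VPN is up)
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Running it with `--live` while connected shows immediately whether the servers assigned to the primary service were propagated to the global configuration; a mismatch means applications that consult the global entry are still using the pre-VPN resolvers.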
