[strongSwan] StrongSwan Mac OS X app & DNS

Ken Nelson ken at cazena.com
Tue Mar 24 18:39:13 CET 2015


Deleted Mac app v5.2.2 (1) and installed the v5.3.0 (1) Mac app but could not get EAP-GTC to work.  It did prompt to install a new helper and that was done.

The VPN gateway has a working configuration for the Mac app v5.2.2 (1) using EAP-MD5.  To test Mac app v5.3.0 (1), a single modification was made to the VPN gateway configuration, replacing the line:

rightauth=eap-md5

with

rightauth=eap-gtc


Mac app log file snippet, just after the VPN gateway’s certificate was validated:

server requested EAP_IDENTITY (id 0x00), sending 'test'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)
received packet: from a.b.c.d[4500] to 10.0.1.205[64405] (92 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]
server requested EAP_GTC authentication (id 0xD6)
EAP method not supported, sending EAP_NAK
generating IKE_AUTH request 3 [ EAP/RES/NAK ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)
received packet: from a.b.c.d[4500] to 10.0.1.205[64405] (76 bytes)
parsed IKE_AUTH response 3 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)


Is the root cause the line:

EAP method not supported, sending EAP_NAK

???

I reverted the gateway configuration to specify eap-md5 and the v5.3.0 Mac app created a working connection.



> On Mar 24, 2015, at 7:49 AM, Martin Willi <martin at strongswan.org> wrote:
> 
> Hi Ken,
> 
>> Not sure if keeping the current DNS servers installed is the best
>> approach, maybe we should remove the previous servers. But we
>> currently just add them to have them as a fallback.
> 
> I've pushed a new build [1] based on 5.3.0-rc1 that instead of appending
> the servers to the list, it replaces the default servers and also
> restores them. This probably gives a somewhat more predictable behavior,
> but of course disables any fallback for DNS queries.
> 
> Unfortunately, that does not seem to resolve all issues. Some
> applications (Google Chrome) resolve DNS names just fine over the
> configured servers, others (Safari) don't use them. Not sure how we can
> trick all applications to use these servers.
> 
> /etc/resolv.conf, by the way, does not seem to get updated at all
> anymore. The file has been touched the last time Oct 17th, which exactly
> correlates to the time Yosemite has been installed. Most likely all C
> library calls rely on System Configuration these days?
> 
>> Out of curiosity, why is the DNS server added to the PrimaryService
>> store State:/Network/Service/97E8D482-1E2D-4743-B18D-FCA53A7151A7/DNS
>> instead of State:/Network/Global/DNS
> 
> AFAICS, DNS servers get configured on the interface (service), and if
> that is active get propagated to the global configuration. 
> 
>> where the System Preferences->Network configured servers are stored?
> 
> To me it more looks like you configure DNS servers for each interface.
> The servers of the active/primary interface then get used.
> 
> While we install an utun device to forward traffic over libipsec, that
> interface does not have a "service" in the sense of System
> Configuration. We therefore assign DNS servers to the primary service,
> which is for your physical interface. Possible that this doesn't work
> that well anymore...
> 
>> Also, is there any way to associate a search domain with the DNS server
>> sent by the VPN gateway?
> 
> No. IKEv2 does actually not support negotiating search domains for DNS
> servers, and a manual/local configuration is currently not implemented.
> 
>> I would like to use EAP-GTC authentication with the Mac app and would
>> be willing to modify the app to add this feature.
> 
> The new build additionally comes with the eap-gtc plugin.
> 
> Regards
> Martin
> 
> [1]http://download.strongswan.org/osx/strongswan-5.3.0-1.app.zip
> 
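As an added example, not code from this thread or from the strongSwan project: a small Python script that walks the client-side charon log excerpt quoted above and answers the "is this the root cause?" question mechanically. It tracks which EAP methods the server proposed (with their EAP identifiers), notes when the client answered a proposal with EAP_NAK because the method is not available, and reports how the exchange ended. The log lines it recognises are the ones quoted in the post; the "EAP method ... succeeded" line in the second, constructed sample is an assumed approximation of a successful run and is not taken from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Client-side charon log excerpt copied from the post above (EAP-GTC case).
LOG_GTC = """\
server requested EAP_IDENTITY (id 0x00), sending 'test'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)
received packet: from a.b.c.d[4500] to 10.0.1.205[64405] (92 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]
server requested EAP_GTC authentication (id 0xD6)
EAP method not supported, sending EAP_NAK
generating IKE_AUTH request 3 [ EAP/RES/NAK ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)
received packet: from a.b.c.d[4500] to 10.0.1.205[64405] (76 bytes)
parsed IKE_AUTH response 3 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
"""

# Constructed sample (assumed wording, not from the thread): the same start,
# but the server proposes EAP-MD5 and the client completes it.
LOG_MD5 = """\
server requested EAP_IDENTITY (id 0x00), sending 'test'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
server requested EAP_MD5 authentication (id 0x1A)
generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
EAP method EAP_MD5 succeeded, no MSK established
"""

# "server requested EAP_IDENTITY (id 0x00)" and
# "server requested EAP_GTC authentication (id 0xD6)" both match here.
REQ_RE = re.compile(
    r"server requested EAP_(\w+?)(?: authentication)? \(id 0x([0-9A-Fa-f]{2})\)"
)

Event = Tuple[str, Optional[str], Optional[int]]


def parse_eap_events(log: str) -> List[Event]:
    """Reduce the log to the EAP-level events that matter for diagnosis."""
    events: List[Event] = []
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if m:
            events.append(("request", m.group(1), int(m.group(2), 16)))
        elif "sending EAP_NAK" in line:
            # Client rejected the method proposed in the preceding request.
            events.append(("nak", None, None))
        elif "received EAP_FAILURE" in line:
            events.append(("failure", None, None))
        elif re.search(r"EAP method EAP_\w+ succeeded", line):
            events.append(("success", None, None))
    return events


def diagnose(log: str) -> Dict[str, object]:
    """Return which methods the server proposed, which one (if any) the client
    NAK'd as unsupported, and how the EAP exchange ended."""
    requested: List[Tuple[str, int]] = []
    unsupported: Optional[Tuple[str, int]] = None
    outcome = "incomplete"
    for kind, method, ident in parse_eap_events(log):
        if kind == "request":
            requested.append((method, ident))
        elif kind == "nak" and requested:
            # A NAK is the client's answer to the most recent method request.
            unsupported = requested[-1]
        elif kind == "failure":
            outcome = "failed"
        elif kind == "success":
            outcome = "succeeded"
    return {"requested": requested, "unsupported": unsupported, "outcome": outcome}


def explain(log: str) -> str:
    """One-line verdict suitable for a troubleshooting note."""
    d = diagnose(log)
    if d["unsupported"] is not None:
        method, ident = d["unsupported"]
        return (f"client has no EAP-{method} method (request id 0x{ident:02X}), "
                f"sent EAP_NAK; exchange {d['outcome']}")
    return f"no EAP_NAK seen; exchange {d['outcome']}"


if __name__ == "__main__":
    print(explain(LOG_GTC))
    print(explain(LOG_MD5))
```

Run against the posted excerpt, the verdict is that the client replied to the EAP-GTC request (id 0xD6) with EAP_NAK because it has no GTC method, after which the server sent EAP_FAILURE; the NAK line is therefore the decisive one, and the EAP_FAILURE and AUTH_FAILED that follow are consequences of it.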


