[strongSwan] Splitting DNS: assigning DNS with iPhone on either ikev1/ikev2 fails

Vinh Nguyen vinh at noty.im
Fri Oct 2 00:22:45 CEST 2015


Hi all,

I'm having a hard time configuring split DNS for iOS. The configuration works for all clients: the Mac OS X built-in client using ikev1, and Android works too.

On iOS 9.02, it seems like the iOS VPN client doesn't set the DNS, because I can see strongSwan pushing DNS in the log.

Split tunneling does work. I can use private IPs totally fine. But it's just that the iPhone client doesn't set the VPN correctly.

I have this configuration in ipsec.conf:

```
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    cachecrls=yes
    uniqueids=yes

    plutostart=yes
    nat_traversal=yes

    # Debug, remove later
    charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"

conn ikev1
    dpdaction=clear
    dpddelay=15s
    dpdtimeout=45s
    keyexchange=ikev1
    # This is for authentication in ipsec.secrets
    #authby=xauthpsk
    #xauth=server
    left=%defaultroute
    # We want split tunneling
    #leftsubnet=0.0.0.0/0
    leftsubnet=192.168.44.1/24
    leftfirewall=yes
    right=%any
    #rightsubnet=192.168.44.0/24
    rightsourceip=192.168.40.0/24
    # We push DNS for split DNS via the charon attr plugin
    rightdns=x.x.x.x
    auto=add
    forceencaps=yes
    # We are using xauth-pam for two factor authentication
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-pam
    # Make a connection valid for a maximum of 4 hours
    lifetime=4h

conn iosikev2
    dpdaction=clear
    dpddelay=15s
    dpdtimeout=45s
    keyexchange=ikev2
    # This is for authentication in ipsec.secrets
    #authby=xauthpsk
    #xauth=server
    left=%defaultroute
    # We want split tunneling
    #leftsubnet=0.0.0.0/0
    leftsubnet=192.168.44.1/24
    leftfirewall=yes
    leftid=x.x.x.x
    esp=aes128-sha1,3des-sha1,3des-sha2_256

    right=%any
    #rightsubnet=192.168.44.0/24
    rightsourceip=192.168.40.0/24
    # We push DNS for split DNS via the charon attr plugin
    rightdns=192.168.44.1
    auto=add
    forceencaps=yes
    # We are using xauth-pam for two factor authentication
    leftauth=psk
    # rightauth = secret works
    rightauth=secret
    #rightauth=xauth
    #rightauth=eap-gtc
    #rightauth2=xauth-pam
    # Make a connection valid for a maximum of 4 hours
    lifetime=4h
    rekey=no
    ikelifetime=10800s
    rekeyfuzz=100%
    pfs=no
```

And the charon attr section:

```
attr {

    # <attr> is an attribute name or an integer, values can be an IP address,
    # subnet or arbitrary value.
    # <attr> =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
    split-include = 192.168.44.0/24
    split-exclude = 0.0.0.0/0

    28672 = "Connected to VPN"
    28675 = domain_prefix

    dns = x.x.x.x,x.x.x.x
}
```


ikev1 works great on Mac OS X and Android. On iOS 9 with ikev1, `28672 = "Connected to VPN"` worked too, because after connecting successfully I saw the message. However, the DNS of `28675` isn't working.



I tried to tweak lots of settings from these pages. Tried both ikev1 and ikev2.
https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers
https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers
https://wiki.strongswan.org/issues/317
https://wiki.strongswan.org/issues/261

But so far no luck...

The fact that it works on Mac OS X and Android (split tunneling + split DNS) makes me think that the issue is on the iOS client.

When connecting, I saw this log:

```
04[IKE] peer requested virtual IP %any
04[CFG] assigning new lease to 'vinh'
04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
04[IKE] peer requested virtual IP %any6
04[IKE] no virtual IP found for %any6 requested by 'vinh'
04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32
04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
```

That makes me think strongSwan does push the instruction to set DNS.

Has anyone ever got split DNS working on iOS? If so, can you let me reference your configuration?
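As an added example (not part of the original post or strongSwan itself), here is a small checker that parses the charon `IKE_AUTH response` line above to confirm which configuration-payload attributes the server actually sent, and decodes the numeric Unity attribute keys from the attr section so the `28672`/`28675` entries can be read as banner and split-DNS domain. The sample log and attr fragment are constructed from the post; the Unity attribute numbering table is an assumption based on strongSwan's attr plugin and covers only the attributes used here.

```python
import re
from collections import Counter

# Constructed sample log, copied from the charon output quoted in the post above.
SAMPLE_LOG = """\
04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
"""

# Constructed sample of the attr section from the post (only numeric keys are decoded).
SAMPLE_ATTR_CONF = """\
attr {
    load = yes
    28672 = "Connected to VPN"
    28675 = domain_prefix
}
"""

# Cisco Unity private configuration attribute numbers (assumed mapping, as used
# by strongSwan's attr plugin); anything not listed is reported as UNKNOWN.
UNITY_ATTRS = {28672: "UNITY_BANNER", 28674: "UNITY_DEF_DOMAIN",
               28675: "UNITY_SPLITDNS_NAME", 28676: "UNITY_SPLIT_INCLUDE"}

# Matches the CPRP(...) / CPRQ(...) token charon prints for a config payload.
CP_RE = re.compile(r"\bCP(?:RP|RQ)\(([^)]*)\)")

def parse_cp_payload(line):
    """Return the attribute names inside a CPRP(...)/CPRQ(...) token, or None if absent."""
    m = CP_RE.search(line)
    return m.group(1).split() if m else None

def check_dns_push(log_text):
    """Find the IKE_AUTH response and report which DNS-related attributes were pushed."""
    for line in log_text.splitlines():
        if "IKE_AUTH response" not in line:
            continue
        counts = Counter(parse_cp_payload(line) or [])
        return {"dns_servers": counts["DNS"],             # one DNS attr per pushed server
                "split_dns": "U_SPLITDNS" in counts,      # Unity split-DNS domain attr
                "split_include": "U_SPLITINC" in counts,  # Unity split-include network attr
                "banner": "U_BANNER" in counts}
    return None  # no IKE_AUTH response in the log at all

def decode_attr_numbers(attr_conf):
    """Map numeric keys of an attr section to (Unity attribute name, value)."""
    return {int(n): (UNITY_ATTRS.get(int(n), "UNKNOWN"), v.strip('"'))
            for n, v in re.findall(r"^\s*(\d+)\s*=\s*(.+?)\s*$", attr_conf, re.M)}

if __name__ == "__main__":
    print(check_dns_push(SAMPLE_LOG))
    print(decode_attr_numbers(SAMPLE_ATTR_CONF))
```

On the quoted line the checker counts three DNS attributes (the `rightdns` entry plus the two from `attr { dns = ... }`) together with `U_SPLITDNS` and `U_SPLITINC`, which is what the server-side log shows being sent; whether the client applies them is not visible from this log.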


