[strongSwan] Splitting DNS, assigning DNS with iPhone on either IKEv1/IKEv2 fails

Roger Skjetlein rskjetlein at netrunner.nu
Thu Oct 15 14:42:16 CEST 2015


I'm connecting both iOS 9 and OS X 10.11 and experience the same problem.

The DNS settings are pushed to the client and can be viewed by running
'scutil --dns'. However, the clients never use the DNS server assigned, and
I even have the same problem when manually configuring DNS servers in the
IKEv2 VPN settings on the client.



On Fri, Oct 2, 2015 at 12:22 AM, Vinh Nguyen <vinh at noty.im> wrote:

> Hi all,
>
> I'm having a hard time configuring split DNS for iOS. The configuration
> works for all other clients: the Mac OS X built-in client using IKEv1, and
> Android works too.
>
> On iOS 9.02, it seems like the iOS VPN client doesn't set the DNS, because I
> can see strongSwan is pushing DNS in the log.
>
> Split tunneling does work. I can use private IPs totally fine. But it's
> just that the iPhone client doesn't set the VPN correctly.
>
> I have this configuration in ipsec.conf
>
> config setup
>   # strictcrlpolicy=yes
>   # uniqueids = no
>     cachecrls=yes
>     uniqueids=yes
>
>     plutostart=yes
>     nat_traversal=yes
>
>     # Debug remove later
>     charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4,chd 4"
>
> conn ikev1
>     dpdaction=clear
>     dpddelay=15s
>     dpdtimeout=45s
>     keyexchange=ikev1
>     #This is for authentication in ipsec.secret
>     #authby=xauthpsk
>     #xauth=server
>     left=%defaultroute
>     #We want split tunneling
>     #leftsubnet=0.0.0.0/0
>     leftsubnet=192.168.44.1/24
>     leftfirewall=yes
>     right=%any
>     #rightsubnet=192.168.44.0/24
>     rightsourceip=192.168.40.0/24
>     #We push DNS for split DNS via charon attr plugin
>     rightdns=x.x.x.x
>     auto=add
>     forceencaps=yes
>     # We are using xauth-pam for two factor authentication
>     leftauth=psk
>     rightauth=psk
>     rightauth2=xauth-pam
>     #Make a connection valid for a maximum of 4 hours
>     lifetime=4h
>
> conn iosikev2
>     dpdaction=clear
>     dpddelay=15s
>     dpdtimeout=45s
>     keyexchange=ikev2
>     #This is for authentication in ipsec.secret
>     #authby=xauthpsk
>     #xauth=server
>     left=%defaultroute
>     #We want split tunneling
>     #leftsubnet=0.0.0.0/0
>     leftsubnet=192.168.44.1/24
>     leftfirewall=yes
>     leftid=x.x.x.x
>     esp=aes128-sha1,3des-sha1,3des-sha2_256
>
>
>     right=%any
>     #rightsubnet=192.168.44.0/24
>     rightsourceip=192.168.40.0/24
>     #We push DNS for split DNS via charon attr plugin
>     rightdns=192.168.44.1
>     auto=add
>     forceencaps=yes
>     # We are using xauth-pam for two factor authentication
>     leftauth=psk
>     # rightauth = secret works
>     rightauth=secret
>     #rightauth=xauth
>
>     #rightauth=eap-gtc
>     #rightauth2=xauth-pam
>     #Make a connection valid for a maximum of 4 hours
>     lifetime=4h
>     rekey=no
>     ikelifetime=10800s
>     rekeyfuzz=100%
>     pfs=no
>
> And charon attr
>
> attr {
>
>     # <attr> is an attribute name or an integer, values can be an IP address,
>     # subnet or arbitrary value.
>     # <attr> =
>
>     # Whether to load the plugin. Can also be an integer to increase the
>     # priority of this plugin.
>     load = yes
>     split-include=192.168.44.0/24
>     split-exclude=0.0.0.0/0
>
>     28672 = "Connected to VPN"
>     28675 = domain_prefix
>
>     dns = x.x.x.x,x.x.x.x
> }
>
>
> IKEv1 works great on Mac OS X and Android. On iOS 9 with IKEv1, `28672 =
> "Connected to VPN"` worked too, because after connecting successfully I saw
> the message. However, the DNS of `28675` isn't working.
>
>
>
> I tried to tweak lots of settings from these pages. Tried to use both
> IKEv1 and IKEv2.
>
> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers
> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers
> https://wiki.strongswan.org/issues/317
> https://wiki.strongswan.org/issues/261
>
> But so far no luck...
>
> The fact that it works on Mac OS X and Android (split tunneling + split DNS)
> makes me think that the issue is on the iOS client.
>
> When connecting, I saw this log
>
> ```
> 04[IKE] peer requested virtual IP %any
> 04[CFG] assigning new lease to 'vinh'
> 04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
> 04[IKE] peer requested virtual IP %any6
> 04[IKE] no virtual IP found for %any6 requested by 'vinh'
> 04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32
> 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> 04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
> ```
>
> That makes me think strongSwan does push the instruction to set DNS.
>
> Has anyone ever got split DNS to work on iOS? If so, could you let me see
> your configuration for reference?
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>



-- 
"Over the high plateau flies the reindeer;
after it, through wind and wet!
Better that than breaking the stone
up from the poor soil down there!"
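A quick way to check what the server actually pushed before blaming the client, as an added example that is not part of this thread: the script below parses the charon log excerpt quoted above (the IKE_AUTH CP reply attribute list, the negotiated traffic selectors and the assigned virtual IP) and verifies that a DNS attribute and UNITY_SPLITDNS were sent, and that every configured `rightdns` server lies inside the tunnelled (server-side) traffic selector. The latter is the usual split-tunnel failure mode: a resolver outside the pushed subnets is reached via the default route, not the tunnel. The log text is constructed from the quoted mail with the wrapped lines rejoined; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the charon log lines quoted in the original mail, with
# the e-mail line wrapping undone so each event is on one line.
CHARON_LOG = """\
04[IKE] peer requested virtual IP %any
04[CFG] assigning new lease to 'vinh'
04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
04[IKE] peer requested virtual IP %any6
04[IKE] no virtual IP found for %any6 requested by 'vinh'
04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32
04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
"""

VIP_RE = re.compile(r"assigning virtual IP (\S+) to peer")
TS_RE = re.compile(r"TS (\S+) === (\S+)")          # responder logs local === remote
CP_RE = re.compile(r"CPRP\(([^)]*)\)")             # configuration payload reply


def parse_charon_log(text):
    """Pull the virtual IP, traffic selectors and CP reply attributes out of charon output."""
    info = {"virtual_ip": None, "local_ts": [], "remote_ts": [], "cp_attrs": []}
    for line in text.splitlines():
        m = VIP_RE.search(line)
        if m:
            info["virtual_ip"] = ipaddress.ip_address(m.group(1))
        m = TS_RE.search(line)
        if m:
            # strict=False normalises host-bit forms such as 192.168.44.1/24
            info["local_ts"].append(ipaddress.ip_network(m.group(1), strict=False))
            info["remote_ts"].append(ipaddress.ip_network(m.group(2), strict=False))
        m = CP_RE.search(line)
        if m:
            info["cp_attrs"] = m.group(1).split()
    return info


def check_split_dns(info, dns_servers):
    """Return a list of findings; an empty list means the server side looks consistent."""
    findings = []
    attrs = info["cp_attrs"]
    if "DNS" not in attrs:
        findings.append("no DNS attribute in CP reply: server pushed no resolver")
    if "U_SPLITDNS" not in attrs:
        findings.append("no U_SPLITDNS (attr 28675) in CP reply: client gets no domain to scope the resolver to")
    for srv in dns_servers:
        ip = ipaddress.ip_address(srv)
        if not any(ip in net for net in info["local_ts"]):
            findings.append(
                f"DNS server {srv} is outside the tunnelled networks "
                f"{[str(n) for n in info['local_ts']]}: queries will bypass the tunnel"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_charon_log(CHARON_LOG)
    print("virtual IP:", parsed["virtual_ip"])
    print("CP attributes:", parsed["cp_attrs"])
    # rightdns from the iosikev2 conn in the quoted ipsec.conf
    for f in check_split_dns(parsed, ["192.168.44.1"]) or ["no server-side findings"]:
        print("-", f)
```

With the quoted configuration the check comes back clean (192.168.44.1 sits inside the 192.168.44.0/24 traffic selector and all three DNS attributes plus U_SPLITDNS are present), which supports the original poster's reading that the push is fine and the remaining question is how the iOS client applies it; 'scutil --dns' on the client is the place to look next.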