[strongSwan] Splitting DNS, assigning DNS with iPhone on either IKEv1/IKEv2 fails

Марк Коренберг socketpair at gmail.com
Thu Oct 15 18:45:31 CEST 2015


I experience the same problem. Moreover, even plain rightdns=... does not
work, never mind splitdns...

Also, it seems that splitdns (as a Cisco Unity extension) works only with
IKEv1. I have no proof of that.

2015-10-15 17:42 GMT+05:00 Roger Skjetlein <rskjetlein at netrunner.nu>:

> I'm connecting with both iOS 9 and OS X 10.11 and experience the same problem.
>
> The DNS settings are pushed to the client and can be viewed by running
> 'scutil --dns'. However, the client never uses the assigned DNS server, and
> I even have the same problem when manually configuring DNS servers in the
> IKEv2 VPN settings on the client.
>
>
>
> On Fri, Oct 2, 2015 at 12:22 AM, Vinh Nguyen <vinh at noty.im> wrote:
>
>> Hi all,
>>
>> I'm having a hard time configuring split DNS for iOS. The configuration
>> works for all clients: the Mac OS X built-in client using IKEv1, and Android
>> works too.
>>
>> On iOS 9.02, it seems the iOS VPN client doesn't set the DNS, because I
>> can see in the log that strongSwan is pushing DNS.
>>
>> Split tunneling does work. I can use private IPs totally fine. It's
>> just that the iPhone client doesn't set the VPN correctly.
>>
>> I have this configuration in ipsec.conf
>>
>> config setup
>>   # strictcrlpolicy=yes
>>   # uniqueids = no
>>     cachecrls=yes
>>     uniqueids=yes
>>
>>     plutostart=yes
>>     nat_traversal=yes
>>
>>     # Debug remove later
>>     charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4,chd 4"
>>
>> conn ikev1
>>     dpdaction=clear
>>     dpddelay=15s
>>     dpdtimeout=45s
>>     keyexchange=ikev1
>>     #This is for authentication in ipsec.secret
>>     #authby=xauthpsk
>>     #xauth=server
>>     left=%defaultroute
>>     #We want split tunneling
>>     #leftsubnet=0.0.0.0/0
>>     leftsubnet=192.168.44.1/24
>>     leftfirewall=yes
>>     right=%any
>>     #rightsubnet=192.168.44.0/24
>>     rightsourceip=192.168.40.0/24
>>     #We push DNS for split DNS via charon attr plugin
>>     rightdns=x.x.x.x
>>     auto=add
>>     forceencaps=yes
>>     # We are using xauth-pam for two factor authentication
>>     leftauth=psk
>>     rightauth=psk
>>     rightauth2=xauth-pam
>>     #Make a connection valid for maximum 4 hours
>>     lifetime=4h
>>
>> conn iosikev2
>>     dpdaction=clear
>>     dpddelay=15s
>>     dpdtimeout=45s
>>     keyexchange=ikev2
>>     #This is for authentication in ipsec.secret
>>     #authby=xauthpsk
>>     #xauth=server
>>     left=%defaultroute
>>     #We want split tunneling
>>     #leftsubnet=0.0.0.0/0
>>     leftsubnet=192.168.44.1/24
>>     leftfirewall=yes
>>     leftid=x.x.x.x
>>     esp=aes128-sha1,3des-sha1,3des-sha2_256
>>
>>
>>     right=%any
>>     #rightsubnet=192.168.44.0/24
>>     rightsourceip=192.168.40.0/24
>>     #We push DNS for split DNS via charon attr plugin
>>     rightdns=192.168.44.1
>>     auto=add
>>     forceencaps=yes
>>     # We are using xauth-pam for two factor authentication
>>     leftauth=psk
>>     # rightauth = secret works
>>     rightauth=secret
>>     #rightauth=xauth
>>
>>     #rightauth=eap-gtc
>>     #rightauth2=xauth-pam
>>     #Make a connection valid for maximum 4 hours
>>     lifetime=4h
>>     rekey=no
>>     ikelifetime=10800s
>>     rekeyfuzz=100%
>>     pfs=no
>>
>> And charon attr
>>
>> attr {
>>
>>     # <attr> is an attribute name or an integer, values can be an IP address,
>>     # subnet or arbitrary value.
>>     # <attr> =
>>
>>     # Whether to load the plugin. Can also be an integer to increase the
>>     # priority of this plugin.
>>     load = yes
>>     split-include=192.168.44.0/24
>>     split-exclude=0.0.0.0/0
>>
>>     28672 = "Connected to VPN"
>>     28675 = domain_prefix
>>
>>     dns = x.x.x.x,x.x.x.x
>> }
>>
>>
>> IKEv1 works great on Mac OS X and Android. On iOS 9, with IKEv1,
>> `28672 = "Connected to VPN"` worked too, because after connecting
>> successfully I saw the message. However, the DNS of `28675` isn't working.
>>
>>
>>
>> I tried to tweak lots of settings from these pages. Tried using both
>> IKEv1 and IKEv2.
>>
>> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers
>> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers
>> https://wiki.strongswan.org/issues/317
>> https://wiki.strongswan.org/issues/261
>>
>> But so far no luck...
>>
>> The fact that it works on Mac OS X and Android (split tunneling + split DNS)
>> makes me think that the issue is on the iOS client.
>>
>> When connecting, I saw this log
>>
>> ```
>> 04[IKE] peer requested virtual IP %any
>> 04[CFG] assigning new lease to 'vinh'
>> 04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
>> 04[IKE] peer requested virtual IP %any6
>> 04[IKE] no virtual IP found for %any6 requested by 'vinh'
>> 04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o
>> and TS 192.168.44.0/24 === 192.168.40.1/32
>> 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC
>> U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP)
>> N(ADD_4_ADDR) ]
>> 04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
>> ```
>>
>> That makes me think strongswan does push instruction to set DNS.
>>
>> Has anyone ever got split DNS to work on iOS? If so, can you let me
>> reference your configuration?
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
>
> --
> "Over the highland flies the reindeer;
> after it, in wind and wet!
> Better that than breaking the stone
> up out of the poor soil down there!"
>
>



-- 
Segmentation fault
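The reasoning in the quoted thread hinges on one question: does the charon log prove that the gateway pushed DNS and split-DNS attributes, so that any remaining problem lies on the client? The following parser, added here as an example and not part of the thread or of strongSwan itself, answers that from the log lines quoted above. It reads the assigned virtual IP, the CHILD_SA traffic selectors and the contents of the CP(REPLY) payload in the IKE_AUTH response, and reports how many DNS servers were pushed, whether U_SPLITDNS was included, and whether the tunnel is split. The attribute names are used as charon prints them in the quoted log (ADDR, DNS, U_SPLITDNS, U_SPLITINC, U_LOCALLAN, U_BANNER); the sample log is constructed from the quoted lines with the mail-wrapped lines re-joined.

```python
"""Check a charon log excerpt for pushed DNS / split-DNS attributes.

Added example; not part of the thread or of strongSwan.  Attribute names
are the ones charon prints in the quoted log (ADDR, DNS, U_SPLITDNS, ...).
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the lines quoted in the thread, with the lines the
# mail client wrapped joined back together.
SAMPLE_LOG = """\
04[IKE] peer requested virtual IP %any
04[CFG] assigning new lease to 'vinh'
04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
04[IKE] peer requested virtual IP %any6
04[IKE] no virtual IP found for %any6 requested by 'vinh'
04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32
04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
"""

RE_VIP = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
RE_CHILD = re.compile(
    r"CHILD_SA (\S+)\{\d+\} established with SPIs (\w+)_i (\w+)_o and TS (.+?) === (.+)$")
RE_RESP = re.compile(r"generating (\w+) response \d+ \[ (.*) \]")
RE_CPRP = re.compile(r"CPRP\(([^)]*)\)")   # CP(REPLY) payload contents


@dataclass
class Diagnostic:
    peer: Optional[str] = None
    virtual_ip: Optional[str] = None
    child_sa: Optional[str] = None
    exchange: Optional[str] = None
    spi_in: Optional[str] = None
    spi_out: Optional[str] = None
    local_ts: List[str] = field(default_factory=list)   # gateway-side selectors
    remote_ts: List[str] = field(default_factory=list)  # client-side selectors
    cp_attrs: Counter = field(default_factory=Counter)  # attribute name -> count

    @property
    def dns_servers_pushed(self) -> int:
        return self.cp_attrs["DNS"]           # charon prints one DNS per server

    @property
    def split_dns_pushed(self) -> bool:
        return self.cp_attrs["U_SPLITDNS"] > 0

    @property
    def split_tunnel(self) -> bool:
        # Local selectors narrower than 0.0.0.0/0 mean not all client traffic
        # is routed through the gateway.
        return bool(self.local_ts) and "0.0.0.0/0" not in self.local_ts


def parse_charon_log(text: str) -> Diagnostic:
    """Extract lease, CHILD_SA selectors and CP(REPLY) attributes from a log."""
    d = Diagnostic()
    for line in text.splitlines():
        m = RE_VIP.search(line)
        if m:
            d.virtual_ip, d.peer = m.group(1), m.group(2)
            continue
        m = RE_CHILD.search(line)
        if m:
            d.child_sa, d.spi_in, d.spi_out = m.group(1), m.group(2), m.group(3)
            d.local_ts = m.group(4).split()
            d.remote_ts = m.group(5).split()
            continue
        m = RE_RESP.search(line)
        if m:
            d.exchange = m.group(1)
            cp = RE_CPRP.search(m.group(2))
            d.cp_attrs = Counter(cp.group(1).split()) if cp else Counter()
    return d


def summarize(d: Diagnostic) -> List[str]:
    """Human-readable findings; the last line says where to look next."""
    out = [
        f"peer {d.peer!r} got virtual IP {d.virtual_ip}",
        f"{d.exchange} reply carried {d.dns_servers_pushed} DNS server attribute(s)",
        f"split DNS attribute (U_SPLITDNS) {'present' if d.split_dns_pushed else 'absent'}",
        f"CHILD_SA {d.child_sa}: local TS {d.local_ts}, remote TS {d.remote_ts}"
        f" ({'split' if d.split_tunnel else 'full'} tunnel)",
    ]
    if d.dns_servers_pushed:
        out.append("gateway did its part; if the client still ignores the servers, "
                   "the gap is on the client side")
    else:
        out.append("no DNS attribute in the reply: check rightdns= and the attr plugin")
    return out


if __name__ == "__main__":
    for line in summarize(parse_charon_log(SAMPLE_LOG)):
        print(line)
```

Run against a real `charondebug` capture (paste the relevant lines into a file and feed them to `parse_charon_log`), this separates the two failure modes the thread conflates: a reply with no DNS attribute points at the gateway configuration, while a reply that carries DNS and U_SPLITDNS, as in the quoted log, points at the client's handling of them.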

