[strongSwan] Splitting DNS, assigning DNS with iPhone on either IKEv1/IKEv2 fails

Roger Skjetlein rskjetlein at netrunner.nu
Thu Oct 15 20:06:23 CEST 2015


I see that the DNS payload is received by the client (OS X 10.11) and
installed, but not in a way that allows the client to actually use the DNS
servers.

Only the DNS received via DHCP through Wi-Fi is used.

```
rogers-mbp:~ roger$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : s******n
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
  flags    : Request A records
Reachable

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
Not Reachable
  order    : 300000
.
.
.
DNS configuration (for scoped queries)

resolver #1
  search domain[0] : s****n
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
  flags    : Scoped, Request A records
Reachable

resolver #2
  nameserver[0] : x.x.x.x
  nameserver[1] : x.x.x.x
  if_index : 10 (ipsec0)
  flags    : Scoped, Request A records
Reachable, Transient Connection, Connection Required, Automatic Connection
On Demand
```


On Thu, Oct 15, 2015 at 6:45 PM, Марк Коренберг <socketpair at gmail.com>
wrote:

> I experience the same problem. Moreover, even just rightdns=... does not
> work. Not even talking about splitdns...
>
> Also, it seems that splitdns (as a Cisco Unity extension) works only with
> IKEv1. I have no proof for that.
>
> 2015-10-15 17:42 GMT+05:00 Roger Skjetlein <rskjetlein at netrunner.nu>:
>
>> I'm connecting both iOS 9 and OS X 10.11 and experience the same problem.
>>
>> The DNS settings are pushed to the client and can be viewed by running
>> 'scutil --dns'. However, the clients never use the DNS server assigned, and
>> I even have the same problem when manually configuring DNS servers in the
>> IKEv2 VPN settings on the client.
>>
>>
>>
>> On Fri, Oct 2, 2015 at 12:22 AM, Vinh Nguyen <vinh at noty.im> wrote:
>>
>>> Hi all,
>>>
>>> I'm having a hard time configuring split DNS for iOS. The
>>> configuration works for all clients: the Mac OS X built-in client using IKEv1,
>>> and Android works too.
>>>
>>> On iOS 9.02, it seems like the iOS VPN client doesn't set the DNS, because I
>>> can see strongSwan is pushing DNS in the log.
>>>
>>> Split tunneling does work. I can use private IPs totally fine. But it's
>>> just that the iPhone client doesn't set the VPN correctly.
>>>
>>> I have this configuration in ipsec.conf
>>>
>>> ```
>>> config setup
>>>   # strictcrlpolicy=yes
>>>   # uniqueids = no
>>>     cachecrls=yes
>>>     uniqueids=yes
>>>
>>>     plutostart=yes
>>>     nat_traversal=yes
>>>
>>>     # Debug remove later
>>>     charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4,chd 4"
>>>
>>> conn ikev1
>>>     dpdaction=clear
>>>     dpddelay=15s
>>>     dpdtimeout=45s
>>>     keyexchange=ikev1
>>>     #This is for authentication in ipsec.secrets
>>>     #authby=xauthpsk
>>>     #xauth=server
>>>     left=%defaultroute
>>>     #We want split tunneling
>>>     #leftsubnet=0.0.0.0/0
>>>     leftsubnet=192.168.44.1/24
>>>     leftfirewall=yes
>>>     right=%any
>>>     #rightsubnet=192.168.44.0/24
>>>     rightsourceip=192.168.40.0/24
>>>     #We push DNS for split DNS via charon attr plugin
>>>     rightdns=x.x.x.x
>>>     auto=add
>>>     forceencaps=yes
>>>     # We are using xauth-pam for two factor authentication
>>>     leftauth=psk
>>>     rightauth=psk
>>>     rightauth2=xauth-pam
>>>     #Make a connection valid for a maximum of 4 hours
>>>     lifetime=4h
>>>
>>> conn iosikev2
>>>     dpdaction=clear
>>>     dpddelay=15s
>>>     dpdtimeout=45s
>>>     keyexchange=ikev2
>>>     #This is for authentication in ipsec.secrets
>>>     #authby=xauthpsk
>>>     #xauth=server
>>>     left=%defaultroute
>>>     #We want split tunneling
>>>     #leftsubnet=0.0.0.0/0
>>>     leftsubnet=192.168.44.1/24
>>>     leftfirewall=yes
>>>     leftid=x.x.x.x
>>>     esp=aes128-sha1,3des-sha1,3des-sha2_256
>>>
>>>
>>>     right=%any
>>>     #rightsubnet=192.168.44.0/24
>>>     rightsourceip=192.168.40.0/24
>>>     #We push DNS for split DNS via charon attr plugin
>>>     rightdns=192.168.44.1
>>>     auto=add
>>>     forceencaps=yes
>>>     # We are using xauth-pam for two factor authentication
>>>     leftauth=psk
>>>     # rightauth = secret works
>>>     rightauth=secret
>>>     #rightauth=xauth
>>>
>>>     #rightauth=eap-gtc
>>>     #rightauth2=xauth-pam
>>>     #Make a connection valid for a maximum of 4 hours
>>>     lifetime=4h
>>>     rekey=no
>>>     ikelifetime=10800s
>>>     rekeyfuzz=100%
>>>     pfs=no
>>> ```
>>>
>>> And charon attr
>>>
>>> ```
>>> attr {
>>>
>>>     # <attr> is an attribute name or an integer, values can be an IP address,
>>>     # subnet or arbitrary value.
>>>     # <attr> =
>>>
>>>     # Whether to load the plugin. Can also be an integer to increase the
>>>     # priority of this plugin.
>>>     load = yes
>>>     split-include=192.168.44.0/24
>>>     split-exclude=0.0.0.0/0
>>>
>>>     28672 = "Connected to VPN"
>>>     28675 = domain_prefix
>>>
>>>     dns = x.x.x.x,x.x.x.x
>>> }
>>> ```
>>>
>>>
>>> IKEv1 works great on Mac OS X and Android. On iOS 9, with IKEv1 `28672 =
>>> "Connected to VPN"` worked too, because after connecting successfully, I saw
>>> the message. However, the DNS of `28675` isn't working.
>>>
>>>
>>>
>>> I tried to tweak lots of settings from those pages. Tried to use both
>>> IKEv1 and IKEv2.
>>>
>>> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers
>>>
>>> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers
>>> https://wiki.strongswan.org/issues/317
>>> https://wiki.strongswan.org/issues/261
>>>
>>> But so far no luck...
>>>
>>> The fact that it works on Mac OS X and Android (split tunneling + split
>>> DNS) makes me think that the issue is on the iOS client.
>>>
>>> When connecting, I saw this log:
>>>
>>> ```
>>> 04[IKE] peer requested virtual IP %any
>>> 04[CFG] assigning new lease to 'vinh'
>>> 04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
>>> 04[IKE] peer requested virtual IP %any6
>>> 04[IKE] no virtual IP found for %any6 requested by 'vinh'
>>> 04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32
>>> 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
>>> 04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
>>> ```
>>>
>>> That makes me think strongSwan does push the instruction to set DNS.
>>>
>>> Has anyone ever got split DNS to work on iOS? If so, can you let me
>>> reference your configuration?
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>>
>>
>>
>
>
>
> --
> Segmentation fault
>



-- 
"Over vidden flyger renen;
efter den i vind og væde! -
Bedre det, end bryde stenen
op af fattig jord dernede!"
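A small parser for the `scutil --dns` output shown at the top of this thread, added here as an example and not code from any message in it or from strongSwan: it reads the unscoped and scoped resolver lists and reports whether the nameservers pushed over the tunnel (interface name ipsec0 assumed, as in the output above) are usable for ordinary lookups or only for queries scoped to that interface. The sample output is constructed.

```python
# Constructed sample modelled on the `scutil --dns` output quoted in the thread.
SAMPLE = """DNS configuration

resolver #1
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
Reachable

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 192.0.2.54
  if_index : 10 (ipsec0)
  flags    : Scoped, Request A records
Reachable, Transient Connection, Connection Required, Automatic Connection
On Demand
"""

def parse_scutil_dns(text):
    """Split `scutil --dns` output into unscoped and scoped resolver lists."""
    sections, section, resolver = {"unscoped": [], "scoped": []}, None, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            section = "scoped" if "scoped" in line else "unscoped"
        elif line.startswith("resolver #"):
            resolver = {"nameservers": [], "interface": None, "domain": None}
            sections[section].append(resolver)
        elif resolver and " : " in line:  # bare "Reachable" lines are skipped
            key, value = (p.strip() for p in line.split(" : ", 1))
            if key.startswith("nameserver"):
                resolver["nameservers"].append(value)
            elif key == "domain":
                resolver["domain"] = value
            elif key == "if_index":  # value looks like "10 (ipsec0)"
                resolver["interface"] = value.rsplit("(", 1)[-1].rstrip(")")
    return sections

def vpn_dns_status(sections, iface="ipsec0"):
    """'default': unscoped resolver without domain carries them; 'split': only
    domain-bound unscoped resolvers do; 'scoped-only': present only for queries
    scoped to iface, so ordinary lookups never use them; 'not installed'."""
    pushed = {ns for r in sections["scoped"] if r["interface"] == iface
              for ns in r["nameservers"]}
    if not pushed:
        return "not installed"
    carriers = [r for r in sections["unscoped"] if set(r["nameservers"]) & pushed]
    if any(r["domain"] is None for r in carriers):
        return "default"
    return "split" if carriers else "scoped-only"
```

Run against the constructed sample, `vpn_dns_status(parse_scutil_dns(SAMPLE))` reports `scoped-only`, which is the situation described above: the pushed servers are installed, but no unscoped resolver refers to them.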

