[strongSwan] Splitting DNS, assign DNS with iPhone on either IKEv1/IKEv2 fails

Roger Skjetlein rskjetlein at netrunner.nu
Thu Oct 15 20:11:48 CEST 2015


The fix is to use a configuration profile containing the IKEv2 settings and
some extra ones for the DNS. I can confirm that this works and allows for split
DNS.

Example for test2.com and test3.com:

                        <key>DNS</key>
                        <dict>
                                <key>ServerAddresses</key>
                                <array>
                                        <string>1.1.1.1</string>
                                        <string>2.2.2.2</string>
                                </array>
                                <key>SearchDomains</key>
                                <array>
                                        <string>test2.com</string>
                                        <string>test3.com</string>
                                </array>
                                <key>SupplementalMatchDomains</key>
                                <array>
                                        <string>test2.com</string>
                                        <string>test3.com</string>
                                </array>
                        </dict>
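As an added example (not code from the original post or from the strongSwan project), the script below builds the whole .mobileconfig around that DNS dictionary with Python's plistlib. The Payload and IKEv2 wrapper keys are my own assumption about Apple's VPN payload format and are not shown on the page; the gateway, PSK and identifiers are placeholders.

```python
"""Build an iOS/macOS .mobileconfig carrying the DNS dictionary from the post.
Added example, not from strongSwan or the poster: the Payload/IKEv2 wrapper keys
reflect my understanding of Apple's VPN payload and are not on the page."""
import plistlib
import uuid

DNS_SERVERS = ["1.1.1.1", "2.2.2.2"]        # values from the post
MATCH_DOMAINS = ["test2.com", "test3.com"]


def dns_payload(servers, domains):
    """DNS dict from the post; SupplementalMatchDomains limits the VPN
    resolver to these domains, which is what makes split DNS work."""
    return {
        "ServerAddresses": list(servers),
        "SearchDomains": list(domains),
        "SupplementalMatchDomains": list(domains),
    }


def vpn_profile(gateway, servers, domains, psk):
    """Profile with one IKEv2 VPN payload (PSK, as in the quoted ipsec.conf)
    that embeds the DNS dict next to the IKEv2 settings."""
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",       # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": "Split DNS IKEv2",
        "VPNType": "IKEv2",
        "IKEv2": {"RemoteAddress": gateway, "RemoteIdentifier": gateway,
                  "AuthenticationMethod": "SharedSecret", "SharedSecret": psk},
        "DNS": dns_payload(servers, domains),
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.splitdns",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Split DNS VPN",
        "PayloadContent": [vpn],
    }


def render(profile):
    """XML plist text ready to install; parse_profile() reads it back."""
    return plistlib.dumps(profile).decode()

def parse_profile(text):
    return plistlib.loads(text.encode())
```

Write `render(vpn_profile(...))` to a `.mobileconfig` file and install it on the device; the DNS dict lands inside the VPN payload, next to the IKEv2 settings.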

On Thu, Oct 15, 2015 at 8:06 PM, Roger Skjetlein <rskjetlein at netrunner.nu>
wrote:

> I see that the DNS payload is received by the client (OS X 10.11) and
> installed, but not in a way that allows the client to actually use the DNS
> servers.
>
> Only the DNS servers received via DHCP through wifi are used.
>
> rogers-mbp:~ roger$ scutil --dns
> DNS configuration
>
> resolver #1
>   search domain[0] : s******n
>   nameserver[0] : 10.0.10.100
>   if_index : 4 (en0)
>   flags    : Request A records
> Reachable
>
> resolver #2
>   domain   : local
>   options  : mdns
>   timeout  : 5
>   flags    : Request A records
> Not Reachable
>   order    : 300000
> .
> .
> .
> DNS configuration (for scoped queries)
>
> resolver #1
>   search domain[0] : s****n
>   nameserver[0] : 10.0.10.100
>   if_index : 4 (en0)
>   flags    : Scoped, Request A records
> Reachable
>
> resolver #2
>   nameserver[0] : x.x.x.x
>   nameserver[1] : x.x.x.x
>   if_index : 10 (ipsec0)
>   flags    : Scoped, Request A records
> Reachable, Transient Connection, Connection Required, Automatic Connection
> On Demand
>
>
> On Thu, Oct 15, 2015 at 6:45 PM, Марк Коренберг <socketpair at gmail.com>
> wrote:
>
>> I experience the same problem. Moreover, even just rightdns=... does not
>> work. Not even talking about splitdns...
>>
>> Also, it seems that splitdns (as cisco unity extension) works only with
>> ikev1. I have no proof for that.
>>
>> 2015-10-15 17:42 GMT+05:00 Roger Skjetlein <rskjetlein at netrunner.nu>:
>>
>>> I'm connecting both ios 9 and osx 10.11 and experience the same problem.
>>>
>>> The DNS settings are pushed to the client and can be viewed by running
>>> 'scutil --dns'. However, the clients never use the DNS server assigned, and
>>> I even have the same problem when manually configuring DNS servers in the
>>> IKEv2 VPN settings on the client.
>>>
>>>
>>>
>>> On Fri, Oct 2, 2015 at 12:22 AM, Vinh Nguyen <vinh at noty.im> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm having a hard time configuring split DNS for iOS. The
>>>> configuration works for all clients: the Mac OS X built-in client using IKEv1
>>>> and Android work too.
>>>>
>>>> On iOS 9.02, it seems like the iOS VPN client doesn't set the DNS, because
>>>> I can see strongSwan is pushing DNS in the log.
>>>>
>>>> Split tunneling does work. I can use private IPs totally fine. But it's
>>>> just that the iPhone client doesn't set the VPN correctly.
>>>>
>>>> I have this configuration in ipsec.conf
>>>>
>>>> config setup
>>>>   # strictcrlpolicy=yes
>>>>   # uniqueids = no
>>>>     cachecrls=yes
>>>>     uniqueids=yes
>>>>
>>>>     plutostart=yes
>>>>     nat_traversal=yes
>>>>
>>>>     # Debug remove later
>>>>     charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4,chd 4"
>>>>
>>>> conn ikev1
>>>>     dpdaction=clear
>>>>     dpddelay=15s
>>>>     dpdtimeout=45s
>>>>     keyexchange=ikev1
>>>>     #This is for authentication in ipsec.secrets
>>>>     #authby=xauthpsk
>>>>     #xauth=server
>>>>     left=%defaultroute
>>>>     #We want split tunneling
>>>>     #leftsubnet=0.0.0.0/0
>>>>     leftsubnet=192.168.44.1/24
>>>>     leftfirewall=yes
>>>>     right=%any
>>>>     #rightsubnet=192.168.44.0/24
>>>>     rightsourceip=192.168.40.0/24
>>>>     #We push DNS for split DNS via charon attr plugin
>>>>     rightdns=x.x.x.x
>>>>     auto=add
>>>>     forceencaps=yes
>>>>     # We are using xauth-pam for two factor authentication
>>>>     leftauth=psk
>>>>     rightauth=psk
>>>>     rightauth2=xauth-pam
>>>>     #Make a connection valid for a maximum of 4 hours
>>>>     lifetime=4h
>>>>
>>>> conn iosikev2
>>>>     dpdaction=clear
>>>>     dpddelay=15s
>>>>     dpdtimeout=45s
>>>>     keyexchange=ikev2
>>>>     #This is for authentication in ipsec.secrets
>>>>     #authby=xauthpsk
>>>>     #xauth=server
>>>>     left=%defaultroute
>>>>     #We want split tunneling
>>>>     #leftsubnet=0.0.0.0/0
>>>>     leftsubnet=192.168.44.1/24
>>>>     leftfirewall=yes
>>>>     leftid=x.x.x.x
>>>>     esp=aes128-sha1,3des-sha1,3des-sha2_256
>>>>
>>>>
>>>>     right=%any
>>>>     #rightsubnet=192.168.44.0/24
>>>>     rightsourceip=192.168.40.0/24
>>>>     #We push DNS for split DNS via charon attr plugin
>>>>     rightdns=192.168.44.1
>>>>     auto=add
>>>>     forceencaps=yes
>>>>     # We are using xauth-pam for two factor authentication
>>>>     leftauth=psk
>>>>     # rightauth = secret works
>>>>     rightauth=secret
>>>>     #rightauth=xauth
>>>>
>>>>     #rightauth=eap-gtc
>>>>     #rightauth2=xauth-pam
>>>>     #Make a connection valid for a maximum of 4 hours
>>>>     lifetime=4h
>>>>     rekey=no
>>>>     ikelifetime=10800s
>>>>     rekeyfuzz=100%
>>>>     pfs=no
>>>>
>>>> And charon attr
>>>>
>>>> attr {
>>>>
>>>>     # <attr> is an attribute name or an integer, values can be an IP address,
>>>>     # subnet or arbitrary value.
>>>>     # <attr> =
>>>>
>>>>     # Whether to load the plugin. Can also be an integer to increase the
>>>>     # priority of this plugin.
>>>>     load = yes
>>>>     split-include=192.168.44.0/24
>>>>     split-exclude=0.0.0.0/0
>>>>
>>>>     28672 = "Connected to VPN"
>>>>     28675 = domain_prefix
>>>>
>>>>     dns = x.x.x.x,x.x.x.x
>>>> }
>>>>
>>>>
>>>> IKEv1 works great on Mac OS X and Android. On iOS 9, with IKEv1 `28672 =
>>>> "Connected to VPN"` worked too, because after connecting successfully, I saw
>>>> the message. However the DNS of `28675` isn't working.
>>>>
>>>>
>>>>
>>>> I tried to tweak lots of settings from these pages. Tried to use both
>>>> IKEv1 and IKEv2.
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers
>>>> https://wiki.strongswan.org/issues/317
>>>> https://wiki.strongswan.org/issues/261
>>>>
>>>> But so far no luck...
>>>>
>>>> The fact that it works on Mac OS X and Android (split tunneling + split
>>>> DNS) makes me think that the issue is in the iOS client.
>>>>
>>>> When connecting, I saw this log:
>>>>
>>>> ```
>>>> 04[IKE] peer requested virtual IP %any
>>>> 04[CFG] assigning new lease to 'vinh'
>>>> 04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
>>>> 04[IKE] peer requested virtual IP %any6
>>>> 04[IKE] no virtual IP found for %any6 requested by 'vinh'
>>>> 04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i
>>>> 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32
>>>> 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC
>>>> U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP)
>>>> N(ADD_4_ADDR) ]
>>>> 04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
>>>> ```
>>>>
>>>> That makes me think strongswan does push instruction to set DNS.
>>>>
>>>> Has anyone ever got split DNS to work on iOS? If so, can you let me
>>>> reference your configuration?
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>
>>>
>>>
>>> --
>>> "Over the heights the reindeer flies;
>>> after it in wind and wet!
>>> Better that than breaking the stone
>>> up from the poor soil down there!"
>>>
>>>
>>
>>
>>
>> --
>> Segmentation fault
>>
>
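The scoped-versus-global distinction in the scutil --dns output quoted above is the thing to check. As an added example (not from the original thread), this Python parser reads that output, using a constructed sample in the same shape, and lists nameservers that exist only as a scoped resolver, i.e. ones the system will not consult for ordinary lookups.

```python
"""Parse `scutil --dns` output and report nameservers that exist only as a
scoped (per-interface) resolver, the symptom seen in the thread: VPN servers
appear under ipsec0 in the scoped list but not in the global list. Added example."""
import re

# Constructed sample in the shape of the output quoted in the thread.
SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
  flags    : Request A records
Reachable

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
Reachable

resolver #2
  nameserver[0] : 192.168.44.1
  if_index : 10 (ipsec0)
Reachable
"""

NS_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")
IF_RE = re.compile(r"if_index\s*:\s*\d+\s*\((\S+)\)")


def parse_scutil_dns(text):
    """Return (global_ns, scoped): global_ns is the set of nameservers in the
    unscoped list; scoped maps nameserver -> interface it is bound to."""
    global_ns, scoped, in_scoped = set(), {}, False
    # Each "DNS configuration" header or "resolver #n" entry starts a block.
    for block in re.split(r"\n(?=resolver #|DNS configuration)", text):
        if block.startswith("DNS configuration"):
            in_scoped = "scoped" in block
            continue
        iface = IF_RE.search(block)
        for ns in NS_RE.findall(block):
            if in_scoped:
                scoped[ns] = iface.group(1) if iface else None
            else:
                global_ns.add(ns)
    return global_ns, scoped

def scoped_only(global_ns, scoped):
    """Nameservers the system will not use for ordinary (unscoped) queries."""
    return {ns: iface for ns, iface in scoped.items() if ns not in global_ns}
```

Feed it the real output with `parse_scutil_dns(subprocess.check_output(["scutil", "--dns"], text=True))`; a VPN nameserver reported by `scoped_only` is installed but unused, which is exactly the state the profile fix corrects.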


