[strongSwan] Splitting DNS, assigning DNS with iPhone on either IKEv1/IKEv2 fails

Vinh Nguyen vinh at noty.im
Thu Oct 15 23:17:54 CEST 2015


Thank you Roger. Let me try. Split DNS working will be great.

Also, are you affected by the one hour disconnect issue with IPsec IKEv1 on Mac OS X?

Basically, after around 45-60 minutes the Mac OS X client re-authenticates again, and even if I enter the correct password, the connection is still interrupted after that?

I found a tutorial (http://apple.stackexchange.com/questions/14780/vpn-connection-in-osx-fails-after-a-certain-amount-of-reconnects) on manually editing the config file and changing the one hour lifetime in the racoon configuration.

I'm experiencing it and don't have a solution. Were you able to solve that problem?

Thanks.

Vinh

vinh at noty.im

> On Oct 15, 2015, at 11:11 AM, Roger Skjetlein <rskjetlein at netrunner.nu> wrote:
> 
> The fix is to use a configuration profile containing the ikev2 settings and some extra for the dns. I can confirm that this works and allows for split dns.
> 
> Example for test2.com and test3.com:
> 
> ```
>     <key>DNS</key>
>     <dict>
>         <key>ServerAddresses</key>
>         <array>
>             <string>1.1.1.1</string>
>             <string>2.2.2.2</string>
>         </array>
>         <key>SearchDomains</key>
>         <array>
>             <string>test2.com</string>
>             <string>test3.com</string>
>         </array>
>         <key>SupplementalMatchDomains</key>
>         <array>
>             <string>test2.com</string>
>             <string>test3.com</string>
>         </array>
>     </dict>
> ```
> 
> On Thu, Oct 15, 2015 at 8:06 PM, Roger Skjetlein <rskjetlein at netrunner.nu> wrote:
> I see that the DNS payload is received by the client (OS X 10.11) and installed, but not in a way that allows the client to actually use the DNS servers.
> 
> Only the DNS servers received via DHCP through Wi-Fi are used.
> 
> rogers-mbp:~ roger$ scutil --dns
> DNS configuration
> 
> resolver #1
>   search domain[0] : s******n
>   nameserver[0] : 10.0.10.100
>   if_index : 4 (en0)
>   flags    : Request A records
> Reachable
> 
> resolver #2
>   domain   : local
>   options  : mdns
>   timeout  : 5
>   flags    : Request A records
> Not Reachable
>   order    : 300000
> .
> .
> .
> DNS configuration (for scoped queries)
> 
> resolver #1
>   search domain[0] : s****n
>   nameserver[0] : 10.0.10.100
>   if_index : 4 (en0)
>   flags    : Scoped, Request A records
> Reachable
> 
> resolver #2
>   nameserver[0] : x.x.x.x
>   nameserver[1] : x.x.x.x
>   if_index : 10 (ipsec0)
>   flags    : Scoped, Request A records
> Reachable, Transient Connection, Connection Required, Automatic Connection On Demand
> 
> 
> On Thu, Oct 15, 2015 at 6:45 PM, Марк Коренберг <socketpair at gmail.com> wrote:
> I experience the same problem. Moreover, even just rightdns=... does not work. Not even talking about splitdns...
> 
> Also, it seems that splitdns (as cisco unity extension) works only with ikev1. I have no proof for that.
> 
> 2015-10-15 17:42 GMT+05:00 Roger Skjetlein <rskjetlein at netrunner.nu>:
> I'm connecting with both iOS 9 and OS X 10.11 and experience the same problem.
> 
> The DNS settings are pushed to the client and can be viewed by running 'scutil --dns'. However, the clients never use the DNS server assigned, and I even have the same problem when manually configuring DNS servers in the IKEv2 VPN settings on the client.
> 
> 
> 
> On Fri, Oct 2, 2015 at 12:22 AM, Vinh Nguyen <vinh at noty.im> wrote:
> Hi all,
> 
> I'm having a hard time configuring split DNS for iOS. The configuration works for all other clients: the Mac OS X built-in client using IKEv1 works, and Android works too.
> 
> On iOS 9.02, it seems like the iOS VPN client doesn't set the DNS, because I can see in the log that strongSwan is pushing DNS.
> 
> Split tunneling does work. I can use private IPs totally fine. It's just that the iPhone client doesn't set the DNS correctly.
> 
> I have this configuration in ipsec.conf:
> 
> ```
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>     cachecrls=yes
>     uniqueids=yes
> 
>     plutostart=yes
>     nat_traversal=yes
> 
>     # Debug, remove later
>     charondebug="ike 4, knl 4, cfg 4, enc 4, esp 4, chd 4"
> 
> conn ikev1
>     dpdaction=clear
>     dpddelay=15s
>     dpdtimeout=45s
>     keyexchange=ikev1
>     # This is for authentication in ipsec.secrets
>     #authby=xauthpsk
>     #xauth=server
>     left=%defaultroute
>     # We want split tunneling
>     #leftsubnet=0.0.0.0/0
>     leftsubnet=192.168.44.1/24
>     leftfirewall=yes
>     right=%any
>     #rightsubnet=192.168.44.0/24
>     rightsourceip=192.168.40.0/24
>     # We push DNS for split DNS via the charon attr plugin
>     rightdns=x.x.x.x
>     auto=add
>     forceencaps=yes
>     # We are using xauth-pam for two factor authentication
>     leftauth=psk
>     rightauth=psk
>     rightauth2=xauth-pam
>     # Make a connection valid for a maximum of 4 hours
>     lifetime=4h
> 
> conn iosikev2
>     dpdaction=clear
>     dpddelay=15s
>     dpdtimeout=45s
>     keyexchange=ikev2
>     # This is for authentication in ipsec.secrets
>     #authby=xauthpsk
>     #xauth=server
>     left=%defaultroute
>     # We want split tunneling
>     #leftsubnet=0.0.0.0/0
>     leftsubnet=192.168.44.1/24
>     leftfirewall=yes
>     leftid=x.x.x.x
>     esp=aes128-sha1,3des-sha1,3des-sha2_256
> 
>     right=%any
>     #rightsubnet=192.168.44.0/24
>     rightsourceip=192.168.40.0/24
>     # We push DNS for split DNS via the charon attr plugin
>     rightdns=192.168.44.1
>     auto=add
>     forceencaps=yes
>     # We are using xauth-pam for two factor authentication
>     leftauth=psk
>     # rightauth=secret works
>     rightauth=secret
>     #rightauth=xauth
>     #rightauth=eap-gtc
>     #rightauth2=xauth-pam
>     # Make a connection valid for a maximum of 4 hours
>     lifetime=4h
>     rekey=no
>     ikelifetime=10800s
>     rekeyfuzz=100%
>     pfs=no
> ```
> 
> And the charon attr plugin section:
> 
> ```
> attr {
> 
>     # <attr> is an attribute name or an integer, values can be an IP address,
>     # subnet or arbitrary value.
>     # <attr> =
> 
>     # Whether to load the plugin. Can also be an integer to increase the
>     # priority of this plugin.
>     load = yes
>     split-include=192.168.44.0/24
>     split-exclude=0.0.0.0/0
> 
>     28672 = "Connected to VPN"
>     28675 = domain_prefix
> 
>     dns = x.x.x.x,x.x.x.x
> }
> ```
> 
> 
> IKEv1 works great on Mac OS X and Android. On iOS 9 with IKEv1, `28672 = "Connected to VPN"` worked too, because after connecting successfully I saw the message. However, the DNS from `28675` isn't working.
> 
> 
> 
> I tried tweaking lots of settings from these pages, with both IKEv1 and IKEv2:
> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/47#Assignment-of-internal-DNS-servers
> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#DNS-servers
> https://wiki.strongswan.org/issues/317
> https://wiki.strongswan.org/issues/261
> 
> But so far no luck...
> 
> The fact that it works on Mac OS X and Android (split tunneling + split DNS) makes me think that the issue is in the iOS client.
> 
> When connecting, I saw this log:
> 
> ```
> 04[IKE] peer requested virtual IP %any
> 04[CFG] assigning new lease to 'vinh'
> 04[IKE] assigning virtual IP 192.168.40.1 to peer 'vinh'
> 04[IKE] peer requested virtual IP %any6
> 04[IKE] no virtual IP found for %any6 requested by 'vinh'
> 04[IKE] CHILD_SA iosikev2{1} established with SPIs c2ba0ada_i 081b56a2_o and TS 192.168.44.0/24 === 192.168.40.1/32
> 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_SPLITINC U_LOCALLAN U_BANNER U_SPLITDNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> 04[NET] sending packet: from xxxx[4500] to xxxx[4500] (352 bytes)
> ```
> 
> That makes me think strongSwan does push the instruction to set DNS.
> 
> Has anyone ever got split DNS working on iOS? If so, can you let me reference your configuration?
> 
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 
> 
> 
> --
> "Over the plateau flies the reindeer;
> after it, in wind and wet! -
> Better that than breaking the stones
> up from the poor soil down there!"
> 
> 
> 
> 
> --
> Segmentation fault
> 
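As an added example (not code from anyone in this thread): a small Python checker for the `scutil --dns` symptom Roger describes, where the nameservers pushed over the tunnel appear only under the "(for scoped queries)" section and so are never consulted for ordinary lookups. The sample listing is constructed from the output quoted above; the interface name `ipsec0` is taken from that listing and is the assumed default.

```python
import re

# Constructed sample modelled on the scutil --dns listing quoted in the thread:
# the tunnel's resolver (ipsec0) only shows up under "(for scoped queries)".
SAMPLE = """DNS configuration

resolver #1
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)
  flags    : Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 10.0.10.100
  if_index : 4 (en0)

resolver #2
  nameserver[0] : 192.168.44.1
  if_index : 10 (ipsec0)
"""

FIELD = re.compile(r"\s*(nameserver|if_index)(?:\[\d+\])?\s*:\s*(.+)")

def parse_scutil_dns(text):
    """Parse resolver blocks into dicts: scoped flag, interface name, nameservers."""
    resolvers, scoped, cur = [], False, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            scoped, cur = "scoped" in line, None          # global or scoped section
        elif line.startswith("resolver #"):
            cur = {"scoped": scoped, "iface": None, "nameservers": []}
            resolvers.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            key, val = m.group(1), m.group(2).strip()
            if key == "nameserver":
                cur["nameservers"].append(val)
            else:                                          # "10 (ipsec0)" -> "ipsec0"
                cur["iface"] = val[val.find("(") + 1:val.find(")")]
    return resolvers

def vpn_dns_usable(text, iface="ipsec0"):
    """True only if a nameserver learned on the VPN interface is also in the
    global (unscoped) list; a resolver present solely under scoped queries is
    never consulted for ordinary lookups, which is the symptom in the thread."""
    res = parse_scutil_dns(text)
    vpn_ns = {ns for r in res if r["iface"] == iface for ns in r["nameservers"]}
    global_ns = {ns for r in res if not r["scoped"] for ns in r["nameservers"]}
    return bool(vpn_ns & global_ns)
```

Run it against `scutil --dns` output captured after connecting; a False result means the pushed DNS servers were installed but will not be used for unqualified or non-matching names.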
