[strongSwan] IKEv2: how to set the DNS search attribute on the peer?
Harald Dunkel
harald.dunkel at aixigo.com
Mon Jul 1 09:02:47 CEST 2019
Hi folks,
using IKEv2 and NetworkManager I wonder how the DNS domain search
attribute is supposed to be added to /etc/resolv.conf?
My attr.conf on the IPsec gateway says
attr {
    dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
    nbns = 10.0.98.253
    28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
    28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
    load = yes
}
AFAICT NetworkManager would like to call resolvconf itself, but apparently
it is missing the DNS domain. syslog on my laptop tells me
Jul 1 08:25:19 ppcl001 NetworkManager[992]: <info> [1561962319.5404] audit: op="connection-activate" uuid="e3e13c44-f079-42d9-9d40-5156082f2914" name="ipsecgate IKEv2" pid=5931 uid=6502 result="success"
Jul 1 08:25:19 ppcl001 NetworkManager[992]: <info> [1561962319.5435] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Saw the service appear; activating connection
Jul 1 08:25:19 ppcl001 NetworkManager[992]: <info> [1561962319.5633] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (ConnectInteractive) reply received
Jul 1 08:25:19 ppcl001 charon-nm: 05[CFG] received initiate for NetworkManager connection ipsecgate IKEv2
Jul 1 08:25:19 ppcl001 NetworkManager[992]: <info> [1561962319.6125] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: starting (3)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7119] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: VPN Gateway: 5.145.142.209
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Tunnel Device: (null)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: IPv4 configuration:
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal Address: 10.0.122.66
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal Prefix: 32
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal Point-to-Point Address: 10.0.122.66
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Maximum Segment Size (MSS): 0
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Forbid Default Route: yes
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal DNS: 10.0.122.9
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal DNS: 10.0.96.123
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal DNS: 10.0.96.124
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal DNS: 127.0.0.1
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: DNS Domain: '(none)'
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: No IPv6 configuration
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP Config Get) complete
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: started (4)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7225] dns-mgr: Writing DNS information to /sbin/resolvconf
Of course the documentation states: "Cisco Unity extensions for IKEv1"
but I don't see any reason why this shouldn't work for IKEv2 as well
(except for not being listed in some document).
strongswan is version 5.7.2 on both peers. strongswan network manager
plugin is version 1.4.4.
Every insightful comment is highly appreciated
Harri
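
A check for the symptom visible in the log above, added here as an example and not part of the original post: it parses NetworkManager's "Data:" lines and reports a missing search domain or DNS servers that differ from the gateway's "dns =" list. The function names and the shortened log prefix are assumptions; the values are the ones quoted in the post.

```python
import re

# Constructed sample: lines in the format quoted in the post, with the
# vpn-connection[...] prefix shortened. Values are the ones from the post.
PREFIX = ('Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] '
          'vpn-connection[0x1,example-uuid,"ipsecgate IKEv2",0]: ')
SAMPLE_LOG = "\n".join(PREFIX + msg for msg in [
    "Data: IPv4 configuration:",
    "Data: Internal Address: 10.0.122.66",
    "Data: Forbid Default Route: yes",
    "Data: Internal DNS: 10.0.122.9",
    "Data: Internal DNS: 10.0.96.123",
    "Data: Internal DNS: 10.0.96.124",
    "Data: Internal DNS: 127.0.0.1",
    "Data: DNS Domain: '(none)'",
    "Data: No IPv6 configuration",
])

# Matches only "Data: <key>: <value>" lines; section headers have no value.
DATA_RE = re.compile(r'vpn-connection\[[^\]]*\]: Data: ([^:]+): (.*)$')

def parse_vpn_data(log_text):
    """Collect 'Data: key: value' fields; repeated keys accumulate in order."""
    cfg = {}
    for line in log_text.splitlines():
        m = DATA_RE.search(line)
        if m:
            value = m.group(2).strip().strip("'")
            cfg.setdefault(m.group(1).strip(), []).append(value)
    return cfg

def check_dns(cfg, expected_servers):
    """Return findings about the DNS settings NetworkManager received."""
    findings = []
    received = cfg.get("Internal DNS", [])
    domains = [d for d in cfg.get("DNS Domain", []) if d not in ("", "(none)", "(null)")]
    if not domains:
        findings.append("no DNS search domain received")
    findings += [f"unexpected DNS server: {s}" for s in received if s not in expected_servers]
    findings += [f"expected DNS server not received: {s}"
                 for s in expected_servers if s not in received]
    return findings

if __name__ == "__main__":
    expected = ["10.0.122.9", "10.0.96.123", "10.0.96.124"]  # "dns =" line in attr.conf
    for finding in check_dns(parse_vpn_data(SAMPLE_LOG), expected):
        print(finding)
```
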