[strongSwan] IKEv2: how to set the DNS search attribute on the peer?
Harald Dunkel
harald.dunkel at aixigo.com
Mon Jul 1 09:44:23 CEST 2019
Hi folks,
using IKEv2 and NetworkManager I wonder how the DNS domain search
attribute is supposed to be added to /etc/resolv.conf?
My attr.conf on the IPsec gateway says
attr {
dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
nbns = 10.0.98.253
28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
load = yes
}
AFAICT NetworkManager would like to call resolvconf itself, but apparently
it is missing the DNS domain. syslog on my laptop tells me
Jul 1 08:25:19 ppcl001 NetworkManager[992]: <info> [1561962319.5404] audit: op="connection-activate" uuid="e3e13c44-f079-42d9-9d40-5156082f2914" name="ipsecgate IKEv2" pid=5931 uid=6502 result="success"
Jul 1 08:25:19 ppcl001 NetworkManager[992]: <info> [1561962319.5435] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Saw the service appear; activating connection
Jul 1 08:25:19 ppcl001 NetworkManager[992]: <info> [1561962319.5633] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (ConnectInteractive) reply received
Jul 1 08:25:19 ppcl001 charon-nm: 05[CFG] received initiate for NetworkManager connection ipsecgate IKEv2
Jul 1 08:25:19 ppcl001 NetworkManager[992]: <info> [1561962319.6125] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: starting (3)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7119] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: VPN Gateway: 5.145.142.209
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Tunnel Device: (null)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: IPv4 configuration:
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal Address: 10.0.122.66
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal Prefix: 32
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal Point-to-Point Address: 10.0.122.66
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Maximum Segment Size (MSS): 0
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Forbid Default Route: yes
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal DNS: 10.0.122.9
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal DNS: 10.0.96.123
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal DNS: 10.0.96.124
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Internal DNS: 127.0.0.1
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: DNS Domain: '(none)'
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: No IPv6 configuration
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP Config Get) complete
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: started (4)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: <info> [1561962326.7225] dns-mgr: Writing DNS information to /sbin/resolvconf
Of course the documentation states: "Cisco Unity extensions for IKEv1"
but I don't see any reason why this shouldn't work for IKEv2 as well
(except for not being listed in some document).
strongswan is version 5.7.2 on both peers. strongswan network manager
plugin is version 1.4.4.
Every insightful comment is highly appreciated
Harri
More information about the Users
mailing list