[strongSwan] IKEv2: how to set the DNS search attribute on the peer?

Tobias Brunner tobias at strongswan.org
Mon Jul 1 10:41:02 CEST 2019


Hi Harald,

> using IKEv2 and NetworkManager I wonder how the DNS domain search
> attribute is supposed to be added to /etc/resolv.conf?

There is no such attribute for IKEv2.

> My attr.conf on the IPsec gateway says
> 
> attr {
>      dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
>      nbns = 10.0.98.253
>      28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>      28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>      load = yes
> 
> }

The (proprietary Cisco Unity) IKEv1 attributes you assigned have
different purposes.  The first sets the default search domain, the other
is for split-DNS.  For the latter there now actually is an RFC for IKEv2
(RFC 8598) but strongSwan currently doesn't support it.  Well, you can
assign the INTERNAL_DNS_DOMAIN attribute to clients using the same
numeric assignment (25 is the identifier), but no client plugin
currently requests or handles such attributes.  In particular, the NM
plugin currently has no support for such internal domains (no idea if
NM_VPN_PLUGIN_IP4/6_CONFIG_DOMAINS could be used for that, or if that
e.g. just sets multiple search domains).

> AFAICT NetworkManager would like to call resolvconf itself, but apparently
> it is missing the DNS domain.

Is a search domain actually required in your setup?  Because, as I said,
there is no standardized IKEv2 attribute for it at all.

> Of course the documentation states: "Cisco Unity extensions for IKEv1"
> but I don't see any reason why this shouldn't work for IKEv2 as well
> (except for not being listed in some document).

Why would configuration attributes for a proprietary IKEv1 extension,
with numbers from the private use range, work with IKEv2?  Granted,
since it's not possible to set an IKE version for custom attributes in
the attr plugin's configuration, it will just assign them as configured
to any client that requests a virtual IP.  But a client that handles
them would technically be non-compliant.  Anyway, strongSwan actually
doesn't handle these Unity attributes as a client at all, not even for IKEv1.

Regards,
Tobias
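Added example (not from this thread or from strongSwan's code) illustrating the attribute numbering the reply refers to: it encodes and decodes IKEv2 Configuration Payload attributes in the RFC 7296 TLV format, builds the set the quoted attr.conf would hand out, and shows that 28674/28675 fall in the private-use type range while INTERNAL_DNS_DOMAIN (type 25, RFC 8598) is the IKEv2 attribute for a DNS domain. The sample values are taken from the question; the domain string for the Unity attribute is shortened.

```python
import ipaddress
import struct

# Attribute type numbers from the IKEv2 Configuration Payload registry
# (RFC 7296 section 3.15.1; INTERNAL_DNS_DOMAIN from RFC 8598).
INTERNAL_IP4_DNS = 3
INTERNAL_IP4_NBNS = 4
INTERNAL_DNS_DOMAIN = 25
# Types 16384-32767 are reserved for private use; 28674/28675 land here.
PRIVATE_USE_START, PRIVATE_USE_END = 16384, 32767

def encode_attr(attr_type, value):
    """TLV: R bit (0) + 15-bit type, 16-bit length, value (RFC 7296)."""
    if not 0 <= attr_type <= 0x7FFF:
        raise ValueError("attribute type does not fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value

def decode_attrs(data):
    """Walk a run of attributes, rejecting truncated headers or values."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((attr_type & 0x7FFF, data[off:off + length]))
        off += length
    return attrs

def is_private_use(attr_type):
    return PRIVATE_USE_START <= attr_type <= PRIVATE_USE_END

def build_cp_reply():
    """Attributes the quoted attr.conf assigns, plus an INTERNAL_DNS_DOMAIN."""
    parts = [encode_attr(INTERNAL_IP4_DNS, ipaddress.IPv4Address(a).packed)
             for a in ("10.0.122.9", "10.0.96.123", "10.0.96.124")]
    parts.append(encode_attr(INTERNAL_IP4_NBNS, ipaddress.IPv4Address("10.0.98.253").packed))
    # Unity default-domain attribute from the question: IKEv1 only, private-use type.
    parts.append(encode_attr(28674, b"ipsec.example.com example.com"))
    # The standardized IKEv2 way to convey a DNS domain (RFC 8598), type 25.
    parts.append(encode_attr(INTERNAL_DNS_DOMAIN, b"example.com"))
    return b"".join(parts)

def classify(data):
    """Map each decoded attribute type to 'standard' or 'private-use'."""
    return [(t, "private-use" if is_private_use(t) else "standard")
            for t, _ in decode_attrs(data)]
```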
