[strongSwan] can't set dns on customers side
Volodymyr Litovka
doka at funlab.cc
Thu Mar 11 12:20:47 CET 2021
Hi,
I pass DNS using 'attr' module:
$ cat /etc/strongswan.d/charon/attr.conf
# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {

    # <attr> is an attribute name or an integer, values can be an IP address,
    # subnet or arbitrary value.
    # <attr> =
    dns = 100.100.0.1

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

On 11.03.2021 13:08, Gregory Edigarov wrote:
> Hello,
>
> strongSwan 5.6.2 on both sides.
>
> server side config:
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=@example.my.domain
>     leftauth=pubkey
>     leftcert=certificate.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     leftfirewall=yes
>     right=%any
>     rightid=%any
>     rightauth=eap-radius
>     rightsourceip=10.255.255.0/24
>     rightsendcert=never
>     rightdns=192.168.12.2,192.168.21.2,192.168.111.2
>     eap_identity=%identity
>
>
>
> client side config:
>
> conn ike-test
>     auto=start
>     fragmentation=yes
>     keyexchange=ikev2
>     right=example.my.domain
>     rightid=@example.my.domain
>     rightauth=pubkey
>     rightsubnet=0.0.0.0/0
>     leftsourceip=%config
>     leftid=username
>     leftauth=eap-mschapv2
>     eap_identity=%identity
>
>
> The connection got set up OK, but no DNS is installed on the client's side.
> I also tried with a Windows client, with the same result.
>
> Is it RADIUS overriding the rightdns setting? I do not put anything but
> authentication into RADIUS yet. May it be the reason?
>
> Thank you
> --
> With best regards,
> Gregory Edigarov
>
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
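
Added example, not part of the original thread and not strongSwan code: a small Python decoder for the body of an IKEv2 Configuration Payload (RFC 7296, section 3.15), which shows whether a CFG_REPLY actually carries an INTERNAL_IP4_DNS attribute. The function names and the sample payloads are constructed for illustration; the addresses come from the configs above, and 10.255.255.1 is an assumed lease from the rightsourceip pool.

```python
import ipaddress
import struct

# Constants from RFC 7296, section 3.15 (Configuration Payload).
CFG_TYPES = {1: "CFG_REQUEST", 2: "CFG_REPLY", 3: "CFG_SET", 4: "CFG_ACK"}
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
         3: "INTERNAL_IP4_DNS", 8: "INTERNAL_IP6_ADDRESS",
         10: "INTERNAL_IP6_DNS"}


def parse_cp(body: bytes):
    """Parse a decrypted CP body (the bytes after the generic payload header)."""
    if len(body) < 4:
        raise ValueError("CP body shorter than CFG type + 3 reserved bytes")
    cfg_type = CFG_TYPES.get(body[0], f"UNKNOWN({body[0]})")
    attrs, off = [], 4
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!HH", body, off)
        atype &= 0x7FFF  # top bit of the type field is reserved
        value = body[off + 4: off + 4 + alen]
        if len(value) != alen:
            raise ValueError("attribute length runs past end of payload")
        attrs.append((ATTRS.get(atype, str(atype)), value))
        off += 4 + alen
    return cfg_type, attrs


def dns_servers(attrs):
    """Return DNS servers in the attributes; zero-length values are requests."""
    out = []
    for name, value in attrs:
        if name == "INTERNAL_IP4_DNS" and len(value) == 4:
            out.append(str(ipaddress.IPv4Address(value)))
        elif name == "INTERNAL_IP6_DNS" and len(value) == 16:
            out.append(str(ipaddress.IPv6Address(value)))
    return out


def attr(atype: int, value: bytes = b"") -> bytes:
    """Encode one attribute: 16-bit type, 16-bit length, value."""
    return struct.pack("!HH", atype, len(value)) + value


# Constructed samples: a request for address + DNS, and a reply carrying both.
REQUEST = bytes([1, 0, 0, 0]) + attr(1) + attr(3)
REPLY = (bytes([2, 0, 0, 0])
         + attr(1, ipaddress.IPv4Address("10.255.255.1").packed)
         + attr(3, ipaddress.IPv4Address("100.100.0.1").packed))
```

If `dns_servers()` returns an empty list for the server's CFG_REPLY, the server is not sending DNS; if it returns addresses, the client is receiving them and not installing them.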