[strongSwan] can't set dns on customers side

Gregory Edigarov edigarov at qarea.com
Thu Mar 11 12:43:07 CET 2021 

    hmm this doesn't seem to be working

On 3/11/21 1:20 PM, Volodymyr Litovka wrote:
>
> Hi,
>
> I pass DNS using 'attr' module:
>
> $ cat /etc/strongswan.d/charon/attr.conf
> # Section to specify arbitrary attributes that are assigned to a peer via
> # configuration payload (CP).
> attr {
>
>     # <attr> is an attribute name or an integer, values can be an IP address,
>     # subnet or arbitrary value.
>     # <attr> =
> 	dns = 100.100.0.1
>
>     # Whether to load the plugin. Can also be an integer to increase the
>     # priority of this plugin.
> 	load = yes
>
> }
> On 11.03.2021 13:08, Gregory Edigarov wrote:
>> Hello,
>>  
>> strongSwan 5.6.2 on both sides.
>>
>> server side config:
>>
>> conn ikev2-vpn
>>     auto=add
>>     compress=no
>>     type=tunnel
>>     keyexchange=ikev2
>>     ike=aes256-sha1-modp1024
>>     esp=aes256-sha1
>>     fragmentation=yes
>>     forceencaps=yes
>>     dpdaction=clear
>>     dpddelay=300s
>>     rekey=no
>>     left=%any
>>     leftid=@example.my.domain
>>     leftauth=pubkey
>>     leftcert=certificate.pem
>>     leftsendcert=always
>>     leftsubnet=0.0.0.0/0
>>     leftfirewall=yes
>>     right=%any
>>     rightid=%any
>>     rightauth=eap-radius
>>     rightsourceip=10.255.255.0/24
>>     rightsendcert=never
>>     rightdns=192.168.12.2,192.168.21.2,192.168.111.2
>>     eap_identity=%identity
>>
>>
>>
>> client side config:
>>
>> conn ike-test
>>      auto=start
>>      fragmentation=yes
>>      keyexchange=ikev2
>>      right=example.my.domain
>>      rightid=@example.my.domain
>>      rightauth=pubkey
>>      rightsubnet=0.0.0.0/0
>>      leftsourceip=%config
>>      leftid=username
>>      leftauth=eap-mschapv2
>>      eap_identity=%identity
>>
>>
>> connection got setup ok, but no dns is installed on client's side. also
>> tried with  windows client, with same result
>>
>> is it radius overriding rightdns setting?  i do not put anything but
>> authentication into radius yet. may it be the  reason?
>>
>> thank you
>> --
>> With best regards,
>>          Gregory Edigarov  
>>
> -- 
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210311/1f77efa2/attachment.html>

More information about the Users mailing list