strongswan can't push DNS resolver to OSX Mountain Lion (split tunnel)

7,535

A couple of comments on your config:

  • The subnet you configured for split-exclude is invalid. It should probably be

    split-exclude = 10.65.36.0/22
    
  • If you use the unity plugin you should configure

    leftsubnet=10.0.0.0/8, 172.16.0.23/32
    

    instead of split-include in strongswan.conf. This allows assigning different subnets per connection.

  • Likewise, DNS servers may be assigned per connection via the rightdns option.

Regarding your main question, Mac OS X installs DNS servers unscoped only if all traffic is sent via VPN, that is, if leftsubnet=0.0.0.0/0 is configured and the client does not receive any UNITY_SPLIT_INCLUDE attributes.

In order to properly resolve host names at your remote site, I suggest you send the proper search domain to the client via a UNITY_DEF_DOMAIN attribute, for instance:

charon {
    plugins {
        attr {
            28674 = strongswan.org
        }
    }
}

This attribute only takes a single domain name. If multiple domains are required the UNITY_SPLITDNS_NAME attribute can be used:

charon {
    plugins {
        attr {
            28675 = strongswan.org hsr.ch
        }
    }
}

It takes a space-separated list of domain names that is sent to the client as is (results in a resolver for each domain on the client).
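As an added example (not part of the original answer and not strongSwan code), a small Python script that checks the two things discussed above: that the subnets handed to the attr plugin are valid CIDR prefixes (the `10.65.36/22` form is rejected, `10.65.36.0/22` is accepted), and, from the output of `scutil --dns`, whether a pushed resolver ended up unscoped (as the default resolver, or per split-DNS domain as UNITY_SPLITDNS_NAME produces) or only interface-scoped, which is the situation the question describes. The `scutil --dns` output embedded below is constructed and shortened for the example; the LAN resolver 192.168.1.1, the interface names en0/utun0 and the search domain lan.example are assumptions.

```python
"""Added example, not from the original answer or from strongSwan.

1. validate_attr_networks(): the attr plugin's split-include / split-exclude
   values must be CIDR prefixes; '10.65.36/22' is not one, '10.65.36.0/22' is.
2. parse_scutil_dns() / resolver_roles(): read `scutil --dns` output and say
   whether a resolver address is installed unscoped (default or per-domain)
   or only in the "(for scoped queries)" section.
"""
import ipaddress
import re

# Constructed, shortened `scutil --dns` output (assumed addresses/interfaces):
# the LAN resolver is the unscoped default; the VPN resolver 172.16.0.23 is
# unscoped only for strongswan.org (split DNS) and otherwise scoped to utun0.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : lan.example
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : strongswan.org
  nameserver[0] : 172.16.0.23
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : lan.example
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : 172.16.0.23
  if_index : 9 (utun0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
"""

# "key[index] : value" lines inside a resolver block, e.g. "nameserver[0] : 1.2.3.4"
_KV = re.compile(r"^\s*([a-z_ ]+?)(?:\[\d+\])?\s*:\s*(.*?)\s*$")


def validate_attr_networks(value):
    """Split a comma-separated attr value; return (valid prefixes, rejected items)."""
    valid, invalid = [], []
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        try:
            # strict=True also rejects prefixes with host bits set
            valid.append(str(ipaddress.ip_network(item, strict=True)))
        except ValueError:
            invalid.append(item)
    return valid, invalid


def parse_scutil_dns(text):
    """Return {"unscoped": [...], "scoped": [...]} lists of resolver dicts."""
    sections = {"unscoped": [], "scoped": []}
    current, resolver = None, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            current = "scoped" if "scoped" in line else "unscoped"
            resolver = None
        elif line.startswith("resolver #") and current:
            resolver = {"nameservers": [], "search": []}
            sections[current].append(resolver)
        elif resolver is not None:
            m = _KV.match(line)
            if not m:
                continue
            key, val = m.groups()
            if key == "nameserver":
                resolver["nameservers"].append(val)
            elif key == "search domain":
                resolver["search"].append(val)
            elif key in ("domain", "if_index"):
                resolver[key] = val
    return sections


def resolver_roles(sections, addr):
    """How the client installed resolver `addr`:
    default - unscoped resolver without a 'domain' (answers every query)
    domains - split-DNS domains it serves unscoped
    scoped  - present in the interface-scoped section"""
    roles = {"default": False, "domains": [], "scoped": False}
    for r in sections["unscoped"]:
        if addr in r["nameservers"]:
            if "domain" in r:
                roles["domains"].append(r["domain"])
            else:
                roles["default"] = True
    roles["scoped"] = any(addr in r["nameservers"] for r in sections["scoped"])
    return roles


if __name__ == "__main__":
    print(validate_attr_networks("10.65.36/22"))
    print(validate_attr_networks("10.0.0.0/8, 172.16.0.23/32"))
    sections = parse_scutil_dns(SAMPLE_SCUTIL_DNS)
    print(resolver_roles(sections, "172.16.0.23"))
    print(resolver_roles(sections, "192.168.1.1"))
```

On a real client, replace the embedded sample with `subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout`; a VPN resolver that shows `default: False` and an empty `domains` list but `scoped: True` is exactly the split-tunnel case the answer explains, and the remedy is the UNITY_DEF_DOMAIN or UNITY_SPLITDNS_NAME attribute rather than reordering network services.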


Author: Pierre Carrier

Updated on September 18, 2022

Comments

  • Pierre Carrier, almost 2 years

    I'd like to set up an IPSec responder (VPN server) for OSX desktops and laptops.

    Everything seems to work fine, except I cannot push a DNS server to be used system-wide on the initiator (VPN client).

    I'm using Charon's IKEv1 support in StrongSwan 5.0.4, with Unity extensions, and OSX machines are configured graphically using "Cisco VPN" in Network Preferences.

    I did try to change the service order on the client to put the VPN at the top, but that didn't help.

    In scutil --dns, the resolver only appears as resolver #1 in the "DNS configuration (for scoped queries)" section, not in the first section, "DNS configuration".

    Here are the relevant config files:

    /etc/ipsec.conf:

    conn %default
      ikelifetime=24h
      keylife=1h
      rekeymargin=10m
      keyingtries=3
      keyexchange=ikev1
      left=%defaultroute
      auto=add
    
    conn main
      leftfirewall=yes
      leftsubnet=0.0.0.0/0
      leftauth=psk
      right=%any
      rightauth=psk
      rightauth2=xauth-pam
      rightsourceip=172.17.0.0/22
    

    /etc/strongswan.conf:

    charon {
      threads = 16
      cisco_unity = yes
      plugins {
        attr {
          dns = 172.16.0.23
          split-include = 10.0.0.0/8, 172.16.0.23/32
          split-exclude = 10.65.36/22
        }
        xauth-pam {
          pam_service = ipsec
        }
      }
    }
    
  • Pierre Carrier, almost 11 years
    Brilliant. Would UNITY_DEF_DOMAIN support multiple domains?
  • ecdsa, almost 11 years
    In strongswan.conf you could configure more than one domain in a comma-separated list. But the Mac OS X client currently ignores all but the first.
  • ecdsa, almost 11 years
    Well, using UNITY_SPLITDNS_NAME it is actually possible to send multiple domains. I updated the answer.