strongswan can't push DNS resolver to OSX Mountain Lion (split tunnel)
A couple of comments on your config:
- The subnet you configured for split-exclude is invalid. It should probably be:
      split-exclude = 10.65.36.0/22
- If you use the unity plugin you should configure leftsubnet=10.0.0.0/8, 172.16.0.23/32 instead of split-include in strongswan.conf. This allows assigning different subnets per connection. Likewise, DNS servers may be assigned per connection via the rightdns option.
Regarding your main question, Mac OS X installs DNS servers unscoped only if all traffic is sent via VPN, that is, if leftsubnet=0.0.0.0/0 is configured and the client does not receive any UNITY_SPLIT_INCLUDE attributes.
In order to properly resolve host names at your remote site, I suggest you send the proper search domain to the client via a UNITY_DEF_DOMAIN attribute, for instance:

    charon {
        plugins {
            attr {
                28674 = strongswan.org
            }
        }
    }
This attribute only takes a single domain name. If multiple domains are required the UNITY_SPLITDNS_NAME attribute can be used:

    charon {
        plugins {
            attr {
                28675 = strongswan.org hsr.ch
            }
        }
    }
It takes a space-separated list of domain names that is sent to the client as is (results in a resolver for each domain on the client).
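The checks the answer spells out (a three-octet prefix like 10.65.36/22 is not a valid subnet, split-include belongs in leftsubnet when the unity plugin is used, attribute 28674 carries exactly one domain while 28675 carries a space-separated list) are easy to get wrong by hand, so here is an added example, not part of the answer or of strongSwan itself, that parses the brace-delimited strongswan.conf syntax and reports those mistakes before the daemon is reloaded. The two embedded configs are constructed: one mirrors the questioner's file, the other has the answer's corrections applied; the attribute numbers and option names are the ones shown on this page.

```python
import ipaddress
import re

# Constructed sample based on the strongswan.conf posted in the question,
# written in the multi-line form strongswan reads (the page shows it on one line).
POSTED_CONF = """\
charon {
    threads = 16
    cisco_unity = yes
    plugins {
        attr {
            dns = 172.16.0.23
            split-include = 10.0.0.0/8, 172.16.0.23/32
            split-exclude = 10.65.36/22
            28674 = strongswan.org
        }
        xauth-pam {
            pam_service = ipsec
        }
    }
}
"""

# Constructed sample with the answer's corrections: a valid split-exclude,
# subnets moved out of split-include (into leftsubnet in ipsec.conf), and
# UNITY_SPLITDNS_NAME carrying two search domains.
CORRECTED_CONF = """\
charon {
    cisco_unity = yes
    plugins {
        attr {
            dns = 172.16.0.23
            split-exclude = 10.65.36.0/22
            28675 = strongswan.org hsr.ch
        }
    }
}
"""

UNITY_DEF_DOMAIN = "28674"      # a single search domain
UNITY_SPLITDNS_NAME = "28675"   # space-separated list of domains
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_conf(text):
    """Parse strongswan.conf's 'section { key = value }' syntax into nested dicts.

    Accepts '#' comments and one 'section {', 'key = value' or '}' per line.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def _items(value):
    """Split a comma-separated attr value into its non-empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_attr(conf):
    """Return a list of problems found in charon.plugins.attr (empty means clean)."""
    problems = []
    charon = conf.get("charon", {})
    attr = charon.get("plugins", {}).get("attr", {})

    # Subnet lists must be CIDR prefixes with a full network address.
    for key in ("split-include", "split-exclude"):
        for net in _items(attr.get(key, "")):
            try:
                ipaddress.ip_network(net, strict=True)
            except ValueError:
                problems.append(f"{key}: '{net}' is not a valid CIDR subnet")

    # DNS servers are plain IP addresses.
    for server in _items(attr.get("dns", "")):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"dns: '{server}' is not an IP address")

    # With the unity plugin, per-connection leftsubnet replaces a global split-include.
    if charon.get("cisco_unity") == "yes" and "split-include" in attr:
        problems.append("split-include set with cisco_unity = yes; use leftsubnet in ipsec.conf instead")

    # UNITY_DEF_DOMAIN carries exactly one domain; UNITY_SPLITDNS_NAME a space-separated list.
    names = []
    if UNITY_DEF_DOMAIN in attr:
        names = attr[UNITY_DEF_DOMAIN].split()
        if len(names) != 1:
            problems.append(f"{UNITY_DEF_DOMAIN} (UNITY_DEF_DOMAIN) takes one domain, got {len(names)}")
    names += attr.get(UNITY_SPLITDNS_NAME, "").split()
    for name in names:
        if not DOMAIN_RE.match(name):
            problems.append(f"'{name}' is not a valid domain name")
    return problems


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("corrected", CORRECTED_CONF)):
        print(label, check_attr(parse_conf(text)) or "OK")
```

Run stand-alone, the posted config yields two findings (the malformed split-exclude and the split-include advice) and the corrected one none; strict=True in ip_network is deliberate so that a prefix with host bits set is also rejected.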
Pierre Carrier
Updated on September 18, 2022

Comments
- Pierre Carrier almost 2 years
  I'd like to set up an IPSec responder (VPN server) for OSX desktops and laptops.
  Everything seems to work fine, except I cannot push a DNS server to be used system-wide on the initiator (VPN client).
  I'm using Charon's IKEv1 support in StrongSwan 5.0.4, with Unity extensions, and OSX machines are configured graphically using "Cisco VPN" in Network Preferences.
  I did try to change the service order on the client to put the VPN at the top, but that didn't help.
  In scutil --dns, the resolver only appears as resolver #1 in the "DNS configuration (for scoped queries)" section, not in the first section, "DNS configuration".
  Here are the relevant config files:
  /etc/ipsec.conf:

      conn %default
          ikelifetime=24h
          keylife=1h
          rekeymargin=10m
          keyingtries=3
          keyexchange=ikev1
          left=%defaultroute
          auto=add

      conn main
          leftfirewall=yes
          leftsubnet=0.0.0.0/0
          leftauth=psk
          right=%any
          rightauth=psk
          rightauth2=xauth-pam
          rightsourceip=172.17.0.0/22

  /etc/strongswan.conf:

      charon {
          threads = 16
          cisco_unity = yes
          plugins {
              attr {
                  dns = 172.16.0.23
                  split-include = 10.0.0.0/8, 172.16.0.23/32
                  split-exclude = 10.65.36/22
              }
              xauth-pam {
                  pam_service = ipsec
              }
          }
      }
- Pierre Carrier almost 11 years
  Brilliant. Would UNITY_DEF_DOMAIN support multiple domains?
- ecdsa almost 11 years
  In strongswan.conf you could configure more than one domain in a comma-separated list. But the Mac OS X client currently ignores all but the first.
- ecdsa almost 11 years
  Well, using UNITY_SPLITDNS_NAME it is actually possible to send multiple domains. I updated the answer.