I'd like to set up an IPSec responder (VPN server) for OSX desktops and laptops.

Everything seems to work fine, except I cannot push a DNS server to be used system-wide on the initiator (VPN client).

I'm using Charon's IKEv1 support in StrongSwan 5.0.4, with Unity extensions, and OSX machines are configured graphically using "Cisco VPN" in Network Preferences.

I did try to change the service order on the client to put the VPN at the top, but that didn't help.

In scutil --dns, the resolver only appears as resolver #1 in the "DNS configuration (for scoped queries)" section, not in the first "DNS configuration" section.

Here are the relevant config files:

/etc/ipsec.conf:

conn %default
  ikelifetime=24h
  keylife=1h
  rekeymargin=10m
  keyingtries=3
  keyexchange=ikev1
  left=%defaultroute
  auto=add

conn main
  leftfirewall=yes
  leftsubnet=0.0.0.0/0
  leftauth=psk
  right=%any
  rightauth=psk
  rightauth2=xauth-pam
  rightsourceip=172.17.0.0/22

/etc/strongswan.conf:

charon {
  threads = 16
  cisco_unity = yes
  plugins {
    attr {
      dns = 172.16.0.23
      split-include = 10.0.0.0/8, 172.16.0.23/32
      split-exclude = 10.65.36/22
    }
    xauth-pam {
      pam_service = ipsec
    }
  }
}

Pierre Carrier

1 Answer

A couple of comments on your config:

  • The subnet you configured for split-exclude is invalid. It should probably be

    split-exclude = 10.65.36.0/22

  • If you use the unity plugin you should configure

    leftsubnet=10.0.0.0/8, 172.16.0.23/32

    instead of split-include in strongswan.conf. This allows assigning different subnets per connection.

  • Likewise, DNS servers may be assigned per connection via the rightdns option.

Regarding your main question, Mac OS X installs DNS servers unscoped only if all traffic is sent via VPN, that is, if leftsubnet=0.0.0.0/0 is configured and the client does not receive any UNITY_SPLIT_INCLUDE attributes.

In order to properly resolve host names at your remote site, I suggest you send the proper search domain to the client via a UNITY_DEF_DOMAIN attribute, for instance:

charon {
    plugins {
        attr {
            28674 = strongswan.org
        }
    }
}

This attribute only takes a single domain name. If multiple domains are required the UNITY_SPLITDNS_NAME attribute can be used:

charon {
    plugins {
        attr {
            28675 = strongswan.org hsr.ch
        }
    }
}

It takes a space-separated list of domain names that is sent to the client as is (results in a resolver for each domain on the client).

ecdsa
  • Brilliant. Would UNITY_DEF_DOMAIN support multiple domains? – Pierre Carrier Jul 08 '13 at 13:34
  • In `strongswan.conf` you could configure more than one domain in a comma-separated list. But the Mac OS X client currently ignores all but the first. – ecdsa Jul 08 '13 at 14:04
  • Well, using `UNITY_SPLITDNS_NAME` it is actually possible to send multiple domains. I updated the answer. – ecdsa Jul 08 '13 at 14:19
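As an added example (not code from the answer or from strongSwan), a small Python checker that parses `scutil --dns` output on the Mac client and reports whether the pushed DNS server ended up unscoped (system-wide), split per domain (what UNITY_SPLITDNS_NAME produces, one resolver per domain), or only under scoped queries as in the question. The sample output is constructed, and the section and resolver layout it assumes is that of `scutil --dns`.

```python
# Constructed sample of `scutil --dns` output (not a real capture): the client got
# UNITY_SPLITDNS_NAME (one unscoped resolver per domain) plus the scoped utun0 one.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : home.lan
  nameserver[0] : 192.168.1.1

resolver #2
  domain   : strongswan.org
  nameserver[0] : 172.16.0.23

resolver #3
  domain   : hsr.ch
  nameserver[0] : 172.16.0.23

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : strongswan.org
  nameserver[0] : 172.16.0.23
  if_index : 10 (utun0)
"""

def parse_scutil_dns(text):
    """Return {section header: [resolver dicts]} parsed from `scutil --dns` text."""
    sections, section, resolver = {}, None, None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            section, resolver = line.strip(), None
        elif line.startswith("resolver #"):
            resolver = {"nameserver": [], "search": [], "domain": []}
            sections.setdefault(section, []).append(resolver)
        elif resolver is not None and " : " in line:
            key, value = (s.strip() for s in line.split(" : ", 1))
            key = key.split("[")[0].replace("search domain", "search")  # nameserver[0] -> nameserver
            if key in resolver: resolver[key].append(value)  # other keys (if_index, flags) ignored
    return sections

def vpn_dns_status(text, server):
    """'unscoped' (system-wide), 'split' (only the returned domains), 'scoped-only' (the question's symptom), 'absent'."""
    sections = parse_scutil_dns(text)
    unscoped = [r for r in sections.get("DNS configuration", []) if server in r["nameserver"]]
    scoped = sections.get("DNS configuration (for scoped queries)", [])
    if any(not r["domain"] for r in unscoped):
        return "unscoped", []
    if unscoped:
        return "split", sorted(d for r in unscoped for d in r["domain"])
    return ("scoped-only" if any(server in r["nameserver"] for r in scoped) else "absent"), []
```

Run it against real output with `vpn_dns_status(subprocess.check_output(["scutil", "--dns"], text=True), "172.16.0.23")`; a result of "scoped-only" reproduces the situation described in the question.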