Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?
On 7/1/19 3:06 PM, Tobias Brunner wrote:
> Nobody forces you to use IPsec :-)

:-(
Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?
Hi Harald,

>> Is a search domain actually required in your setup? Because, as I said,
>> there is no standardized IKEv2 attribute for it at all.
>
> Yes, definitively. My colleagues are used to openvpn and its NetworkManager
> plugin, supporting several "dhcp-options", including domain search list.

That doesn't answer the question whether it is actually required. Just
because it's an option in some other tool, doesn't mean it is actually used
(are people really that lazy and don't type full domain names? what about
TLS?).

> IPsec configuration on a road warrior laptop appears to be more difficult.

Nobody forces you to use IPsec :-)

> From an admin point of view, it would be much easier and less error-prone
> to define the search list at a central location on the gateway than in the
> Network Manager gui on every road warrior laptop.

Well, there is no separate attribute to exchange it, so... I guess a client
that supports INTERNAL_DNS_DOMAIN attributes could install the same as search
domains (maybe optionally) but not sure if that's what people expect or if
that would have some side-effects (not sure if NM does that already as it
only has one option that takes multiple domain names, maybe it uses them for
both, or it only supports search domains). Scripting/importing NM configs
might also be an option to make local configuration easier for users.

> What I meant is, would you agree that strongswan could define its own private
> extension for IKEv2, similar to Cisco's IKEv1 extension? Obviously strongswan
> can forward some DNS server IP addresses to the peer, using the remote
> resolvconf tool to set up /etc/resolv.conf. I thought it might be just a small
> step to push a domain search string to the peer as well.

I guess, but it's not a nice solution at all (identifiers from the private
use range are very problematic and require exchanging vendor ID payloads).
You could go the IETF route and write an Internet Draft that defines such a
configuration attribute if you really see a need for it.

> As indicated before, I wouldn't care about the documents and RFCs *not*
> specifying attributes. Strongswan is highly compliant by supporting the
> standard features and attributes, but supporting some extra attributes
> wouldn't hurt, IMHO.

I don't agree with that at all. But you are free to write your own plugin
that does whatever you want and deploy that to your clients.

Regards,
Tobias
Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?
Hi Harald,

> using IKEv2 and NetworkManager I wonder how the DNS domain search
> attribute is supposed to be added to /etc/resolv.conf?

There is no such attribute for IKEv2.

> My attr.conf on the IPsec gateway says
>
> attr {
>     dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
>     nbns = 10.0.98.253
>     28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>     28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>     load = yes
> }

The (proprietary Cisco Unity) IKEv1 attributes you assigned have different
purposes. The first sets the default search domain, the other is for
split-DNS. For the latter there now actually is an RFC for IKEv2 (RFC 8598)
but strongSwan currently doesn't support it. Well, you can assign the
INTERNAL_DNS_DOMAIN attribute to clients using the same numeric assignment
(25 is the identifier), but no client plugin currently requests or handles
such attributes. In particular, the NM plugin currently has no support for
such internal domains (no idea if NM_VPN_PLUGIN_IP4/6_CONFIG_DOMAINS could be
used for that, or if that e.g. just sets multiple search domains).

> AFAICT NetworkManager would like to call resolvconf itself, but apparently
> it is missing the DNS domain.

Is a search domain actually required in your setup? Because, as I said,
there is no standardized IKEv2 attribute for it at all.

> Of course the documentation states: "Cisco Unity extensions for IKEv1"
> but I don't see any reason why this shouldn't work for IKEv2 as well
> (except for not being listed in some document).

Why would configuration attributes for a proprietary IKEv1 extension, with
numbers from the private use range, work with IKEv2? Granted, since it's
not possible to set an IKE version for custom attributes in the attr
plugin's configuration, it will just assign them as configured to any
client that requests a virtual IP. But a client that handles them would
technically be non-compliant.

Anyway, strongSwan actually doesn't handle these Unity attributes as client
at all, not even for IKEv1.

Regards,
Tobias
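Worked example added here by the editor; it is not code from the thread, from strongSwan or from NetworkManager. It takes the attr.conf block quoted above, encodes it the way a gateway would carry it in an IKEv2 Configuration Payload (RFC 7296 section 3.15.1 TLV format: reserved bit, 15-bit type, 16-bit length, value), then decodes it as a standards-compliant client would. That makes the point of the reply concrete: 28674 and 28675 fall in the registry's Private Use block (16384-32767), so a compliant client ignores them and the client ends up with DNS servers but no search domain, whereas 25 (INTERNAL_DNS_DOMAIN, RFC 8598) is the registered attribute that could carry one. Assumptions: the attr.conf parser is a toy (addresses split on commas or whitespace, a numeric key becomes a single attribute holding the raw string, repeated keys allowed), the `25 = ...` variant is a hypothetical config and not documented attr plugin syntax, and the registry names shown are a subset of the IANA table.

```python
import socket
import struct

# Subset of the IANA "IKEv2 Configuration Payload Attribute Types" registry
# (RFC 7296 sec. 3.15.1); 25 INTERNAL_DNS_DOMAIN was added by RFC 8598.
IKEV2_ATTRS = {1: "INTERNAL_IP4_ADDRESS", 3: "INTERNAL_IP4_DNS",
               4: "INTERNAL_IP4_NBNS", 25: "INTERNAL_DNS_DOMAIN"}
PRIVATE_USE = range(16384, 32768)   # Private Use block of that registry

# Cisco Unity IKEv1 attribute numbers used in the thread's attr.conf.
UNITY_ATTRS = {28674: "UNITY_DEF_DOMAIN", 28675: "UNITY_SPLITDNS_NAME"}

# attr.conf keywords modelled here -> IKEv2 attribute type.
KEYWORDS = {"dns": 3, "nbns": 4}


def parse_attr_conf(text):
    """Turn the 'key = value' lines of an attr { } block into (type, bytes)
    pairs. Toy parser (assumption): addresses split on commas/whitespace, a
    numeric key becomes one attribute carrying the raw string, keys may repeat."""
    pairs = []
    for line in text.splitlines():
        if "=" not in line:
            continue                       # 'attr {', '}', blank lines
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "load":                  # plugin switch, not an attribute
            continue
        if key in KEYWORDS:
            for addr in value.replace(",", " ").split():
                pairs.append((KEYWORDS[key], socket.inet_aton(addr)))
        elif key.isdigit():
            pairs.append((int(key), value.encode()))
        else:
            raise ValueError(f"unsupported attr.conf key: {key!r}")
    return pairs


def encode_cp(pairs):
    """Serialise as CP attribute TLVs: R(1) | Type(15) | Length(16) | Value."""
    out = bytearray()
    for attr_type, value in pairs:
        out += struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value
    return bytes(out)


def decode_cp(blob):
    """Parse TLVs back out, refusing truncated or over-long attributes."""
    pairs, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("attribute length runs past the payload")
        pairs.append((attr_type & 0x7FFF, bytes(blob[off:off + length])))
        off += length
    return pairs


def is_well_formed(blob):
    """True if decode_cp accepts the payload without error."""
    try:
        decode_cp(blob)
        return True
    except ValueError:
        return False


def apply_as_client(blob):
    """Decode like a standards-compliant client: act on registered types it
    understands, record everything else (Private Use included) as ignored."""
    result = {"dns": [], "nbns": [], "search_domains": [], "ignored": []}
    for attr_type, value in decode_cp(blob):
        if attr_type == 3:
            result["dns"].append(socket.inet_ntoa(value))
        elif attr_type == 4:
            result["nbns"].append(socket.inet_ntoa(value))
        elif attr_type == 25:
            result["search_domains"].append(value.decode())
        elif attr_type in PRIVATE_USE:
            result["ignored"].append((attr_type, UNITY_ATTRS.get(attr_type, "private-use")))
        else:
            result["ignored"].append((attr_type, IKEV2_ATTRS.get(attr_type, "not-modelled")))
    return result


# Constructed copy of the attr.conf from the original post.
ORIGINAL_CONF = """
attr {
    dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
    nbns = 10.0.98.253
    28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
    28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
    load = yes
}
"""

# Hypothetical variant using the registered INTERNAL_DNS_DOMAIN (25) instead,
# one attribute per domain; constructed for this example, not attr plugin syntax.
RFC8598_CONF = """
attr {
    dns = 10.0.122.9
    25 = example.com
    25 = ac.example.com
    load = yes
}
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("rfc8598", RFC8598_CONF)):
        print(name, apply_as_client(encode_cp(parse_attr_conf(conf))))
```

Running it shows the original configuration yielding three DNS servers, one NBNS server and an empty search domain list, with both Unity attributes recorded as ignored, which is exactly the "DNS Domain: '(none)'" the NetworkManager log in the original post reports. The decoder's length checks are the part a client implementer should keep: an attribute whose declared length runs past the payload must be rejected rather than read beyond the buffer.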
[strongSwan] IKEv2: how to set the DNS search attribute on the peer?
Hi folks,

using IKEv2 and NetworkManager I wonder how the DNS domain search
attribute is supposed to be added to /etc/resolv.conf?

My attr.conf on the IPsec gateway says

attr {
    dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
    nbns = 10.0.98.253
    28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
    28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
    load = yes
}

AFAICT NetworkManager would like to call resolvconf itself, but apparently
it is missing the DNS domain. syslog on my laptop tells me

Jul 1 08:25:19 ppcl001 NetworkManager[992]: [1561962319.5404] audit: op="connection-activate" uuid="e3e13c44-f079-42d9-9d40-5156082f2914" name="ipsecgate IKEv2" pid=5931 uid=6502 result="success"
Jul 1 08:25:19 ppcl001 NetworkManager[992]: [1561962319.5435] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Saw the service appear; activating connection
Jul 1 08:25:19 ppcl001 NetworkManager[992]: [1561962319.5633] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (ConnectInteractive) reply received
Jul 1 08:25:19 ppcl001 charon-nm: 05[CFG] received initiate for NetworkManager connection ipsecgate IKEv2
Jul 1 08:25:19 ppcl001 NetworkManager[992]: [1561962319.6125] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: starting (3)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7119] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: VPN Gateway: 5.145.142.209
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Tunnel Device: (null)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: IPv4 configuration:
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Address: 10.0.122.66
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Prefix: 32
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Point-to-Point Address: 10.0.122.66
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Maximum Segment Size (MSS): 0
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Forbid Default Route: yes
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.122.9
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.96.123
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.96.124
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 127.0.0.1
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   DNS Domain: '(none)'
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: No IPv6 configuration
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP Config Get) complete
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: started (4)
Jul 1 08:25:26 ppcl001 NetworkManager[992]: [1561962326.7225] dns-mgr: Writing DNS information to /sbin/resolvconf

Of course the documentation states: "Cisco Unity extensions for IKEv1"
but I don't see any reason why this shouldn't work for IKEv2 as well
(except for not being listed in some document).