Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?

2019-07-04 Thread Harald Dunkel

On 7/1/19 3:06 PM, Tobias Brunner wrote:

> Nobody forces you to use IPsec :-)

:-(


Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?

2019-07-01 Thread Tobias Brunner
Hi Harald,

>> Is a search domain actually required in your setup?  Because, as I said,
>> there is no standardized IKEv2 attribute for it at all.
>>
> 
> Yes, definitively. My colleagues are used to openvpn and its NetworkManager
> plugin, supporting several "dhcp-options", including domain search list.

That doesn't answer the question whether it is actually required.  Just
because it's an option in some other tool, doesn't mean it is actually
used (are people really that lazy and don't type full domain names?
what about TLS?).

> IPsec configuration on a road warrior laptop appears to be more difficult.

Nobody forces you to use IPsec :-)

>  From an admin point of view, it would be much easier and less error-prone
> to define the search list at a central location on the gateway than in the
> Network Manager gui on every road warrior laptop.

Well, there is no separate attribute to exchange it, so...  I guess a
client that supports INTERNAL_DNS_DOMAIN attributes could install the
same as search domains (maybe optionally) but not sure if that's what
people expect or if that would have some side-effects (not sure if NM
does that already as it only has one option that takes multiple domain
names, maybe it uses them for both, or it only supports search domains).

Scripting/importing NM configs might also be an option to make local
configuration easier for users.

> What I meant is, would you agree that strongswan could define its own private
> extension for IKEv2, similar to Cisco's IKEv1 extension? Obviously strongswan
> can forward some DNS server IP addresses to the peer, using the remote
> resolvconf tool to setup /etc/resolv.conf. I thought it might be just a small
> step to push a domain search string to the peer as well.

I guess, but it's not a nice solution at all (identifiers from the
private use range are very problematic and require exchange vendor ID
payloads).  You could go the IETF route and write an Internet Draft that
defines such a configuration attribute if you really see a need for it.

> As indicated before, I wouldn't care about the documents and RFCs *not*
> specifying attributes. Strongswan is highly compliant by supporting the standard
> features and attributes, but supporting some extra attributes wouldn't hurt,
> IMHO.

I don't agree with that at all.  But you are free to write your own
plugin that does whatever you want and deploy that to your clients.

Regards,
Tobias


Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?

2019-07-01 Thread Tobias Brunner
Hi Harald,

> using IKEv2 and NetworkManager I wonder how the DNS domain search
> attribute is supposed to be added to /etc/resolv.conf?

There is no such attribute for IKEv2.

> My attr.conf on the IPsec gateway says
> 
> attr {
>  dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
>  nbns = 10.0.98.253
>  28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>  28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>  load = yes
> }

The (proprietary Cisco Unity) IKEv1 attributes you assigned have
different purposes.  The first sets the default search domain, the other
is for split-DNS.  For the latter there now actually is an RFC for IKEv2
(RFC 8598) but strongSwan currently doesn't support it.  Well, you can
assign the INTERNAL_DNS_DOMAIN attribute to clients using the same
numeric assignment (25 is the identifier), but no client plugin
currently requests or handles such attributes.  In particular, the NM
plugin currently has no support for such internal domains (no idea if
NM_VPN_PLUGIN_IP4/6_CONFIG_DOMAINS could be used for that, or if that
e.g. just sets multiple search domains).

> AFAICT NetworkManager would like to call resolvconf itself, but apparently
> it is missing the DNS domain.

Is a search domain actually required in your setup?  Because, as I said,
there is no standardized IKEv2 attribute for it at all.

> Of course the documentation states: "Cisco Unity extensions for IKEv1"
> but I don't see any reason why this shouldn't work for IKEv2 as well
> (except for not being listed in some document).

Why would configuration attributes for a proprietary IKEv1 extension,
with numbers from the private use range, work with IKEv2?  Granted,
since it's not possible to set an IKE version for custom attributes in
the attr plugin's configuration, it will just assign them as configured
to any client that requests a virtual IP.  But a client that handles
them would technically be non-compliant.  Anyway, strongSwan actually
doesn't handle these Unity attributes as client at all, not even for IKEv1.

Regards,
Tobias
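
An added illustration of the attribute format behind this exchange, not code from the thread or from strongSwan: a decoder for the IKEv2 Configuration Payload attribute layout of RFC 7296 (R bit, 15-bit type, 16-bit length, value) that installs DNS servers (type 3) and domains from INTERNAL_DNS_DOMAIN (type 25, RFC 8598) but only reports, and never applies, types from the private-use range 16384-32767, where the Unity numbers 28674/28675 live; that is the compliant-client behaviour described above. The CONFIG_REPLY bytes and the Unity attribute labels are constructed for this example.

```python
import ipaddress
import struct

# IKEv2 CP attribute types (RFC 7296 3.15.1); 25 is RFC 8598's INTERNAL_DNS_DOMAIN.
INTERNAL_IP4_DNS, INTERNAL_DNS_DOMAIN = 3, 25
PRIVATE_USE = range(16384, 32768)            # IANA private-use type range
# Labels for the Cisco Unity IKEv1 attribute numbers used in the attr.conf above
UNITY_NAMES = {28674: "UNITY_DEF_DOMAIN", 28675: "UNITY_SPLITDNS_NAME"}

def encode_attr(attr_type, value):
    """One CP attribute: R bit 0 | 15-bit type, 16-bit value length, value."""
    if not 0 <= attr_type < 0x8000:
        raise ValueError("attribute type must fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value

def decode_attrs(data):
    """Split an attribute list into (type, value) pairs, rejecting truncation."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, off)
        if raw_type & 0x8000:
            raise ValueError("reserved R bit set")
        off += 4
        if len(data) - off < length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((raw_type, data[off:off + length]))
        off += length
    return attrs

def client_policy(data):
    """What a compliant client may install from a CONFIG_REPLY: DNS servers
    (type 3, 4 octets) and domains (type 25, UTF-8). Private-use attributes
    are only reported under 'ignored', never applied."""
    out = {"dns": [], "domains": [], "ignored": []}
    for t, v in decode_attrs(data):
        if t == INTERNAL_IP4_DNS and len(v) == 4:    # length 0 = request only
            out["dns"].append(str(ipaddress.IPv4Address(v)))
        elif t == INTERNAL_DNS_DOMAIN and v:
            out["domains"].append(v.decode("utf-8"))
        elif t in PRIVATE_USE:
            out["ignored"].append(UNITY_NAMES.get(t, f"private-use {t}"))
    return out

def sample_reply():
    """Constructed CONFIG_REPLY attributes mirroring the gateway's attr.conf."""
    dns = [encode_attr(INTERNAL_IP4_DNS, ipaddress.IPv4Address(a).packed)
           for a in ("10.0.122.9", "10.0.96.123", "10.0.96.124")]
    return (b"".join(dns) + encode_attr(INTERNAL_DNS_DOMAIN, b"example.com")
            + encode_attr(28674, b"ipsec.example.com example.com"))
```

Running `client_policy(sample_reply())` yields the three DNS servers and `example.com` as the only domain, with the Unity attribute listed under `ignored`, which matches the "DNS Domain: '(none)'" outcome a client that does not handle type 25 would show.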


[strongSwan] IKEv2: how to set the DNS search attribute on the peer?

2019-07-01 Thread Harald Dunkel

Hi folks,

using IKEv2 and NetworkManager I wonder how the DNS domain search
attribute is supposed to be added to /etc/resolv.conf?

My attr.conf on the IPsec gateway says

attr {
 dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
 nbns = 10.0.98.253
 28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
 28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
 load = yes
}

AFAICT NetworkManager would like to call resolvconf itself, but apparently
it is missing the DNS domain. syslog on my laptop tells me

Jul  1 08:25:19 ppcl001 NetworkManager[992]:   [1561962319.5404] audit: op="connection-activate" 
uuid="e3e13c44-f079-42d9-9d40-5156082f2914" name="ipsecgate IKEv2" pid=5931 uid=6502 
result="success"
Jul  1 08:25:19 ppcl001 NetworkManager[992]:   [1561962319.5435] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Saw the service appear; activating connection
Jul  1 08:25:19 ppcl001 NetworkManager[992]:   [1561962319.5633] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: VPN connection: (ConnectInteractive) reply received
Jul  1 08:25:19 ppcl001 charon-nm: 05[CFG] received initiate for NetworkManager 
connection ipsecgate IKEv2
Jul  1 08:25:19 ppcl001 NetworkManager[992]:   [1561962319.6125] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: VPN plugin: state changed: starting (3)
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7119] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data: VPN Gateway: 5.145.142.209
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data: Tunnel Device: (null)
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data: IPv4 configuration:
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Internal Address: 10.0.122.66
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Internal Prefix: 32
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Internal Point-to-Point Address: 10.0.122.66
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7126] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Maximum Segment Size (MSS): 0
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Forbid Default Route: yes
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Internal DNS: 10.0.122.9
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Internal DNS: 10.0.96.123
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Internal DNS: 10.0.96.124
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   Internal DNS: 127.0.0.1
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data:   DNS Domain: '(none)'
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7127] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: Data: No IPv6 configuration
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7134] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: VPN connection: (IP Config Get) complete
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7134] 
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate 
IKEv2",0]: VPN plugin: state changed: started (4)
Jul  1 08:25:26 ppcl001 NetworkManager[992]:   [1561962326.7225] dns-mgr: 
Writing DNS information to /sbin/resolvconf

Of course the documentation states: "Cisco Unity extensions for IKEv1"
but I don't see any reason why this 
