[strongSwan] installing DNS server %any to /etc/resolv.conf
Hi,

I am getting this strange log when I set up a strongswan tunnel:

installing DNS server %any to /etc/resolv.conf

And it adds this line to /etc/resolv.conf:

nameserver %any # by strongSwan, from C=UK, ST= ...

Does anyone know what is causing this? I am assuming it is a mis-configuration or bug.

The IPsec gateway is a: Linux strongSwan U4.2.11/K2.6.28-11-generic
The IPsec client is a: Linux strongSwan U4.3.3/K2.6.28

Regards,
Dimitrios Siganos

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
I should add that we are not trying to use DNS. As far as we can see, we are not setting any DNS settings, in ipsec.conf or strongswan.conf, in either the gateway or the client.

Dimitrios Siganos wrote:
> Hi,
>
> I am getting this strange log when I set up a strongswan tunnel:
>
> installing DNS server %any to /etc/resolv.conf
>
> And it adds this line to /etc/resolv.conf:
>
> nameserver %any # by strongSwan, from C=UK, ST= ...
>
> Does anyone know what is causing this? I am assuming it is a mis-configuration or bug.
>
> The IPsec gateway is a: Linux strongSwan U4.2.11/K2.6.28-11-generic
> The IPsec client is a: Linux strongSwan U4.3.3/K2.6.28
>
> Regards,
> Dimitrios Siganos
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
Hi,

> I am assuming it is a mis-configuration or bug.

Maybe both. It seems that your client requests a DNS server, but your server returns an empty or a 0.0.0.0 address.

> The IPsec gateway is a: Linux strongSwan U4.2.11/K2.6.28-11-generic

Some time has passed since 4.2.11; probably we handle it better now. If you want to push DNS information to your client, you'll need a more recent version on the gateway.

> The IPsec client is a: Linux strongSwan U4.3.3/K2.6.28

4.3.3 always includes a DNS request if you request a virtual IP. But you can skip the installation by disabling the resolve plugin during ./configure.

Regards
Martin
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
Hi Martin,

It is a bug in strongswan. The bug exists in the latest git code as well. In the function:

static bool handle(private_resolve_handler_t *this, identification_t *server, configuration_attribute_type_t type, chunk_t data)

located inside the file:

http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/plugins/resolve/resolve_handler.c

the DNS IP address provided by the IPsec gateway is printed out (using the %H mechanism) without any checking. But it looks like (I haven't checked) %H prints %any when it is given an IP address of 0.0.0.0 or similar. I can confirm that my IPsec gateway returns 0.0.0.0 as the DNS. It should either print out 0.0.0.0 or nothing at all. I am not sure which is more appropriate.

Also, looking at the source, I can see a possible leak. If 'in' is opened successfully but 'out' cannot be opened, then 'in' is leaked.

Regards,
Dimitrios Siganos

Martin Willi wrote:
> Hi,
>
> > I am assuming it is a mis-configuration or bug.
>
> Maybe both. It seems that your client requests a DNS server, but your server returns an empty or a 0.0.0.0 address.
>
> > The IPsec gateway is a: Linux strongSwan U4.2.11/K2.6.28-11-generic
>
> Some time has passed since 4.2.11; probably we handle it better now. If you want to push DNS information to your client, you'll need a more recent version on the gateway.
>
> > The IPsec client is a: Linux strongSwan U4.3.3/K2.6.28
>
> 4.3.3 always includes a DNS request if you request a virtual IP. But you can skip the installation by disabling the resolve plugin during ./configure.
>
> Regards
> Martin
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
> It should either print out 0.0.0.0 or nothing at all. I am not sure which is more appropriate.

0.0.0.0 is almost as invalid as %any; installing it does not make sense. I pushed a patch that does not install such servers.

Regards
Martin
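The two points raised in this thread, rejecting an all-zero DNS attribute before it reaches /etc/resolv.conf and closing 'in' when 'out' cannot be opened, sketched as an added example. This is not strongSwan's resolve plugin code; the function names, the temp-file-plus-rename step and the raw 4/16-byte address representation are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical helper (not the resolve plugin's code): the attribute is usable
 * only if it is a 4- or 16-byte address that is not all zeros (0.0.0.0 / ::). */
static bool dns_attribute_usable(const uint8_t *data, size_t len)
{
    if (data == NULL || (len != 4 && len != 16))
        return false;
    for (size_t i = 0; i < len; i++)
        if (data[i] != 0)
            return true;
    return false;
}

/* Render the resolv.conf line; -1 means the attribute must not be installed. */
static int format_nameserver_line(char *buf, size_t buflen, const uint8_t *data,
                                  size_t len, const char *from)
{
    char ip[INET6_ADDRSTRLEN];
    if (!dns_attribute_usable(data, len) ||
        inet_ntop(len == 4 ? AF_INET : AF_INET6, data, ip, sizeof(ip)) == NULL)
        return -1;
    int n = snprintf(buf, buflen, "nameserver %s # by strongSwan, from %s\n", ip, from);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Prepend the line to 'path' via a temp file. Every exit passes 'done', so 'in'
 * is closed even when 'out' cannot be opened (the leak noted in the thread). */
static bool install_dns_server(const char *path, const char *tmp_path,
                               const uint8_t *data, size_t len, const char *from)
{
    char line[256], existing[512];
    FILE *in, *out = NULL;
    bool ok = false;
    if (format_nameserver_line(line, sizeof(line), data, len, from) < 0)
        return false;                 /* 0.0.0.0, :: or malformed: skip */
    in = fopen(path, "r");            /* NULL just means nothing to preserve */
    if ((out = fopen(tmp_path, "w")) == NULL || fputs(line, out) == EOF)
        goto done;
    while (in && fgets(existing, sizeof(existing), in))
        if (fputs(existing, out) == EOF)
            goto done;
    ok = true;
done:
    if (in) fclose(in);
    if (out) fclose(out);
    return ok && rename(tmp_path, path) == 0;
}
```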