The server needs the attr plugin (ipsec statusall should list it)
and up to two DNS and WINS servers can be defined in strongswan.conf:

# /etc/strongswan.conf - strongSwan configuration file

charon {
  dns1 = 62.2.17.60
  dns2 = 62.2.24.162
  nbns1 = 10.10.1.1
  nbns2 = 10.10.0.1
}

On the client just the resolv-conf plugin is required (ipsec
statusall should list it). The DNS servers are appended to
/etc/resolv.conf or the file you specified with the compile
option --with-resolv-conf=. When the tunnel goes down,
the DNS information is removed.

Regards

Andreas

weiping deng wrote:
> Hi Andreas,
> 
> Thanks for your quick response and important information about the
> configuration payload. 
> I want to confirm the following item with you further:
> Do I need to configure nothing in ipsec.conf or strongswan.conf and
> only need to start the "resolv and attr" plugins on the server side and
> peer side?
> 
> Best Regards,
> David
> -----Original Message-----
> From: Andreas Steffen [mailto:[email protected]] 
> Sent: September 24, 2009 15:03
> To: weiping deng
> Cc: 'Martin Willi'; [email protected]
> Subject: Re: Some Question about the configuration payload
> 
> weiping deng wrote:
>> Hi Both,
>>
>> Excuse me. I have the following questions about the configuration payload:
>>
>> Q1:
>>
>> In the current version of strongSwan, can the internal DNS be
>> assigned by the server when the peer initiates the request for it with
>> the same configuration payload as for the virtual IP request?
>>
>> If internal DNS can be assigned, where can I get this information? And
>> if I want to obtain this information for further handling, how can I do that?
>>
> Yes, internal DNS servers can be assigned to a strongSwan client via
> the configuration payload. A sample scenario is shown here:
> 
> http://www.strongswan.org/uml/testresults43/ikev2/config-payload/console.log
> 
> By default the DNS servers are added to /etc/resolv.conf by the
> resolv-conf plugin. The destination file can be changed via the
> 
>   --with-resolv-conf=<file>
> 
> configuration option. strongSwan as a server can read DNS and WINS
> server information from /etc/strongswan.conf using the attr plugin:
> 
> http://www.strongswan.org/uml/testresults43/ikev2/config-payload/moon.strongswan.conf
> 
> Both the attr and resolv-conf (renamed to "resolve" starting with
> release 4.3.5) plugins are enabled by default.
> 
>> Q2:
>>
>> I have always had a question, i.e.: as described in RFC4306 (IKEv2),
>> the server can assign the internal subnet and corresponding netmask to
>> the peer. Why do we need to configure the rightsubnet in the peer's ipsec.conf?
>>
>> Can this item be removed from ipsec.conf? Or maybe this item is not
>> used to configure the internal subnet and can be set to a random value
>> (in fact, it does not work when I set a random value for
>> right/leftsubnet).
>>
> On the client side you can define right|leftsubnet=0.0.0.0/0
> and the server will narrow the range down to its own definition.
> "Narrowing" is an IKEv2 feature.
> 
>>  
>>
>> Look forward to your answer, thanks.
>>
>> David
> 
> Regards
> 
> Andreas
> 
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 


-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
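
Added example (not part of the original message and not strongSwan code): a Python check that reads the dns1/dns2 values from the gateway's charon section shown above and compares them with a client's resolv.conf, reporting assigned servers that are missing while the tunnel is up or still present after it went down. The function names and the resolv.conf samples are constructed for illustration; 192.168.0.1 stands in for the client's own resolver.

```python
import re

# Server-side settings as quoted in the message above.
STRONGSWAN_CONF = """\
charon {
  dns1 = 62.2.17.60
  dns2 = 62.2.24.162
  nbns1 = 10.10.1.1
  nbns2 = 10.10.0.1
}
"""
# Constructed client resolv.conf samples; 192.168.0.1 is a made-up local resolver.
RESOLV_TUNNEL_UP = "nameserver 192.168.0.1\nnameserver 62.2.17.60\nnameserver 62.2.24.162\n"
RESOLV_TUNNEL_DOWN = "nameserver 192.168.0.1\n"

def charon_attributes(conf_text):
    """Collect dns1/dns2 and nbns1/nbns2 set directly in the charon { } section."""
    attrs, path = {"dns": [], "nbns": []}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            path.append(line[:-1].strip())       # entering a (possibly nested) section
        elif line == "}":
            if path:
                path.pop()
        elif path == ["charon"] and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            match = re.fullmatch(r"(dns|nbns)[12]", key)
            if match:
                attrs[match.group(1)].append(value)
    return attrs

def nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    found = []
    for raw in resolv_text.splitlines():
        fields = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found

def audit(conf_text, resolv_text, tunnel_up):
    """Report assigned DNS servers missing while up, or left behind while down."""
    pushed = charon_attributes(conf_text)["dns"]
    present = nameservers(resolv_text)
    if tunnel_up:
        return {"missing": [s for s in pushed if s not in present], "stale": []}
    return {"missing": [], "stale": [s for s in pushed if s in present]}
```

A non-empty "stale" list after the tunnel is down means the client is still resolving through the gateway-assigned servers, which is worth checking on hosts where /etc/resolv.conf is also managed by another tool.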
