Hi, I'm still having this problem. Any suggestions about things I could do to debug it further?
Thanks.
RD

On Fri, Jul 11, 2014 at 9:45 PM, Raoul Duke <[email protected]> wrote:
> Hi,
>
> I'm using strongswan 5.1.1 with IOS devices and split tunneling via
> the Unity plugin.
>
> Here is the relevant snippet of my strongswan.conf:
>
>     dns1 = 10.99.17.4
>     dns2 = 10.99.18.4
>
>     cisco_unity = yes
>
>     plugins {
>         attr {
>             split-include = 10.99.0.0/16
>         }
>
> The DNS server IPs are only available on the internal network.
>
> My goal is to be able to access a webserver at 10.99.20.100 via a DNS
> name (foo.bar.com, let's say). The private DNS servers know how to
> resolve foo.bar.com to 10.99.20.100.
>
> My problem is: when I am on the VPN the split tunnel will allow me to
> hit the webserver by IP address (10.99.20.100) but *not* by DNS name.
>
> This suggests to me that the DNS requests are not going to the private
> DNS server and are either using my wifi DNS servers (which won't be
> able to resolve the name) or the DNS requests are getting tunneled but
> black-holed somehow. My bet is the former but I have not verified it
> via packet capture.
>
> Since the split-include subnet encompasses the IPs of the DNS servers,
> I am at a loss to understand what the issue could be - and IOS
> clients are not too simple to debug in this regard. Is there
> something simple I am missing here?
>
> When I use full tunnel mode (rather than split) for IOS the DNS name
> resolves fine, which indicates to me that in the 0.0.0.0/0 case the
> private DNS servers are being used.
>
> Also, when using ikev2 with Android (strongswan client) I can
> configure a leftsubnet of 10.99.0.0/16 and get the behaviour I expect
> in that case, i.e. I can use the domain name to hit the webserver.
>
> Is my configuration/expectations in the IOS case correct? Is there
> anything else I need to do to force the use of the private DNS server
> in the split tunnel case?
>
> Or otherwise - I'd be grateful for any suggestions / ideas / pointers
> on how to troubleshoot this.
>
> Thanks.
