Hi folks,

Using IKEv2 and NetworkManager, I wonder how the DNS domain search
attribute is supposed to be added to /etc/resolv.conf?

My attr.conf on the IPsec gateway says

attr {
    dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
    nbns = 10.0.98.253
    # 28674 = UNITY_DEF_DOMAIN (default domain)
    28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
    # 28675 = UNITY_SPLITDNS_NAME (split-DNS domain list)
    28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
    load = yes
}

AFAICT NetworkManager would like to call resolvconf itself, but apparently
it is missing the DNS domain. syslog on my laptop tells me

Jul  1 08:25:19 ppcl001 NetworkManager[992]: <info>  [1561962319.5404] audit: op="connection-activate" uuid="e3e13c44-f079-42d9-9d40-5156082f2914" name="ipsecgate IKEv2" pid=5931 uid=6502 result="success"
Jul  1 08:25:19 ppcl001 NetworkManager[992]: <info>  [1561962319.5435] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Saw the service appear; activating connection
Jul  1 08:25:19 ppcl001 NetworkManager[992]: <info>  [1561962319.5633] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (ConnectInteractive) reply received
Jul  1 08:25:19 ppcl001 charon-nm: 05[CFG] received initiate for NetworkManager connection ipsecgate IKEv2
Jul  1 08:25:19 ppcl001 NetworkManager[992]: <info>  [1561962319.6125] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: starting (3)
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7119] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP4 Config Get) reply received from old-style plugin
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: VPN Gateway: 5.145.142.209
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: Tunnel Device: (null)
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: IPv4 configuration:
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Address: 10.0.122.66
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Prefix: 32
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal Point-to-Point Address: 10.0.122.66
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7126] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Maximum Segment Size (MSS): 0
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Forbid Default Route: yes
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.122.9
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.96.123
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 10.0.96.124
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   Internal DNS: 127.0.0.1
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data:   DNS Domain: '(none)'
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: Data: No IPv6 configuration
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN connection: (IP Config Get) complete
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7134] vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate IKEv2",0]: VPN plugin: state changed: started (4)
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7225] dns-mgr: Writing DNS information to /sbin/resolvconf

Of course the documentation states: "Cisco Unity extensions for IKEv1"
but I don't see any reason why this shouldn't work for IKEv2 as well
(except for not being listed in some document).

strongswan is version 5.7.2 on both peers. strongswan network manager
plugin is version 1.4.4.


Every insightful comment is highly appreciated

Harri
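
A small diagnostic for logs like the one in this post, as an added example that is not part of the original message: it rejoins mail-wrapped syslog records and reports, per VPN connection, which DNS servers NetworkManager received and whether a DNS domain came with them. The function names are hypothetical and the sample is an excerpt of the post's own log.

```python
import re
from collections import defaultdict

# Excerpt of the NetworkManager log from the post, still wrapped as in the mail.
SAMPLE = """\
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127]
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate
IKEv2",0]: Data:   Internal DNS: 10.0.122.9
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127]
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate
IKEv2",0]: Data:   Internal DNS: 10.0.96.123
Jul  1 08:25:26 ppcl001 NetworkManager[992]: <info>  [1561962326.7127]
vpn-connection[0x55858e7ca870,e3e13c44-f079-42d9-9d40-5156082f2914,"ipsecgate
IKEv2",0]: Data:   DNS Domain: '(none)'
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
DATA = re.compile(r'vpn-connection\[[^,]+,[0-9a-f-]+,"(?P<name>[^"]*)",\d+\]: '
                  r"Data:\s+(?P<key>[^:]+): (?P<val>.*)$")

def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def pushed_config(text):
    """Map connection name -> {key: [values]} from NetworkManager 'Data:' lines."""
    cfg = defaultdict(lambda: defaultdict(list))
    for rec in unwrap(text):
        m = DATA.search(rec)
        if m:
            cfg[m["name"]][m["key"].strip()].append(m["val"].strip())
    return cfg

def lacks_search_domain(conn):
    """True when DNS servers were handed over but no DNS domain came with them."""
    domains = [d.strip("'") for d in conn.get("DNS Domain", [])]
    return bool(conn.get("Internal DNS")) and all(d in ("", "(none)") for d in domains)

if __name__ == "__main__":
    for name, conn in pushed_config(SAMPLE).items():
        status = "no search domain" if lacks_search_domain(conn) else conn["DNS Domain"]
        print(name, conn["Internal DNS"], status)
```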
