Hi Harald,

> using IKEv2 and NetworkManager I wonder how the DNS domain search
> attribute is supposed to be added to /etc/resolv.conf?

There is no such attribute for IKEv2.

> My attr.conf on the IPsec gateway says
>
> attr {
>     dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
>     nbns = 10.0.98.253
>     28674 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>     28675 = ipsec.example.com ac.example.com vs.example.com ws.example.com example.com
>     load = yes
> }

The (proprietary Cisco Unity) IKEv1 attributes you assigned have different purposes. The first sets the default search domain, the other is for split-DNS. For the latter there now actually is an RFC for IKEv2 (RFC 8598) but strongSwan currently doesn't support it. Well, you can assign the INTERNAL_DNS_DOMAIN attribute to clients using the same numeric assignment (25 is the identifier), but no client plugin currently requests or handles such attributes. In particular, the NM plugin currently has no support for such internal domains (no idea if NM_VPN_PLUGIN_IP4/6_CONFIG_DOMAINS could be used for that, or if that e.g. just sets multiple search domains).

> AFAICT NetworkManager would like to call resolvconf itself, but apparently
> it is missing the DNS domain.

Is a search domain actually required in your setup? Because, as I said, there is no standardized IKEv2 attribute for it at all.

> Of course the documentation states: "Cisco Unity extensions for IKEv1"
> but I don't see any reason why this shouldn't work for IKEv2 as well
> (except for not being listed in some document).

Why would configuration attributes for a proprietary IKEv1 extension, with numbers from the private use range, work with IKEv2? Granted, since it's not possible to set an IKE version for custom attributes in the attr plugin's configuration, it will just assign them as configured to any client that requests a virtual IP. But a client that handles them would technically be non-compliant. Anyway, strongSwan actually doesn't handle these Unity attributes as client at all, not even for IKEv1.

Regards,
Tobias
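The distinction the reply turns on is attribute numbering: INTERNAL_DNS_DOMAIN (25) is an IANA-registered IKEv2 Configuration Payload attribute (RFC 8598), while 28674 and 28675 sit in the private-use range (16384-32767 per RFC 7296 section 3.15.1) and are Cisco Unity IKEv1 numbers, not IKEv2 attributes. The following is an added example, not code from this thread or from the strongSwan project: it encodes and decodes the RFC 7296 attribute TLV (2-byte type with the high bit reserved, 2-byte length, value), classifies each type, and extracts INTERNAL_DNS_DOMAIN values. The sample attribute values are constructed, and treating the INTERNAL_DNS_DOMAIN value as UTF-8 text is an assumption made here for illustration.

```python
"""IKEv2 Configuration Payload attribute encoder/decoder (added example).

Encodes and decodes the attribute TLV of RFC 7296 section 3.15.1 and
classifies attribute types as IANA-registered, private-use or unassigned.
Not strongSwan code; the attribute registry below is a subset.
"""
import ipaddress
import struct

# Subset of the IANA "IKEv2 Configuration Payload Attribute Types" registry.
IANA_TYPES = {
    1: "INTERNAL_IP4_ADDRESS",
    3: "INTERNAL_IP4_DNS",
    4: "INTERNAL_IP4_NBNS",
    8: "INTERNAL_IP6_ADDRESS",
    10: "INTERNAL_IP6_DNS",
    25: "INTERNAL_DNS_DOMAIN",  # RFC 8598
}
# RFC 7296 section 3.15.1: attribute types 16384-32767 are private use.
PRIVATE_USE = range(16384, 32768)

# Cisco Unity IKEv1 attribute numbers from the thread; both are private-use
# numbers and carry no IKEv2 meaning.
UNITY_DEF_DOMAIN = 28674
UNITY_SPLITDNS_NAME = 28675


def encode_attribute(attr_type, value):
    """Return one TLV: R bit (0) + 15-bit type, 16-bit length, value bytes."""
    if not 0 <= attr_type < 0x8000:
        raise ValueError("attribute type must fit in 15 bits")
    if len(value) > 0xFFFF:
        raise ValueError("attribute value too long")
    return struct.pack("!HH", attr_type, len(value)) + value


def decode_attributes(payload):
    """Parse a sequence of TLVs; reject the reserved R bit and truncation."""
    attrs = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!HH", payload, off)
        if attr_type & 0x8000:
            raise ValueError("reserved R bit set in attribute type")
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated attribute value")
        attrs.append((attr_type, payload[off:off + length]))
        off += length
    return attrs


def classify_attribute(attr_type):
    """Name a registered type, or report private-use / unassigned."""
    if attr_type in IANA_TYPES:
        return IANA_TYPES[attr_type]
    if attr_type in PRIVATE_USE:
        return "private-use"
    return "unassigned"


def build_cp_attributes(dns_servers, domains):
    """Gateway-side helper (hypothetical): IPv4 DNS servers as type 3,
    one INTERNAL_DNS_DOMAIN (type 25) attribute per domain."""
    out = b""
    for server in dns_servers:
        out += encode_attribute(3, ipaddress.IPv4Address(server).packed)
    for domain in domains:
        out += encode_attribute(25, domain.encode("utf-8"))  # encoding assumed
    return out


def internal_dns_domains(attrs):
    """Return the INTERNAL_DNS_DOMAIN values of decoded attributes as text."""
    return [v.decode("utf-8") for t, v in attrs if t == 25]


if __name__ == "__main__":
    # Constructed sample: two DNS servers and one domain, plus a private-use
    # attribute as the attr plugin would hand out for "28674 = ..." in the thread.
    payload = build_cp_attributes(["10.0.122.9", "10.0.96.123"], ["example.com"])
    payload += encode_attribute(UNITY_DEF_DOMAIN, b"example.com")
    for attr_type, value in decode_attributes(payload):
        print(attr_type, classify_attribute(attr_type), value)
```

Run as a script it lists the decoded attributes; the two Unity numbers classify as private-use, which is why a client that acted on them under IKEv2 would be relying on a non-standard meaning, while 25 decodes as the registered INTERNAL_DNS_DOMAIN type that strongSwan's clients do not yet request.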