Issue #1043
Ubuntu client does not receive DNS server info?
Status: Closed
Priority: Normal
Assignee: -
Category: configuration
Affected version: 4.5.2
Resolution: No change required
Description
- Ubuntu 12.04
- strongSwan: 4.5.2
ipsec.conf (server):
config setup
    nat_traversal=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    left=x.y.z.t
    leftcert=server_cert.pem
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    right=%any

conn android
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsourceip=172.16.0.128/26
    eap_identity=%any
    auto=add

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    rightsourceip=172.16.0.192/26
    pfs=no
    auto=add
/etc/strongswan.conf:
pluto {
    dns1 = 8.8.8.8
}
ipsec.conf (client):
conn strongSwan
    right=server.ip
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    rightid="C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=server, E=root@127.0.0.1"
    leftsourceip=%config
    leftauth=eap
    leftid=ubuntu
    eap_identity=linux
    auto=add
ipsec up strongSwan:
initiating IKE_SA uba[1] to gateway.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.2.15[500] to gateway.ip[500]
received packet: from gateway.ip[500] to 10.0.2.15[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
sending cert request for "C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=vpn CA, E=root@127.0.0.1"
establishing CHILD_SA uba
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.0.2.15[4500] to gateway.ip[4500]
received packet: from gateway.ip[4500] to 10.0.2.15[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=server, E=root@127.0.0.1"
using certificate "C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=server, E=root@127.0.0.1"
using trusted ca certificate "C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=vpn CA, E=root@127.0.0.1"
checking certificate status of "C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=server, E=root@127.0.0.1"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=server, E=root@127.0.0.1' with RSA signature successful
server requested EAP_IDENTITY, sending 'linux'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 10.0.2.15[4500] to gateway.ip[4500]
received packet: from gateway.ip[4500] to 10.0.2.15[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x9B)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 10.0.2.15[4500] to gateway.ip[4500]
received packet: from gateway.ip[4500] to 10.0.2.15[4500]
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 10.0.2.15[4500] to gateway.ip[4500]
received packet: from gateway.ip[4500] to 10.0.2.15[4500]
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'ubuntu' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 10.0.2.15[4500] to gateway.ip[4500]
received packet: from gateway.ip[4500] to 10.0.2.15[4500]
parsed IKE_AUTH response 5 [ AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
authentication of 'C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=server, E=root@127.0.0.1' with EAP successful
IKE_SA uba[1] established between 10.0.2.15[ubuntu]...gateway.ip[C=AC, ST=King George Island, L=Base Presidente Eduardo Frei Montalva, O=VPN, OU=Operations, CN=server, E=root@127.0.0.1]
scheduling reauthentication in 10217s
maximum IKE_SA lifetime 10757s
installing new virtual IP 172.16.0.129
Problem: the DNS server was not pushed to the client side.
/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.2.3
Sure, the attr plugin is loaded on the server:
charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
PS: OS X client worked fine.
History
#1 Updated by Quan Tong Anh over 9 years ago
I found the reason: in strongSwan 4.x, each IKE version is handled by a separate daemon, so we have to specify DNS servers for IKEv2 in the charon section:
charon {
    dns1 = 8.8.8.8
}
pluto {
    dns1 = 8.8.8.8
}
Now it's ok:
maximum IKE_SA lifetime 10591s
installing DNS server 8.8.8.8 to /etc/resolv.conf
installing new virtual IP 172.16.0.129
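
The client log in the description already shows the mismatch: IKE_AUTH request 1 carries CP(ADDR DNS), while the gateway's final response carries only CP(ADDR). The following is an added example (not part of the issue or of strongSwan) that flags configuration attributes a client asked for but never received; the name audit_cp is hypothetical, and the CP(ADDR DNS) reply in the "after" log is an assumption, since the page shows only the "installing DNS server" line for the fixed setup.

```python
import re

# One IKE_AUTH message summary as charon logs it, e.g.
#   generating IKE_AUTH request 1 [ IDi ... CP(ADDR DNS) SA TSi TSr ]
MSG_RE = re.compile(r"(generating|parsed) IKE_AUTH (request|response) \d+ \[([^\]]*)\]")
CP_RE = re.compile(r"\bCP\(([^)]*)\)")  # configuration payload attribute list
DNS_RE = re.compile(r"installing DNS server (\S+)")


def audit_cp(log_text):
    """Compare CP attributes the client requested with those the gateway returned."""
    requested, granted = set(), set()
    # findall over the whole text also copes with logs pasted as one long line.
    for verb, kind, payloads in MSG_RE.findall(log_text):
        cp = CP_RE.search(payloads)
        if not cp:
            continue
        attrs = set(cp.group(1).split())
        if (verb, kind) == ("generating", "request"):
            requested |= attrs
        elif (verb, kind) == ("parsed", "response"):
            granted |= attrs
    return {
        "missing": requested - granted,
        "installed_dns": DNS_RE.findall(log_text),
    }


# Excerpt of the client log from the report: DNS is requested, the reply omits it.
BEFORE = """\
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
parsed IKE_AUTH response 5 [ AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
installing new virtual IP 172.16.0.129
"""

# Constructed "after" log: the CP(ADDR DNS) reply is assumed, see lead-in.
AFTER = BEFORE.replace("AUTH CP(ADDR) SA", "AUTH CP(ADDR DNS) SA") + (
    "installing DNS server 8.8.8.8 to /etc/resolv.conf\n"
)

if __name__ == "__main__":
    for name, log in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_cp(log))
```

A non-empty "missing" set with an empty "installed_dns" list means the client keeps its local resolver (nameserver 10.0.2.3 in the report's resolv.conf) while the tunnel is up.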
#2 Updated by Tobias Brunner over 9 years ago
- Category set to configuration
- Status changed from New to Closed
- Resolution set to No change required