Issue #1147

Default path to resolv.conf is incorrectly configured on Fedora

Added by Robert Dyck about 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.3.3
Resolution: No change required

Description

I am using a basic road warrior configuration on a laptop to connect to a LAN. I can communicate with hosts on the LAN and with global addresses if I use IP addresses directly. Using domain names does not work because no name servers can be reached. When the RW connects I can see name servers being placed in /etc/strongswan/resolv.conf. Strongswan was installed from a Fedora repo. It would seem that Strongswan was built using the --with-resolve-conf configure directive. I know the name servers are accessible because I can address them explicitly with "dig @w.x.y.z". The Strongswan version is 5.3.2 at either end.

Is some additional configuration option required when using a non standard location for resolv.conf?

History

#1 Updated by Tobias Brunner about 4 years ago

  • Category set to configuration
  • Status changed from New to Feedback

Is some additional configuration option required when using a non standard location for resolv.conf?

The resolve plugin uses the resolvconf(8) utility if it is found in /sbin/resolvconf; otherwise, it uses the file configured with --with-resolv-conf or charon.plugins.resolve.file (defaults to <sysconfdir>/resolv.conf). I guess strongSwan is compiled with --sysconfdir=/etc/strongswan on Fedora, hence the use of /etc/strongswan/resolv.conf. So just change the option in strongswan.conf to point to the correct file.

You might want to report this to the Fedora package maintainers.

#2 Updated by Robert Dyck about 4 years ago

Fedora has a fondness for using the word strongswan. For example /etc/strongswan and /usr/libexec/strongswan. The startup script is called strongswan rather than ipsec.

The suggested fix did not work for me. Before you ask, yes I restarted strongswan.

[root@red strongswan]# cat /etc/strongswan/strongswan.d/charon/resolve.conf
resolve {

    # File where to add DNS server entries.
    # file = /etc/resolv.conf
    file = /etc/strongswan/resolv.conf

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    resolvconf {

        # Prefix used for interface names sent to resolvconf(8).
        # iface_prefix = lo.inet.ipsec.

    }

}
installing DNS server 2001:my-prefix::1 to /etc/strongswan/resolv.conf
installing DNS server 192.168.1.254 to /etc/strongswan/resolv.conf
installing DNS server 75.153.176.1 to /etc/strongswan/resolv.conf
installing new virtual IP 192.168.1.74
installing new virtual IP 2001:my-prefix::5
connection 'home46' established successfully
[root@red strongswan]# dig google.com

; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

#3 Updated by Robert Dyck about 4 years ago

Your previous suggestion got me thinking about how strongswan manipulates resolv.conf. It happens that resolvconf was not installed and furthermore the Fedora repo did not have it. A search of rpmfind did not yield an rpm for Fedora. I found a source for openresolv. I performed the usual sequence of configure, make and make install. It still was not working but after a reinstall of strongswan from the repo I got it working.

installing DNS server 2001:my-prefix::1 via resolvconf
installing DNS server 192.168.1.254 via resolvconf
installing DNS server 75.153.176.1 via resolvconf
installing new virtual IP 192.168.1.71
installing new virtual IP 2001:my-prefix::5

#4 Updated by Tobias Brunner about 4 years ago

The suggested fix did not work for me.

You apparently misunderstood my suggestion. You'd have to set the config value to the correct path, which is probably /etc/resolv.conf. The path you configured (/etc/strongswan/resolv.conf) was already used by strongSwan on Fedora to no effect.

The Fedora package maintainers should probably configure strongSwan with --with-resolv-conf=/etc/resolv.conf to fix this properly.

#5 Updated by Robert Dyck about 4 years ago

Summary

This issue should probably be renamed. The real issue was the lack of resolvconf. The fact that the DNS servers were being loaded into a non standard location was just a side effect.

The resolve plugin gave no warning of a missing dependency.

Fedora's strongswan package missed this dependency.

Fedora does not have resolvconf in its repository.

#6 Updated by Tobias Brunner about 4 years ago

  • Subject changed from Domain name resolution not working when resolv.conf is not in the usual place to Default path to resolv.conf is incorrectly configured on Fedora

The real issue was the lack of resolvconf. The fact that the DNS servers were being loaded into a non standard location was just a side effect.

The resolve plugin gave no warning of a missing dependency.

There is no hard dependency on resolvconf; the plugin will just edit resolv.conf directly if it is not found. But for this to work it has to know the correct location of that file. Due to how the Fedora package maintainers configured strongSwan, the plugin assumed the file is located in /etc/strongswan/resolv.conf, which is not where the system looks for DNS servers. To fix this (without having to install resolvconf) the correct path to resolv.conf has to be configured, either via strongswan.conf or the --with-resolv-conf configure option. The latter should preferably be done by the package maintainers so users don't have to fix this via strongswan.conf after installing the package.
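
Added example, not part of the original thread and not strongSwan code: a shell check of the decision described in the comments above (resolvconf(8) in /sbin/resolvconf if present, otherwise the configured file). The function names are hypothetical, the `file =` parsing is a simplification that reads a single config snippet, and the paths are the Fedora ones quoted in this issue.

```shell
#!/bin/sh
# Added diagnostic sketch (not strongSwan code). Reports where the resolve
# plugin would install DNS servers, following the behaviour described in this
# thread: resolvconf(8) if present, otherwise the configured file.

# effective_file CONF DEFAULT
# Prints the last uncommented "file = ..." value found in a resolve plugin
# config snippet, or DEFAULT when the option is not set (assumption: the
# option is set in this one snippet and nowhere else).
effective_file() {
    conf=$1
    default=$2
    value=$(sed -n \
        's/^[[:space:]]*file[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${value:-$default}"
}

# dns_install_target RESOLVCONF_BIN CONF DEFAULT SYSTEM_RESOLV
# Prints one of:
#   resolvconf            servers are handed to resolvconf(8)
#   file-ok:<path>        plugin writes the file the system resolver reads
#   file-mismatch:<path>  plugin writes a file the system resolver ignores
# Returns non-zero only for the mismatch case.
dns_install_target() {
    bin=$1
    conf=$2
    default=$3
    system=$4
    if [ -x "$bin" ]; then
        echo resolvconf
        return 0
    fi
    target=$(effective_file "$conf" "$default")
    if [ "$target" = "$system" ]; then
        echo "file-ok:$target"
        return 0
    fi
    echo "file-mismatch:$target"
    return 1
}

# Stand-alone use with the paths from this thread (Fedora package layout).
if [ "${1:-}" = "--check" ]; then
    dns_install_target /sbin/resolvconf \
        /etc/strongswan/strongswan.d/charon/resolve.conf \
        /etc/strongswan/resolv.conf /etc/resolv.conf
fi
```

A `file-mismatch` result corresponds to the symptom reported here: the log shows DNS servers being installed, but name lookups still time out.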

#7 Updated by Tobias Brunner over 3 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
