Issue #2130

Android client does not update DNS

Added by Robert Dyck almost 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Category:
android
Affected version:
5.5.0
Resolution:
No change required

Description

Strongswan 1.6.2 on Android 7

The server ipsec.conf is setup to assign both ipv4 and ipv6 addresses and assign DNS servers also with both address families.
After a successful connection I can reach both ipv4 and ipv6 addresses, on the LAN and globally. As part of my testing I tried test-ipv6.com. The tests passed but I received a warning that it would not work on an ipv6 only network due to the lack of ipv6 DNS.

From a terminal on the Android I entered "getprop | grep dns" before and after an IPsec connection. There was no change. The DNS server assigned by the carrier was the only one listed. The log file from Android is attached. Sensitive bits have been obfuscated.

A near identical connection for a Linux road warrior works as expected.

conn nexus-6p
        leftid=@boggus.com
        leftcert=slim-server.crt
        leftsubnet=0.0.0.0/0,::/0
        rightcert=nexus-6p.crt
        rightsourceip=%dhcp,2001::1e67:58ff:fe49:d489
        rightdns=192.168.1.254,2001:568:ff09:10c::53
        leftfirewall=yes
        auto=add
Attachment: charon.log (25.2 KB), Robert Dyck, 02.10.2016 00:21

History

#1 Updated by Noel Kuntze almost 9 years ago

I can reproduce this on Android 6 with app version 1.6.2 and a swanctl based configuration.

#2 Updated by Tobias Brunner almost 9 years ago

  • Description updated (diff)
  • Category set to android
  • Status changed from New to Feedback

From a terminal on the Android I entered "getprop | grep dns" before and after an IPsec connection. There was no change.

That's because these properties are not really used anymore. At least not when installing DNS servers via VpnService API. I think this is now handled by netd and you might be able to get some information via ndc utility (e.g. the monitor command). Other than that I can't say much as we really only pass the received DNS servers to the VpnService.Builder instance. If the installation or the use of these DNS servers does not work as intended, please report that issue to Google.
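To make the mechanism described above concrete, here is an added illustration (not the strongSwan app's own code) of the only path an unprivileged VPN app has: the gateway's addresses and DNS servers from the issue's ipsec.conf go into a VpnService.Builder, and the right place to verify them is the VPN network's LinkProperties rather than the net.dns* system properties. The IPv4 client address is a hypothetical %dhcp lease.

```java
import android.content.Context;
import android.net.ConnectivityManager;
import android.net.LinkProperties;
import android.net.Network;
import android.net.NetworkCapabilities;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.List;

public class DualStackVpnService extends VpnService {

    /** Builds the tunnel with the values the gateway in issue #2130 hands out
     *  (rightsourceip / rightdns). An app can only hand these to the Builder;
     *  netd installs them, and getprop net.dns* is not touched. */
    ParcelFileDescriptor establishTunnel() throws Exception {
        Builder builder = new Builder()
            .setSession("nexus-6p")
            // Hypothetical IPv4 lease obtained via %dhcp on the gateway side
            .addAddress(InetAddress.getByName("192.168.1.120"), 32)
            .addAddress(InetAddress.getByName("2001::1e67:58ff:fe49:d489"), 128)
            // leftsubnet=0.0.0.0/0,::/0 : route everything through the tunnel
            .addRoute("0.0.0.0", 0)
            .addRoute("::", 0)
            // rightdns=192.168.1.254,2001:568:ff09:10c::53
            .addDnsServer("192.168.1.254")
            .addDnsServer("2001:568:ff09:10c::53");
        return builder.establish();
    }

    /** Returns the DNS servers Android actually installed for the VPN network.
     *  LinkProperties reflects what netd applied, so an empty IPv6 entry here
     *  (while addDnsServer was called with one) points at the platform, not the app. */
    static List<InetAddress> installedVpnDnsServers(Context ctx) {
        ConnectivityManager cm =
            (ConnectivityManager) ctx.getSystemService(Context.CONNECTIVITY_SERVICE);
        List<InetAddress> found = new ArrayList<>();
        for (Network net : cm.getAllNetworks()) {
            NetworkCapabilities caps = cm.getNetworkCapabilities(net);
            LinkProperties lp = cm.getLinkProperties(net);
            if (caps != null && lp != null
                    && caps.hasTransport(NetworkCapabilities.TRANSPORT_VPN)) {
                found.addAll(lp.getDnsServers());
            }
        }
        return found;
    }
}
```

The same LinkProperties (including the DnsAddresses of the VPN network) can be inspected from a shell with `adb shell dumpsys connectivity`, which is the check to run instead of `getprop | grep dns`.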

#3 Updated by Robert Dyck almost 9 years ago

With my use case the lack of DNS update should not be a problem. If I find myself on an ipv6 only network it is safe to assume that the carrier will assign a DNS server reachable via ipv6. At least we now have this documented. Some use cases may require a custom DNS server.

#4 Updated by Tobias Brunner almost 9 years ago

If I find myself on an ipv6 only network it is safe to assume that the carrier will assign a DNS server reachable via ipv6.

In which case you can't use the strongSwan app as it can't connect to gateways on IPv6 (well, it could but the Linux kernel currently does not support UDP encapsulation for IPv6, which is a requirement of the app, see #892).

#5 Updated by Robert Dyck almost 9 years ago

Why can the app not be changed? The UDP is not needed. My understanding is that we use UDP to traverse NAT. UDP uses ports.

As an experiment I manually created an IPsec ESP tunnel between hosts on the LAN. This was IPv6 inside IPv6.

#6 Updated by Tobias Brunner almost 9 years ago

Why can the app not be changed? The UDP is not needed. My understanding is that we use UDP to traverse NAT. UDP uses ports.

The app only has access to the VpnService API, so it has to use the existing UDP socket (used for IKE) to send ESP packets. It can't send plain ESP packets (which would require something like a RAW or PACKET socket).

As an experiment I manually created an IPsec ESP tunnel between hosts on the LAN. This was IPv6 inside IPv6.

Sure, that's no problem with the kernel's IPsec stack. But that's not available to the unprivileged Android app.

#7 Updated by Robert Dyck almost 9 years ago

Thank you for the explanation and your indulgence.

#8 Updated by Tobias Brunner over 8 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required