Windows – Strongswan Domain and suffix DNS

Tags: centos7, domain-name-system, strongswan, windows

I've configured a Strongswan server on CentOS 7 for roadwarrior situations and it works perfectly.

But I want the Windows 10 clients to get the domain with DNS suffix and I didn't find any way to do it. I've tried with the WINS server, but it doesn't do what I want.
For example, when I try "nslookup my-server", I would like the connection to add the suffix to get the right results. In the actual situation, the nslookup fails.
Furthermore, the DNS used is not the DNS transferred by IPsec.

ipsec.conf:

    conn %default
            mobike=yes
            keyexchange=ikev2
            forceencaps=yes
            auto=add

    conn IKEv2-eap
            esp=aes256-sha1-modp1024!
            ike=aes256-sha384-modp1024!
            leftauth=pubkey
            leftfirewall=yes
            leftcert=gwCert.pem
            leftsubnet=0.0.0.0/0
            right=%any
            rightsourceip=10.3.0.1-10.3.0.50
            rightauth=eap-mschapv2
            eap_identity=%identity

strongswan.conf:

    charon {
            load_modular = yes
            plugins {
                    include strongswan.d/charon/*.conf
                    attr {
                            dns = 134.158.128.2, 134.158.128.6
                            nbns = 134.158.130.183, 134.158.130.156
                    }
            }
    }

I have OpenVPN and the domain is "transferred" through the VPN and my nslookup works perfectly. I would like to do the same with Strongswan.

Best Answer

There is no IKEv2 configuration attribute to assign a set of default DNS suffixes.

While there is a new extension (RFC 8598) that allows configuring split-DNS (using the VPN-assigned DNS servers only for specified domains) it doesn't say anything specifically about DNS suffixes (I guess it's up to the clients whether they also configure the domains as such).

Anyway, that extension won't help you because Windows currently doesn't support it.

However, it's possible to manually set a single DNS suffix on the client via the Set-VpnConnection PowerShell cmdlet:

    Set-VpnConnection -Name "ConnectionName" -DnsSuffix example.com

The problem that VPN-provided DNS servers are not used might be a general issue in Windows 10 (no idea if dependent on the version), see e.g. this question on superuser.com, or search for "Windows 10 VPN DNS leak" or similar.
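The following PowerShell script is an added example that is not part of the answer above or of the strongSwan project. It applies the client-side suffix the answer describes, verifies that Windows stored it, and then reports which DNS servers and connection-specific suffix each interface holds so that a "VPN DNS leak" (the physical adapter's resolvers being used instead of the IKEv2-assigned ones) can be spotted. The connection name, the suffix and the host name `my-server` are placeholder values taken from the question and answer, not real infrastructure; the interface-metric comparison is a diagnostic heuristic added here, not something the answer states.

```powershell
# Added example (not from the original question or answer): apply a DNS suffix to an
# existing Windows IKEv2 VPN connection and report how Windows will resolve names while
# the tunnel is up. All three parameters are assumed placeholders; replace them.
param(
    [string]$ConnectionName = "ConnectionName",   # assumed: name given to Add-VpnConnection
    [string]$DnsSuffix      = "example.com",      # assumed: suffix the answer suggests setting
    [string]$TestHost       = "my-server"         # assumed: short name from the question
)

# 1. Set the connection-specific DNS suffix on the client (the cmdlet the answer names).
Set-VpnConnection -Name $ConnectionName -DnsSuffix $DnsSuffix

# 2. Confirm the suffix is stored on the VPN connection object.
$vpn = Get-VpnConnection -Name $ConnectionName
if ($vpn.DnsSuffix -ne $DnsSuffix) {
    throw "DnsSuffix on '$ConnectionName' is '$($vpn.DnsSuffix)', expected '$DnsSuffix'"
}
Write-Output "DnsSuffix on '$ConnectionName' is now '$($vpn.DnsSuffix)'"

# The remaining checks only make sense once the tunnel is connected.
if ($vpn.ConnectionStatus -ne 'Connected') {
    Write-Output "Connect the VPN first (rasdial `"$ConnectionName`") and re-run to check resolution."
    return
}

# 3. Per interface: metric, connection-specific suffix and configured DNS servers.
#    When VPN-assigned resolvers are bypassed, the interface metric ordering is the first
#    thing to compare (heuristic assumed here): the VPN adapter should not be outranked by
#    the physical adapter, and its DNS servers should be the ones handed out by strongSwan.
Get-NetIPInterface -AddressFamily IPv4 |
    ForEach-Object {
        $servers = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Metric     = $_.InterfaceMetric
            Suffix     = (Get-DnsClient -InterfaceIndex $_.ifIndex).ConnectionSpecificSuffix
            DnsServers = ($servers -join ', ')
        }
    } | Sort-Object Metric | Format-Table -AutoSize

# 4. Resolve the bare host name. With the suffix applied, Windows should try
#    "$TestHost.$DnsSuffix"; the answering resolver should be a VPN-assigned one.
try {
    Resolve-DnsName -Name $TestHost -Type A -ErrorAction Stop |
        Select-Object Name, IPAddress | Format-Table -AutoSize
} catch {
    Write-Warning "Resolution of '$TestHost' failed: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell session after the VPN connection has been created (for example with `Add-VpnConnection`), once disconnected to apply the suffix and once connected to inspect the resolver table. If the physical adapter's DNS servers appear first and the bare name resolves against them, the symptom described in the answer (VPN-provided DNS servers not being used) is present on that client.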