ipsec systemd-resolved support #1354

Open
Ypnose opened this issue Oct 20, 2022 · 9 comments
Ypnose commented Oct 20, 2022

System:

  • OS: Ubuntu 22.04.1
  • Kernel version: e.g. 5.15
  • strongSwan version(s): 5.9.5
  • Tested/confirmed with the latest version: no

Describe the bug
In an IKEv2 roadwarrior setup, the client doesn't update DNS when the tunnel is launched with ipsec start and when systemd-resolved is used.

To Reproduce
Steps to reproduce the behavior:

  1. Launch the tunnel with ipsec start --no-fork
  2. The client is successfully connected
  3. Internet access doesn't work, as the remote DNS server is not used

Expected behavior
The client should be able to resolve domains

Logs/Backtraces
resolvectl status still shows same DNS as if the client was not connected.

Additional context
macOS clients using the same server have no problems. resolvectl can be invoked as resolvconf, but it doesn't seem to be called here. I have to use a wrapper like this:

#!/bin/bash
# Pin the VPN resolver in a systemd-resolved drop-in for the lifetime of the
# tunnel and remove it again when charon exits. Run as root: writing the
# drop-in and restarting systemd-resolved both need it.
set -e

DROPIN=/etc/systemd/resolved.conf.d/ike.conf

clean_dns() {
    if [[ -e "$DROPIN" ]]; then
        rm -f "$DROPIN"
        systemctl restart systemd-resolved
    fi
}
trap clean_dns ERR INT EXIT

mkdir -p /etc/systemd/resolved.conf.d/
# "~." routes every query to the VPN resolver, not only my.domain.tld
printf '[Resolve]\nDNS=10.10.10.1\nDomains=my.domain.tld ~.\n' >"$DROPIN"
# charon stays in the foreground below, so restart resolved from the background
( sleep 4 && systemctl restart systemd-resolved ) &
ipsec start --nofork

Enforcing DNS IP and domain is not convenient, especially when the server directly provides them.

tobiasbrunner (Member) commented

Is the resolve plugin loaded? Is resolvconf available (and provided by systemd)? Are there any errors logged when DNS servers are handled? Although, since you are using Ubuntu 22.04, I don't think it's the same issue as #1353.

Ypnose commented Oct 20, 2022

Thanks for your help, it is very much appreciated.
Yes, the resolve plugin is loaded:

00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters

resolvconf is not directly available on the system as is, but as resolvectl is a multi-call binary, creating a link called resolvconf to resolvectl allows us to see this message:

resolvconf -a INTERFACE < FILE
resolvconf -d INTERFACE

Register DNS server and domain configuration with systemd-resolved.

  -h --help     Show this help
     --version  Show package version
  -a            Register per-interface DNS server and domain data
  -d            Unregister per-interface DNS server and domain data
  -f            Ignore if specified interface does not exist
  -x            Send DNS traffic preferably over this interface

This is a compatibility alias for the resolvectl(1) tool, providing native
command line compatibility with the resolvconf(8) tool of various Linux
distributions and BSD systems. Some options supported by other implementations
are not supported and are ignored: -m, -p, -u. Various options supported by other
implementations are not supported and will cause the invocation to fail:
-I, -i, -l, -R, -r, -v, -V, --enable-updates, --disable-updates,
--updates-are-enabled.

See the resolvectl(1) man page for details.

Unfortunately, it doesn't seem to modify DNS accordingly, when I verify it with resolvectl status.

tobiasbrunner (Member) commented

Where did you create that symlink? Note that the resolve plugin currently only checks in /sbin.

Ypnose commented Oct 20, 2022

Good point. The link was in /usr/bin/ instead of /usr/sbin/.
Now, ipsec sees resolvconf but I have this error :

resolvconf: Failed to set DNS configuration: Unit dbus-org.freedesktop.network1.service not found

and then the revert also fails.

This service is not present on the system in /lib/systemd/system, nor /etc/systemd/system and not found with systemctl cat. I wonder if it shouldn't be set through dbus-org.freedesktop.resolve1.service.

tobiasbrunner (Member) commented

Sounds like systemd-networkd is not running (might be a dependency of systemd-resolved, but that would beg the question why it worked when you configured it manually; maybe it's only an issue when configuring DNS servers via resolvectl/resolvconf, as that uses the D-Bus interface).

Ypnose commented Oct 20, 2022

Yes, I think so. systemd-resolved has no dependency and only wants nss-lookup.target. Setting up DNS through dbus-org.freedesktop.resolve1.service as a fallback, does that sound redundant to you?

tobiasbrunner (Member) commented

You mean directly via D-Bus? I've currently no plans to implement that. And resolvectl is meant to do that already. So it might not change anything if systemd-resolved is the one using org.freedesktop.network1 (I think resolvectl only uses the org.freedesktop.resolve1 interface).

Ypnose commented Oct 20, 2022

Ok, I see. I was thinking I could write a resolvconf wrapper to dynamically handle the DNS server IP and domains. I didn't check the sources yet, but do you think something like this could be possible? I just need to see how the resolve plugin passes values.
EDIT: OK, I see how values are passed.
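
A resolvconf-compatible wrapper of the kind discussed in this comment, added here as an example; it is not strongSwan's code and was not posted in the thread. It assumes only what the thread shows: the resolve plugin runs resolvconf -a IFACE with "nameserver <ip>" lines on stdin (IFACE being lo.ipsec in the later Fedora log), runs resolvconf -d IFACE on teardown, and looks for the binary in /sbin. The names RESOLVED_DROPIN_DIR, dropin_name, render_dropin, add_iface and del_iface, and the assumption that "search"/"domain" lines may also appear on stdin, are this example's own.

```shell
#!/bin/sh
# Added example: a resolvconf(8)-compatible shim that turns the lines
# strongSwan's resolve plugin pipes to "resolvconf -a IFACE" into a
# systemd-resolved drop-in, and removes that drop-in on "resolvconf -d IFACE".
# Assumption: stdin carries "nameserver <ip>" lines (optionally "search" or
# "domain" lines), one per line. Install as /sbin/resolvconf to be found.
set -eu

DROPIN_DIR="${RESOLVED_DROPIN_DIR:-/etc/systemd/resolved.conf.d}"

# Map an interface name to a drop-in file name. Anything outside
# [A-Za-z0-9._-] becomes "_", so a crafted IFACE cannot escape DROPIN_DIR.
dropin_name() {
    printf 'ipsec-%s.conf' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')"
}

# Read resolvconf-style lines on stdin and print a [Resolve] section.
# Only "nameserver" and "search"/"domain" are honoured; other lines, and
# nameserver values that are not address-like, are dropped rather than
# copied into resolved.conf. Returns 1 when no usable server remains.
render_dropin() {
    dns=""; domains=""
    while read -r key value rest || [ -n "$key" ]; do
        case "$key" in
            nameserver)
                case "$value" in
                    ""|*[!0-9A-Fa-f:.%]*) continue ;;
                esac
                dns="${dns:+$dns }$value" ;;
            search|domain)
                domains="${domains:+$domains }$value${rest:+ $rest}" ;;
        esac
    done
    [ -n "$dns" ] || return 1
    printf '[Resolve]\nDNS=%s\n' "$dns"
    # "~." makes these servers the route for every query (full-tunnel DNS),
    # mirroring the drop-in used earlier in this issue; omit it for split DNS.
    printf 'Domains=%s~.\n' "${domains:+$domains }"
}

add_iface() {
    mkdir -p "$DROPIN_DIR"
    target="$DROPIN_DIR/$(dropin_name "$1")"
    tmp=$(mktemp "$DROPIN_DIR/.resolvconf.XXXXXX")
    if render_dropin >"$tmp"; then
        chmod 0644 "$tmp"          # mktemp gives 0600; resolved must be able to read it
        mv "$tmp" "$target"        # atomic replace: never a half-written config
        systemctl restart systemd-resolved
    else
        rm -f "$tmp"
        echo "resolvconf: no usable nameserver for $1" >&2
        return 1
    fi
}

del_iface() {
    target="$DROPIN_DIR/$(dropin_name "$1")"
    [ -e "$target" ] || return 0
    rm -f "$target"
    systemctl restart systemd-resolved
}

main() {
    if [ "$#" -ne 2 ]; then
        echo "usage: resolvconf -a IFACE < FILE | resolvconf -d IFACE" >&2
        return 2
    fi
    case "$1" in
        -a) add_iface "$2" ;;
        -d) del_iface "$2" ;;
        *)  echo "resolvconf: unsupported option $1" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with arguments (as charon does); sourcing the
# file to reuse the functions leaves the dispatcher idle.
[ "$#" -eq 0 ] || main "$@"
```

Because this writes a drop-in and restarts systemd-resolved, exactly as the reporter's manual workaround does, it never touches the org.freedesktop.network1 D-Bus unit that systemd's own resolvconf alias failed on above; the price is a brief resolver restart on every tunnel up/down. Keep the whitelist in render_dropin: the DNS attributes arrive from the IKE peer, so nothing from that payload should reach resolved.conf unfiltered.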

tibz7 commented Aug 4, 2023

There is a similar problem on Fedora 38.
If I start the VPN with strongswan start, resolvectl is not updated.

aron[94733]: 12[IKE] authentication of 'gateway.meteoblue.com' with EAP successful
Aug 03 15:34:10 T15p charon[94733]: 12[IKE] installing DNS server 172.20.101.9 via resolvconf
Aug 03 15:34:10 T15p charon[94733]: 12[IKE] resolvconf: Dropped protocol specifier '.ipsec' from 'lo.ipsec'. Using 'lo' (ifindex=1).
Aug 03 15:34:10 T15p charon[94733]: 12[IKE] resolvconf: Failed to set DNS configuration: Could not activate remote peer: activation request failed: unknown unit.
Aug 03 15:34:10 T15p charon[94733]: 12[IKE] adding DNS server failed
resolvectl dns
Global: 1.1.1.1
Link 2 (enp0s31f6):
Link 3 (wlp0s20f3): 1.1.1.1 192.168.1.1 2a02:1210:8406:ab00:a2b5:49ff:fe87:67b0
Link 4 (docker0):
Link 20 (ipsec1):
Link 37 (ipsec0):

However, if I start it with the UI (NetworkManager), it works:

resolvectl dns
Global: 1.1.1.1
Link 2 (enp0s31f6):
Link 3 (wlp0s20f3): 1.1.1.1 192.168.1.1 2a02:1210:8406:ab00:a2b5:49ff:fe87:67b0
Link 4 (docker0):
Link 20 (ipsec1):
Link 37 (ipsec0): my.dns-server.com

Any idea why ? or how to solve that?
