systemd-resolved updated by network-manager-strongswan needed to restart to use the new dns servers

Bug #1783377 reported by Vin'c
This bug affects 10 people
Affects: strongswan (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Ubuntu 18.04.1 / bionic

systemd:
  Installed: 237-3ubuntu10.3

Fresh install on a VM; I was facing a bug when connecting to a strongSwan IKEv2 VPN (https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1772705)

-> Updated the packages required for the VPN from cosmic, which has the bug fixed (5.6.2-2):

network-manager-strongswan:
  Installed: 1.4.4-1
  Candidate: 1.4.4-1
  Version table:
 *** 1.4.4-1 300
        300 http://archive.ubuntu.com/ubuntu cosmic/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.4.2-2 500
        500 http://fr.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
libcharon-extra-plugins:
  Installed: 5.6.2-2ubuntu1
  Candidate: 5.6.2-2ubuntu1
  Version table:
 *** 5.6.2-2ubuntu1 300
        300 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
     5.6.2-1ubuntu2 500
        500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
libcharon-standard-plugins:
  Installed: 5.6.2-2ubuntu1
  Candidate: 5.6.2-2ubuntu1
  Version table:
 *** 5.6.2-2ubuntu1 300
        300 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
     5.6.2-1ubuntu2 500
        500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
libstrongswan-extra-plugins:
  Installed: 5.6.2-2ubuntu1
  Candidate: 5.6.2-2ubuntu1
  Version table:
 *** 5.6.2-2ubuntu1 300
        300 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
     5.6.2-1ubuntu2 500
        500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
libstrongswan-standard-plugins:
  Installed: 5.6.2-2ubuntu1
  Candidate: 5.6.2-2ubuntu1
  Version table:
 *** 5.6.2-2ubuntu1 300
        300 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status
     5.6.2-1ubuntu2 500
        500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Before connecting the VPN, `systemd-resolve --status` shows:
         DNS Servers: 192.168.1.254 # my home box resolver

After connecting:
         DNS Servers: 10.0.0.254 # DNS resolver provided by the VPN server
                      192.168.1.254 # my home box resolver

This seems OK, but the resolution fails as it is still using the local DNS:
systemd-resolved[270]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

After issuing `systemctl reload-or-restart systemd-resolved.service`, everything seems fine.

systemd-resolved[5651]: Got DNS stub UDP query packet for id 24298
systemd-resolved[5651]: Looking up RR for my.host.inside.vpn IN A.
systemd-resolved[5651]: Switching to DNS server 10.0.0.254 for interface enp0s3.
systemd-resolved[5651]: Cache miss for my.host.inside.vpn IN A
systemd-resolved[5651]: Transaction 9273 for <my.host.inside.vpn IN A> scope dns on enp0s3/*.
systemd-resolved[5651]: Using feature level UDP+EDNS0 for transaction 9273.
systemd-resolved[5651]: Using DNS server 10.0.0.254 for transaction 9273.

I was hoping that `systemd-resolved` could find the new DNS without restarting its service after connecting to the VPN.

Thanks for reading
Best Regards,
Vincent

Vin'c (g4-u3uxtu-lr)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Vin'c (g4-u3uxtu-lr) wrote :

A small script to do the job:

* install 18.10 repository with lower pin priority
* install a hook that restarts "systemd-resolved" on "vpn-pre-up" action

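The script attached to the comment above is not reproduced on this page. What follows is an added example, not the reporter's script and not part of the strongswan or NetworkManager projects, of the two pieces it describes: an apt preferences stanza that pins a release at priority 300 (the priority visible in the apt-cache output in the bug description), and a NetworkManager dispatcher hook that restarts `systemd-resolved` when a VPN connection comes up. The hook handles `vpn-pre-up` and `vpn-up`; the file name `90-resolved-vpn` and the logger tag are assumptions. NetworkManager only delivers `vpn-pre-up` to scripts placed in `dispatcher.d/pre-up.d/`, and it refuses to run dispatcher scripts that are not owned by root or are group/world writable, so install it as root with mode 0755.

```shell
#!/bin/sh
# Added example (not the script attached to the bug report): a NetworkManager
# dispatcher hook that restarts systemd-resolved once a VPN comes up, so the
# resolver starts using the DNS server pushed by the VPN connection.
# Install as /etc/NetworkManager/dispatcher.d/pre-up.d/90-resolved-vpn
# (vpn-pre-up is only delivered to scripts in pre-up.d/), root-owned, mode 0755.
set -eu

# NetworkManager calls dispatcher scripts as: <script> <interface> <action>
should_restart_resolved() {
    # $1 = interface (unused; kept for the dispatcher's calling convention)
    # $2 = action
    case "$2" in
        vpn-pre-up|vpn-up) return 0 ;;
        *) return 1 ;;
    esac
}

# apt preferences stanza (e.g. /etc/apt/preferences.d/cosmic) pinning a
# release below the installed release's default priority of 500, so nothing
# is pulled from it unless explicitly requested. 300 mirrors the priority
# shown in the apt-cache output in the bug description.
pin_stanza() {
    # $1 = release codename, $2 = priority
    printf 'Package: *\nPin: release n=%s\nPin-Priority: %s\n' "$1" "$2"
}

restart_resolved() {
    # $1 = action, $2 = interface. Only act if resolved is the active resolver.
    if systemctl is-active --quiet systemd-resolved.service; then
        logger -t resolved-vpn-hook "restarting systemd-resolved after $1 on $2"
        systemctl restart systemd-resolved.service
    fi
}

main() {
    iface="${1-}"
    action="${2-}"
    if should_restart_resolved "$iface" "$action"; then
        restart_resolved "$action" "$iface"
    fi
}

# Run only when invoked by NetworkManager (two positional arguments).
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Restarting resolved briefly takes down the stub listener on 127.0.0.53, so lookups in flight at that moment fail; the hook is a workaround until the fixed strongswan packages discussed later in this bug are installed, not a permanent setup.
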
Peter Beurle (beurle) wrote :

Seems like it's still a problem in Ubuntu 20.04.1 / focal

Tero Gusto (tero-gusto) wrote :

I can confirm this in 20.04.1:

Oct 23 17:29:00 comp systemd-resolved[753]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Oct 23 17:29:00 comp systemd-resolved[753]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

Vin'c (g4-u3uxtu-lr) wrote :

I would add

https://wiki.strongswan.org/issues/3615

- Local workaround with a script triggered in `pre-up` stage to restart service
- Explanation of upstream workaround (see previous comment/commit) that uses a dummy TUN device

---
Also the workaround we use at the moment (choose either this one or the script from [strongswan#3615](https://wiki.strongswan.org/issues/3615)):
use `network-manager` (static) instead of `systemd-resolved`

    sudo systemctl disable systemd-resolved.service
    sudo systemctl stop systemd-resolved

Put `dns=default` in the `[main]` section of your `/etc/NetworkManager/NetworkManager.conf`:

    [main]
    dns=default

Delete the symlink /etc/resolv.conf

    rm /etc/resolv.conf

Restart network-manager

    sudo service network-manager restart

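The switch described in the comment above, as an added example that is not part of the original post nor of NetworkManager: the same four steps, with the checks a blind copy-paste skips. `set_nm_dns_mode` edits the `[main]` section in place (replacing an existing `dns=` line or adding one, and creating `[main]` if the file has none) instead of appending a second `[main]` stanza, and `resolv_conf_is_resolved_link` removes `/etc/resolv.conf` only when it is the symlink `systemd-resolved` installs, never a hand-written file. The `--apply` flag, the `.bak` suffix and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): move a NetworkManager host from
# systemd-resolved to NetworkManager's own resolv.conf handling (dns=default).
# Run as root with --apply; without arguments it only defines the functions.
set -eu

# Set (or replace) dns=<mode> in the [main] section of a NetworkManager.conf,
# creating [main] if the file has none. Every other line is left untouched.
set_nm_dns_mode() {
    conf="$1"
    mode="$2"
    tmp="$(mktemp)"
    awk -v mode="$mode" '
        BEGIN { in_main = 0; done = 0 }
        /^\[/ {
            # Leaving [main] without having seen dns=: add it before the next section.
            if (in_main && !done) { print "dns=" mode; done = 1 }
            in_main = ($0 == "[main]")
            print; next
        }
        in_main && /^[ \t]*dns[ \t]*=/ {
            # Replace an existing dns= line; only the first one survives.
            if (!done) { print "dns=" mode; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_main) print "[main]"
                print "dns=" mode
            }
        }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # write through the existing inode, keeping owner and mode
    rm -f "$tmp"
}

# True only for the symlink systemd-resolved installs (stub-resolv.conf or
# resolv.conf under /run/systemd/resolve); anything else is left alone.
resolv_conf_is_resolved_link() {
    f="${1:-/etc/resolv.conf}"
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            */systemd/resolve/stub-resolv.conf|*/systemd/resolve/resolv.conf) return 0 ;;
        esac
    fi
    return 1
}

apply() {
    conf=/etc/NetworkManager/NetworkManager.conf
    cp -p "$conf" "$conf.bak"                      # keep a way back
    systemctl disable --now systemd-resolved.service
    set_nm_dns_mode "$conf" default
    if resolv_conf_is_resolved_link /etc/resolv.conf; then
        rm /etc/resolv.conf                        # NetworkManager recreates it as a plain file
    fi
    systemctl restart NetworkManager.service
    grep '^nameserver' /etc/resolv.conf            # show the resolvers NetworkManager wrote
}

if [ "${1-}" = "--apply" ]; then
    apply
fi
```

With `dns=default` there is no per-link DNS routing any more: NetworkManager writes a flat list of `nameserver` lines and the libc resolver sends every query to the first one that answers, so whether VPN-internal names resolve depends on the VPN's server being listed first, and when it is, all other lookups go through it too.
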
Peter Beurle (beurle) wrote :

This became an issue in Fedora 33 when they went to systemd-resolved. They have just packaged and updated to strongSwan 5.9.2 and I can confirm it resolves this issue without workarounds.

This is a VPN; surely for security reasons alone we should be getting the latest packages as updates? This affects every version of Ubuntu 18 / Bionic, as the latest I can find is 5.9.1

I would appreciate any hints on how to ask for something to be done...

Nick Rosbrook (enr0n) wrote :

Since it sounds like the resolution was in a newer version of strongswan, I am re-assigning to that package.

affects: systemd (Ubuntu) → strongswan (Ubuntu)
Mitchell Dzurick (mitchdz) wrote :

This could be a duplicate of https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1772705 which has been included in Bionic since 5.6.2-1ubuntu2.5.

Since the issue is reported fixed in 5.6.2-2, and broken in 5.6.2-1, the Debian delta is

  * charon-nm: Fix building list of DNS/MDNS servers with libnm
  * d/control: drop b-d on n-m-dev and make libnm-dev linux-any
    (closes: #895434)
  * d/compat bumped to 10
  * d/rules: drop parallel and autoreconf from dh, done with compat 10

The only likely fix is
  * charon-nm: Fix building list of DNS/MDNS servers with libnm

Which is already included in bionic from the bug I linked.

I'm setting this bug to incomplete for more information. If this bug still affects you, please let me know and I will change to confirmed.

Changed in strongswan (Ubuntu):
status: Confirmed → Incomplete