resolve Plugin

Purpose

The resolve plugin for libcharon writes name servers to resolv.conf. It is enabled by default but may be disabled with the ./configure option --disable-resolve.

Behavior

Name servers received via CP configuration payloads (IKEv2) or via Mode Config (IKEv1) are added to /etc/resolv.conf or installed via resolvconf(8). When the connection goes down, the name servers are automatically removed again.

Configuration

The resolve plugin is configured using the following options in the charon.plugins.resolve section of strongswan.conf:

Key: file
Default: /etc/resolv.conf
Description: File where name servers are written to if not using resolvconf(8).

Key: resolvconf.iface
Default: lo.inet
Description: The interface name and protocol sent to resolvconf(8). This has to be a valid interface name according to the rules defined by resolvconf. It should also have a high priority according to the order defined in interface-order(8), if relevant on the system.

Key: resolvconf.path
Default: /sbin/resolvconf
Description: Path/command for resolvconf(8) (since version 5.9.9). The command is executed by a shell, so "resolvconf" works if it is in the $PATH of the daemon. If not configured, resolvconf(8) is used if found at the default location; otherwise the file named in charon.plugins.resolve.file is modified directly.

Support for resolvconf(8)

strongSwan provides support for installing name servers via the resolvconf framework (or e.g. the implementation provided by systemd’s resolvectl). If resolvconf is found or its path is explicitly configured, the plugin automatically invokes it appropriately instead of modifying resolv.conf directly.
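Because resolvconf.path accepts any command, it can point at a wrapper that records which name servers a gateway pushed before handing the unchanged request to the real resolvconf(8); the script below is an added example, not strongSwan code or anything from this page. It assumes the standard resolvconf calling convention ("-a IFACE" adds the resolv.conf text read from stdin, "-d IFACE" removes that entry) and the /sbin/resolvconf default location; REAL_RESOLVCONF, audit_line and the other names are the example's own.

```shell
#!/bin/sh
# Audit wrapper for resolvconf(8) (example only, not part of strongSwan).
# Set charon.plugins.resolve.resolvconf.path to this script; charon then runs
# it instead of resolvconf, every pushed name server is logged via logger(1),
# and the request is passed on unchanged to the real resolvconf.
# Assumes the usual convention: "-a IFACE" reads resolv.conf text from stdin,
# "-d IFACE" deletes the entry for IFACE.

REAL_RESOLVCONF="${REAL_RESOLVCONF:-/sbin/resolvconf}"   # assumed default path
LOG_TAG="charon-resolve-audit"

# Print the value of every "nameserver" line in resolv.conf-style text on stdin.
extract_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Character-class check (not full validation): only digits, hex letters, '.'
# and ':' may appear, so a hostname or other odd token in pushed data stands out.
is_ip_literal() {
    case "$1" in
        *[!0-9A-Fa-f.:]*|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Build the audit message for an "-a IFACE" request; $2 holds the resolv.conf
# text. Anything that is not an IP literal is marked SUSPECT in the log line.
audit_line() {
    iface="$1"
    summary=""
    for ns in $(printf '%s\n' "$2" | extract_nameservers); do
        if is_ip_literal "$ns"; then summary="$summary $ns"; else summary="$summary SUSPECT($ns)"; fi
    done
    printf 'add iface=%s nameservers=%s' "$iface" "${summary# }"
}

main() {
    case "$1" in
        -a) content="$(cat)"
            logger -t "$LOG_TAG" "$(audit_line "$2" "$content")"
            printf '%s\n' "$content" | "$REAL_RESOLVCONF" "$@" ;;
        -d) logger -t "$LOG_TAG" "delete iface=$2"
            exec "$REAL_RESOLVCONF" "$@" ;;
        *)  exec "$REAL_RESOLVCONF" "$@" ;;
    esac
}

# Dispatch only when invoked with arguments (charon always passes a mode and an interface).
if [ "$#" -gt 0 ]; then main "$@"; fi
```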

Prior to version 5.9.9, the plugin installed every name server separately and generated unique interface names by appending the IP address of the name server to a prefix (configured in the now-removed resolvconf.iface_prefix option). Since version 5.9.9, all name servers are installed under a single, configurable interface/protocol name (resolvconf.iface). If multiple name servers are assigned, resolvconf is invoked multiple times, but each invocation receives all name servers available at that time.