IPSec Roadwarrior - DNS naming resolves only when ipfire local subnet is set to


I’ve setup IPSec VPN with PSK on ipfire v154 and the main problem is that connected roadwarrior clients only resolves DNS naming when IPSec’s Local Subnet is set to

And setting it to all the Roadwarrior’s traffic is routed through our Office’s ipfire-firewall…

I would prefer to have split-tunneling but if I set IPSec’s Local Subnet to: then I can’t ping any host with domain *.office.local

Here are my settings:
Green network:
DHCP-Server is up with domain: office.local on

Host-to-Net Virtual Private Network (RoadWarrior):
IPSec Local Subnet:

I’ve tried also in


to set


but it doesn’t resolve any DNS naming.

Split-Tunneling works for OpenVPN Roadwarriors though…

I’m wondering if split-tunneling for IPSec is possible on ipfire ? Or are there any restrictions on ipfire ?



Split tunneling is possible, though it’s more of a challenge for different clients. You don’t specify what OS you are using, but in Windows, one can go to the adapter and edit the advanced options under the IPV4 settings, Uncheck the box to use the default gateway on the remote side. That enables split tunneling.

Also, you can use PowerShell set-vpnconnection to enable Split Tunneling.

 set-vpnconnection -name "My VPN Connection Name" -splittunneling $true

Thanks for looking at this.
Well mainly iOS or macOS clients which I think is not possible to alter its configuration files…

If you use a configuration profile, it’s possible to control many more parameters, but DNS and split tunneling are a challenge for Apple clients, I think.

hi !
i checked with actual version (on a mobile phone with PSK auth which is the only working config for me)
and its still like you write here… using all is still ok, but when you want to route only traffiy to your local net via VPN (e.g. DNS is broken for any reason…

Ciao Gerd

@goerdi Maybe this thread can give you some insight. IPSec on macOS and split tunneling

Hi !
I guess no… only thing which is running actual is android PSK… Windows with certs is far away… as described in above Problems…

So have you actually edit the file /etc/strongswan.d/charon/attr.conf (via ssh connection on your firewall), as described in the thread “IPSec on macOS and split tunneling” ?
This should also work on Android.

1 Like

Hi !

Negativ… it still does not work…

To use dns through the tunnel you have to configure as additional dns server. Most IPSec clients does not do this.