• Getting IPSEC over GRE to work

    1
    0 Votes
    1 Posts
    342 Views
    No one has replied
  • 0 Votes
    2 Posts
    704 Views

    @sergecaron This issue is reported as #7773 IPSec using IKEv2 with split DNS not using provided domain names and has been open since August 2017.

    This is what an iOS client currently receives in pfSense 2.6.0:

    08[IKE] <con-mobile|60> IKE_SA con-mobile[60] state change: CONNECTING => ESTABLISHED
    08[IKE] <con-mobile|60> scheduling rekeying in 25549s
    08[IKE] <con-mobile|60> maximum IKE_SA lifetime 28429s
    08[IKE] <con-mobile|60> peer requested virtual IP %any
    08[CFG] <con-mobile|60> reassigning offline lease to 'RemoteUser'
    08[IKE] <con-mobile|60> assigning virtual IP 192.168.233.241 to peer 'RemoteUser'
    08[IKE] <con-mobile|60> peer requested virtual IP %any6
    08[IKE] <con-mobile|60> no virtual IP found for %any6 requested by 'RemoteUser'
    08[IKE] <con-mobile|60> building INTERNAL_IP4_DNS attribute
    08[IKE] <con-mobile|60> building INTERNAL_IP4_DNS attribute
    08[IKE] <con-mobile|60> building INTERNAL_IP4_SUBNET attribute
    08[IKE] <con-mobile|60> building INTERNAL_IP4_SUBNET attribute
    08[IKE] <con-mobile|60> building (27674) attribute
    08[IKE] <con-mobile|60> building UNITY_SPLITDNS_NAME attribute
    08[CFG] <con-mobile|60> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    08[IKE] <con-mobile|60> CHILD_SA con-mobile{6} established with SPIs cf1aed7d_i 053643d4_o and TS 192.168.18.0/24|/0 192.168.166.0/24|/0 === 192.168.233.241/32|/0
    08[ENC] <con-mobile|60> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS SUBNET SUBNET (27674) U_SPLITDNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]

    The 27674 and UNITY_SPLITDNS_NAME attributes are not defined in IKEv2.

    This client will never process internal DNS servers.

    Is it time to fix this?

    Regards,

  • Operating VPN tunnel security&privacy in China

    1
    0 Votes
    1 Posts
    450 Views
    No one has replied
  • IPSEC Mobile Client--Weird Issue with 0.0.0.0/0

    3
    0 Votes
    3 Posts
    703 Views

    @jimp

    Thanks. This makes sense... I can confirm: iOS 15.3.1 (both iPhone and iPad Pro) failed badly. I was hoping to use the Mobile Client for 0.0.0.0/0. I can still use the LAN access. Really appreciate the note so I can stop digging.

  • IPSEC - Routed VTI interface randomly assuming default gateway

    2
    0 Votes
    2 Posts
    564 Views
    jimp

    While it may be unexpected for you, it's doing what it was told to do. Namely, it picked a default gateway automatically. It's safest to ship with that on automatic as it ensures the most likely path to success initially. Once you add more interfaces with gateways it's not so simple, though. It's easy enough to change the default gateway to a specific entry (or a gateway group expressing your automatic failover preference).

    I thought we had a warning in the docs but I don't see one now. I'm probably thinking of WireGuard which does have a warning.

    I'll look into adding a similar note to the VTI docs.

  • It has to be 2.6

    1
    0 Votes
    1 Posts
    417 Views
    No one has replied
  • IPSEC VTI - unable to send any traffic. Receive counter increase

    1
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • pfSense ipsec as default gateway to AWS VPC

    1
    0 Votes
    1 Posts
    386 Views
    No one has replied
  • IPSEC - Will creating more phase two tunnels slow down the VPN

    4
    0 Votes
    4 Posts
    756 Views

    @daboomer without knowing how much data, the type of CPU, internet connection, other side CPU, internet connection, consistency of data, etc...

    The only thing we can say is it will increase CPU load.

    I consistently push 25Mbps to a datacenter over fiber about 6 miles away... but adding more P2s doesn't change my throughput at all on my 5100 on 1GbE.

  • IPSEC VPN S2S one way communication

    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • IPsec stopped routing to remote network after upgrade to version 2.6

    2
    4 Votes
    2 Posts
    631 Views

    @rodfcabral Same here - been met with silence from pfSense.

  • ipsec client to site

    3
    0 Votes
    3 Posts
    644 Views

    @viragomann I'm going to test; if there was a working IPsec client to client in the MikroTik, that seems a good initiative. Thanks a lot.

  • Double NAT outbound over IPSec

    2
    0 Votes
    2 Posts
    595 Views

    @fifty_bellies
    You can do this by entering the desired translation network in the phase 2 at "NAT/BINAT translation".

    However, consider that on the remote site you also have to replace the remote network with the NAT network.

  • IPSec keyingtries setting

    8
    0 Votes
    8 Posts
    2k Views

    @jimp Thanks for your input!

    I just activated this option and will see if it resolves the issue.

    Is it best to activate it only on the initiating pfSense or on both sites?

  • IKEv2 "RW-equivalent" S2S

    1
    0 Votes
    1 Posts
    393 Views
    No one has replied
  • 0 Votes
    1 Posts
    404 Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views

    Well according to this documentation NHRP via FRR is not available for FreeBSD. 😞

    http://docs.frrouting.org/en/latest/overview.html#feature-matrix

  • MTU through IPSEC Tunnel for UDP Traffic

    2
    0 Votes
    2 Posts
    651 Views

    Can anyone shed some light on this?

  • IPsec IKEv2 for mobile clients : NO_PROPOSAL_CHOSEN

    1
    0 Votes
    1 Posts
    428 Views
    No one has replied
  • IPSec firewall rules not added?

    2
    2 Votes
    2 Posts
    720 Views

    I'm experiencing exactly the same issue.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.