IPsec + iOS and DNS Issues

broknbottle

I've configured IPsec per this guide, http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 I am having trouble getting my iPhone and iPad to resolve hostnames.  I can connect to my NAS etc using the local IP address but any attempt to use the hostname causes it to fail.  On my pfSense box I have DNS forwarder enabled and under mobile clients I have provide a DNS server checked and the IP address of my pfSense box first in the list.   I've been pulling my hair out trying to figure this out.

azzido

Did you provide LAN IP as a DNS server in the VPN setup? Try setting it to an external DNS server such as 4.2.2.2 and check if that makes any difference.

broknbottle

I have the checkbox next to 'Provide a DNS server list to clients' checked and the first DNS I have listed is my pfSense box LAN IP address.  When I connect with my notebook - OS X - Cisco IPsec using the credentials I've set up for my iPhone, if I look under DNS it has my firewall listed and under domains it has .priv my domain listed.  My notebook is also not able to resolve hostname when connected via IPsec.  Both my phone and notebook can browse the web (IP & Hostname) and connect to devices on my network (via IP address NOT hostname). I've also connected to the VPN and changed my DNS to my pfSense LAN IP and I am able to browse the web and when I attempt to ping devices on home network it's resolving somewhat, no response but I see firewall (10.10.72.1) or nas (10.10.72.7) but like I said no response via ping.

I am currently connected and off site, here is my dns per scutil –dns

DNS configuration

resolver #1
 search domain[0] : site.stayonline.net
 nameserver[0] : 4.2.2.2
 nameserver[1] : 12.127.16.68
 nameserver[2] : 12.127.16.67

resolver #2
 domain   : local
 options  : mdns
 timeout  : 5
 order    : 300000

resolver #3
 domain   : 254.169.in-addr.arpa
 options  : mdns
 timeout  : 5
 order    : 300200

resolver #4
 domain   : 8.e.f.ip6.arpa
 options  : mdns
 timeout  : 5
 order    : 300400

resolver #5
 domain   : 9.e.f.ip6.arpa
 options  : mdns
 timeout  : 5
 order    : 300600

resolver #6
 domain   : a.e.f.ip6.arpa
 options  : mdns
 timeout  : 5
 order    : 300800

resolver #7
 domain   : b.e.f.ip6.arpa
 options  : mdns
 timeout  : 5
 order    : 301000

DNS configuration (for scoped queries)

resolver #1
 search domain[0] : site.stayonline.net
 nameserver[0] : 4.2.2.2
 nameserver[1] : 12.127.16.68
 nameserver[2] : 12.127.16.67
 if_index : 7 (en0)
 flags    : Scoped

resolver #2
 search domain[0] : priv
 nameserver[0] : 10.10.72.1
 if_index : 8 (utun0)
 flags    : Scoped

broknbottle

I resolved the issue by adding a floating rule to allow IPsec to LAN subnet.

eniot

it's works for me too but what is this floating rule ?

thanks