[2.2] Strong Swan DNS Problems with mobile users

networkninja

btw - here are the logs from my mac connecting to 2.2:

Feb  6 10:48:19 superfly.local racoon[1272]: IKE Packet: receive success. (MODE-Config).
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration started.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.16.90.1.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.16.60.254.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: DEF-DOMAIN = xyz.com.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: SPLITDNS-NAME[0] = xyz.comp.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: SPLIT-INCLUDE.
Feb  6 10:48:19 superfly kernel[0]: utun_ctl_connect: creating interface utun0
Feb  6 10:48:19 superfly kernel[0]: utun0: is now delegating en8 (type 0x6, family 2, sub-family 0)
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Phase2 starting.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration established.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Phase1 established.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration started.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.16.90.1.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.16.60.254.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: DEF-DOMAIN = xyz.com.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: SPLITDNS-NAME[0] = xyz.comp.
Feb  6 10:48:19 superfly.local nesessionmanager[356]: IPSec Network Configuration: SPLIT-INCLUDE.
Feb  6 10:48:19 superfly.local configd[26]: network changed.

This is happening even when I have Split DNS unchecked in the GUI.

Here are the logs from a successful 2.1.5 connection in which everything works:

Feb  6 10:53:28 superfly.local racoon[1272]: IKE Packet: receive success. (MODE-Config).
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration started.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.5.0.2.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-DNS = (null).
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: DEF-DOMAIN = (null).
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: SPLITDNS-NAME[0] = (null).
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: SPLIT-INCLUDE.
Feb  6 10:53:28 superfly kernel[0]: utun_ctl_connect: creating interface utun0
Feb  6 10:53:28 superfly kernel[0]: utun0: is now delegating en8 (type 0x6, family 2, sub-family 0)
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Phase2 starting.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration established.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Phase1 established.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration started.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.5.0.2.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: INTERNAL-IP4-DNS = (null).
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: DEF-DOMAIN = (null).
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: SPLITDNS-NAME[0] = (null).
Feb  6 10:53:28 superfly.local nesessionmanager[356]: IPSec Network Configuration: SPLIT-INCLUDE.
Feb  6 10:53:28 superfly.local configd[26]: network changed.

Very strange that when the relevant attributes are (null) the internal DNS server and search domain work fine.

rkuo

I am having the exact same problem.  The upgrade to 2.2 broke DNS and I am seeing the same "p" appended to the domain, which is a bad sign, even tho I can't be sure.

networkninja

Well I guess nobody cares except those that are affected by this…

dwood

I was hung up in the same situation.  I took my first crack at OpenVPN which I got configured, routing and pushing out client install packages in about 15 minutes.  Very slick on both iOS and PC.

doktornotor

@networkninja:

Well I guess nobody cares except those that are affected by this…

What's not reported cannot get fixed => https://redmine.pfsense.org/issues/4418

dstroot

For what it's worth I have asked several times about setting up an IPSEC VPN with a current version of iOS (apple iphone, not Cisco).  I can't get it to work for the life of me but for some reason vpn'ing back in via your iPhone or iPad doesn't seem to get a lot of attention here.  If I could figure it out I'd be happy to create a nice guide with screenshots, etc and hopefully put it up on the Wiki.

I feel OpenVPN (which does work well) is clunky and I would prefer a "built-in" option.

cmb

@doktornotor:

What's not reported cannot get fixed => https://redmine.pfsense.org/issues/4418

Thanks notor, I was already looking into it.

@dstroot:

but for some reason vpn'ing back in via your iPhone or iPad doesn't seem to get a lot of attention here.

Because it works perfectly fine. And there are instructions.
https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
though the instructions in the 2.1x book are better in general, and equally applicable to 2.2.

I tend to have to limit my involvement here to things that are quickly addressable, or things indicative of a bug of some sort. We setup mobile IPsec for iOS for support customers all the time, and use it ourselves with iOS and OS X.

eri--

Can you please test the change done for https://redmine.pfsense.org/issues/4418 and report back?

doktornotor

@ermal:

Can you please test the change done for https://redmine.pfsense.org/issues/4418 and report back?

Cannot see any commit there. In general, there seems to be some issue with Redmine showing commits with a significant delay.

EDIT: Finally there, took over 30 minutes  ???

networkninja

Thanks for looking into this!

Garrett

Just found a workaround by appending another bogus domain name in my split-dns list from: "mydomain.com" to "mydomain.com bogus.com". That seemed to do the trick.

cmb

@Garrett:

Just found a workaround by appending another bogus domain name in my split-dns list from: "mydomain.com" to "mydomain.com bogus.com". That seemed to do the trick.

That'll work around it. The root issue, which was a client-side problem, was fixed in OS X El Capitan for sure, and I believe a newer iOS version than this thread originally referenced as well.