Netgate Discussion Forum

Problem with DNS when connecting to pfSense box using VPN IPSec

marioja
last edited by Sep 21, 2016, 3:12 AM

I already looked at the following post and it does not seem to help: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

Here is my setup.

I am using pfSense 2.3.2 (latest). My LAN interface is 10.0.0.2/24. I created a mobile VPN IPsec configuration where I have in Phase 1 an IKEv1 with PSK+Xauth authentication. I am able to create a VPN tunnel from my iPhone or iPad. However, I am unable to perform any DNS lookup using the intranet DNS server connected to pfSense from the iPhone or iPad.

In the VPN / IPsec / Mobile Clients page:

• I created a virtual address pool 10.3.0.0/24
• I checked "Provide a list of accessible networks to clients"
• I provided a DNS server list to clients with IPs 10.0.0.1 and 10.0.0.4

In Phase 2 I have mode Tunnel IPv4 and local network LAN subnet with no NAT/BINAT translation.

When I attempt to browse with Safari to a site on the intranet using a DNS name, I see DNS query packets from 10.3.0.1 to DNS servers 10.0.0.1 and 10.0.0.4 on the enc0 (IPsec) interface, but I never see any response. Capturing packets on the LAN interface does not show those packets going to the LAN interface. I added a static route from 10.3.0.0/24 to an added gateway with the LAN IP address as per the post cited at the beginning of this post, but it makes no difference. If I look at netstat -rn I see the static route added.

The only odd thing is, when I run ipsec statusall, I notice that under Security Associations I see the following entry:

10.0.0.0/24|/0 === 10.3.0.1/32|/0

I do not know why it shows up as /32 and not /24 even though the configuration is /24.

At any rate, the DNS is not working and any help would be much appreciated.

marioja
last edited by Sep 21, 2016, 3:37 PM

It looks like this https://www.strongswan.org/testing/testresults/ikev1/xauth-id-psk-config/ documents an identical configuration, but I checked there and I cannot nail it. The only difference was that leftsubnet is defined in the strongSwan example and not in pfSense. I tried adding it manually with no change in results.

owczi
last edited by Sep 22, 2016, 2:29 PM

Are the DNS servers separate DNS servers, or is this dnsmasq running on pfSense?

I recently fixed an issue I was having for quite a while where none of my VPN clients and none of my VPN spoke hosts could talk to my DNS. I had to switch the dnsmasq configuration from "all interfaces" to "strict interface binding", and select the specific interfaces the DNS service should listen on (always loopback, and any others required).

However, this specifically applies to a scenario where the same pfSense runs your DNS and serves VPN clients.

marioja
last edited by Sep 22, 2016, 2:48 PM

The DNS servers have IP 10.0.0.1 and 10.0.0.4 and are on the LAN side of pfSense.

marioja
last edited by Sep 22, 2016, 8:28 PM

OK, resolved it.

The IPsec firewall rule set up to allow the traffic excluded the UDP protocol. I changed it to be like this:

    protocol: IPV4 *
    source: 10.3.0.0/24

Also, the static route mentioned previously in my post was not necessary. I did not see the need for it. I believe it was for another issue.

You should also be aware of the following bug, https://redmine.pfsense.org/issues/4418, which affects DNS resolving. As a workaround I had to remove the default DNS domain and enter it twice, separated by a space, in the split DNS field.

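As an added illustration of the fix in the last post (this is example code, not from the thread or from pfSense): a small model of first-match, default-deny rule evaluation on the IPsec interface, run over constructed flows from the mobile client's virtual address 10.3.0.1. The thread only says the original rule excluded UDP, so a TCP-only pass rule is assumed for the "before" case; it shows why the DNS queries were visible on enc0 yet never reached the LAN, and how the "IPv4 *" rule lets them through.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of pfSense's per-interface rule evaluation: first match
# wins, implicit default deny. Added example, not pfSense code.

@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "any" (pfSense "IPv4 *"), "udp" or "tcp"
    src_net: str  # source CIDR
    dst_net: str  # destination CIDR

def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst_net))

def evaluate(rules: list, flow: Flow) -> str:
    """Action of the first matching rule, or 'block' when nothing matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "block"

def dropped_flows(rules: list, flows: list) -> list:
    """Flows that arrive decrypted on enc0 but are dropped by the filter,
    so a capture on enc0 shows them while a capture on LAN never does."""
    return [f for f in flows if evaluate(rules, f) == "block"]

# Assumed "before" rule (the thread only says UDP was excluded): TCP-only pass.
RULES_BEFORE = [Rule("pass", "tcp", "10.3.0.0/24", "0.0.0.0/0")]
# The fix from the thread: protocol IPv4 *, source 10.3.0.0/24.
RULES_AFTER = [Rule("pass", "any", "10.3.0.0/24", "0.0.0.0/0")]

# Constructed traffic from the iPhone's virtual address 10.3.0.1.
DNS_QUERY_1 = Flow("udp", "10.3.0.1", "10.0.0.1", 53)
DNS_QUERY_2 = Flow("udp", "10.3.0.1", "10.0.0.4", 53)
WEB_REQUEST = Flow("tcp", "10.3.0.1", "10.0.0.50", 80)  # constructed LAN web host
SAMPLE_FLOWS = [DNS_QUERY_1, DNS_QUERY_2, WEB_REQUEST]
```

Note that the fixed rule still only passes traffic sourced from the 10.3.0.0/24 pool, so a flow from any other address is still dropped by the default deny.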
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.