IPSec Mobile Clients are NOT provided with a list of DNS Servers
SergeCaron
In their simplest configuration, mobile IKEv2 tunnels have a single Phase 2 entry representing a split horizon: the remote client maintains local connectivity to its local network (presumably with Internet access) and gains remote access to the network protected by the tunnel.
When the remote network requires its own DNS server (to resolve workstation.somedomain.local, for example), we need to specify the IP address of that DNS server.
In the current GUI, this is done in “VPN / IPsec / Mobile Clients” using the option “Provide a DNS server list to clients”. So, if the remote subnet is 192.168.18.0/24 and there is a DNS server at 192.168.18.10 then the GUI entries are correctly configured in “/var/etc/ipsec/strongswan.conf”:
dns = 192.168.18.10
subnet = 192.168.18.0/24
split-include = 192.168.18.0/24
However, this does not translate into a “rightdns” entry in ipsec.conf (as documented in https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection).
Actual connections with iOS 11.0.3 clients and Windows 10 clients do not result in this DNS being setup in the client configuration.
The option “Provide a list of accessible networks to clients” works as expected: if multiple Phase 2 entries are declared, both iOS 11.0.3 clients and Windows 10 clients will setup the corresponding routes. (Note: in this configuration, the Phase 2 proposals were set the same for each entry although the GUI allows a mix-and-match of protocols and transforms. I am not going there :)
I understand that replacing the DNS server(s) of the remote client has implications but this is a choice of the pfSense administrator: if s/he wants to handle the remote DNS requests, so be it.
This issue seems to arise from the GUI itself rather than a bug in strongSwan.
Can this be fixed?
I second that. Even if you specify DNS Servers in MOBILE settings, they do not get added in ipsec.conf.
rightdns was implemented in strongSwan 5.0.1.
How can I add this variable to ipsec.conf?
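The check below is an added example written for this thread; it is not code from either poster or from pfSense. It covers both the observation in the first post (a `dns =` value in the attr section of strongswan.conf with no matching `rightdns` in the mobile conn of ipsec.conf) and the question in the second post (what the conn section looks like once `rightdns=` is present). The two file contents are constructed samples in the shape the first post describes; the conn name `con-mobile`, the gateway address and the client pool are assumptions, as is the exact layout pfSense uses for the attr block. Note that pfSense regenerates /var/etc/ipsec/ipsec.conf from the GUI configuration, so a hand-inserted `rightdns=` line shows what the generator should emit but will not survive the next configuration write.

```python
"""Check whether a strongSwan mobile conn in ipsec.conf carries a rightdns
entry matching the dns value written to the attr section of strongswan.conf,
and show the conn section with the missing line added.

Both file contents below are constructed samples for this example, not
copies from a real pfSense installation."""
import re
from typing import Dict, Optional

# Constructed sample: attr block as the thread describes pfSense writing it
# when "Provide a DNS server list to clients" is set.
STRONGSWAN_CONF = """\
charon {
    plugins {
        attr {
            dns = 192.168.18.10
            subnet = 192.168.18.0/24
            split-include = 192.168.18.0/24
        }
    }
}
"""

# Constructed sample: a mobile conn generated without any rightdns line.
# Conn name, gateway address and client pool are assumptions.
IPSEC_CONF_BROKEN = """\
config setup
    uniqueids = yes

conn con-mobile
    keyexchange=ikev2
    left=203.0.113.1
    right=%any
    leftsubnet=192.168.18.0/24
    rightsourceip=192.168.19.0/24
    auto=add
"""


def parse_attr_section(text: str) -> Dict[str, str]:
    """Return key/value pairs from the attr { ... } block of strongswan.conf."""
    m = re.search(r"attr\s*\{(.*?)\}", text, re.S)
    if not m:
        return {}
    pairs: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            pairs[k.strip()] = v.strip()
    return pairs


def parse_conn_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every conn in ipsec.conf.
    Section headers start in column 0; 'key=value' lines are indented."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():  # new section header ("conn X", "config setup", ...)
            parts = raw.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current:
                conns[current] = {}
            continue
        if current and "=" in raw:
            k, v = raw.strip().split("=", 1)
            conns[current][k.strip()] = v.strip()
    return conns


def missing_rightdns(ipsec_conf: str, strongswan_conf: str,
                     conn: str = "con-mobile") -> Optional[str]:
    """Return the DNS list that the attr section pushes but the conn lacks in
    rightdns, or None when rightdns already matches or no DNS is configured."""
    want = parse_attr_section(strongswan_conf).get("dns")
    if not want:
        return None
    have = parse_conn_sections(ipsec_conf).get(conn, {}).get("rightdns")
    return None if have == want else want


def add_rightdns(ipsec_conf: str, conn: str, dns: str) -> str:
    """Insert 'rightdns=<dns>' directly under 'conn <name>' using ipsec.conf
    syntax (rightdns is documented on the strongSwan ConnSection wiki page)."""
    out, done = [], False
    for raw in ipsec_conf.splitlines():
        out.append(raw)
        if not done and raw.split()[:2] == ["conn", conn]:
            out.append(f"    rightdns={dns}")
            done = True
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    gap = missing_rightdns(IPSEC_CONF_BROKEN, STRONGSWAN_CONF)
    print("rightdns missing from con-mobile, expected:", gap)
    print(add_rightdns(IPSEC_CONF_BROKEN, "con-mobile", gap))
```

Run it against the real files on a pfSense box by replacing the two sample strings with the contents of /var/etc/ipsec/strongswan.conf and /var/etc/ipsec/ipsec.conf; a non-None result from `missing_rightdns` reproduces the mismatch described in the first post.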