Netgate Discussion Forum
    IPSec Mobile Clients are NOT provided with a list of DNS Servers

    SergeCaron

      Greetings!

      In their simplest configuration, mobile IKEv2 tunnels have a single Phase 2 entry representing a split horizon : the remote client maintains local connectivity to its local network (presumably with Internet access) and gains remote access to the network protected by the tunnel.

      When the remote network requires its own DNS server (to resolve workstation.somedomain.local, for example), we need to specify the IP address of that DNS server.

      In the current GUI, this is done in “VPN / IPsec / Mobile Clients” using the option “Provide a DNS server list to clients”. So, if the remote subnet is 192.168.18.0/24 and there is a DNS server at 192.168.18.10 then the GUI entries are correctly configured in “/var/etc/ipsec/strongswan.conf”:

      attr {
          dns = 192.168.18.10
          subnet = 192.168.18.0/24
          split-include = 192.168.18.0/24
      }

      However, this does not translate into a “rightdns” entry in ipsec.conf (as documented in https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection).

      Actual connections with iOS 11.0.3 clients and Windows 10 clients do not result in this DNS being set up in the client configuration.

      The option “Provide a list of accessible networks to clients” works as expected: if multiple Phase 2 entries are declared, both iOS 11.0.3 clients and Windows 10 clients will set up the corresponding routes. (Note: in this configuration, the Phase 2 proposals were set the same for each entry although the GUI allows a mix-and-match of protocols and transforms. I am not going there :)

      I understand that replacing the DNS server(s) of the remote client has implications but this is a choice of the pfSense administrator: if s/he wants to handle the remote DNS requests, so be it.

      This issue seems to arise from the GUI itself rather than a bug in strongSwan.

      Can this be fixed?

      solid.NET

        I second that. Even if you specify DNS Servers in MOBILE settings, they do not get added in ipsec.conf.

        RIGHTDNS got implemented in Strongswan 5.0.1.

        How can I add this variable to ipsec.conf?

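One way to check for the gap both posts describe, as an added example that is not code from this thread, from pfSense or from strongSwan: it parses the attr block pfSense writes into strongswan.conf and the conn sections of ipsec.conf, then reports every conn that has no rightdns entry (or one that does not match the attr dns list) and prints the rightdns line that would carry the same servers. Both file contents are constructed samples; the conn name con-mobile and the rightsourceip pool are assumptions.

```python
import re
# Constructed sample: the attr block pfSense writes into strongswan.conf.
STRONGSWAN_CONF = """\
attr {
    dns = 192.168.18.10
    subnet = 192.168.18.0/24
    split-include = 192.168.18.0/24
}
"""
# Constructed, simplified conn section; conn name and pool are assumptions.
IPSEC_CONF = """\
conn con-mobile
    keyexchange = ikev2
    leftsubnet = 192.168.18.0/24
    rightsourceip = 192.168.20.0/24
"""

def parse_attr(text):
    """Key/value pairs inside the attr { ... } block of strongswan.conf."""
    m = re.search(r"^\s*attr\s*\{(.*?)^\s*\}", text, re.S | re.M)
    if not m:
        return {}
    pairs = (l.split("=", 1) for l in m.group(1).splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_conns(text):
    """{conn name: {key: value}} for every conn section of ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current and "=" in line:
            k, v = line.split("=", 1)
            conns[current][k.strip()] = v.strip()
    return conns

def audit_rightdns(strongswan_text, ipsec_text):
    """Per conn: 'ok', 'missing' or 'mismatch:<value>'; plus the rightdns line to add."""
    expected = parse_attr(strongswan_text).get("dns", "")
    want = [x.strip() for x in expected.split(",")]
    findings = {}
    for name, opts in parse_conns(ipsec_text).items():
        got = opts.get("rightdns")
        if got is None:
            findings[name] = "missing"
        elif [x.strip() for x in got.split(",")] != want:
            findings[name] = f"mismatch:{got}"
        else:
            findings[name] = "ok"
    return findings, f"rightdns={expected}" if expected else None
```

Running `audit_rightdns(STRONGSWAN_CONF, IPSEC_CONF)` on the samples reports con-mobile as "missing" and suggests `rightdns=192.168.18.10`; the same check can be pointed at the live /var/etc/ipsec/ files after each GUI change.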
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.