2.3.5 DNS Suffix no longer working With Shrewsoft



  • Hello,

    We've just upgraded our in-office firewalls to 2.3.5 and we've found that clients using ShrewsoftVPN no longer have
    a working DNS suffix provided to them.

    I've run the Shrewsoft trace tool on the clients and I can see a difference in the attributes that are pulled:

    Working (2.2.6)

    
    18/04/12 16:04:22 ii : received config pull response
    18/04/12 16:04:22 ii : - IP4 Address = 192.168.254.2
    18/04/12 16:04:22 ii : - IP4 DNS Server = 10.3.0.10
    18/04/12 16:04:22 ii : - IP4 DNS Server = 10.3.0.11
    18/04/12 16:04:22 ii : - Unkown VARIABLE 13 = 8 bytes
    18/04/12 16:04:22 ii : - DNS Suffix = ourdomain.internal
    18/04/12 16:04:22 ii : - Split Domain
    18/04/12 16:04:22 ii : - IP4 Split Network Include = ANY:10.3.0.0/24:*
    
    

    Not Working (2.3.5)

    
    18/04/12 16:00:52 ii : received config pull response
    18/04/12 16:00:52 ii : - IP4 Address = 192.168.2545.2
    18/04/12 16:00:52 ii : - IP4 DNS Server = 10.3.0.10
    18/04/12 16:00:52 ii : - IP4 DNS Server = 10.3.0.11
    18/04/12 16:00:52 ii : - IP4 Subnet = ANY:10.3.0.0/24:*
    18/04/12 16:00:52 ii : - Unkown VARIABLE 28676 = 8 bytes
    18/04/12 16:00:52 ii : - Unkown VARIABLE 28674 = 18 bytes
    18/04/12 16:00:52 ii : - Unkown VARIABLE 28675 = 18 bytes
    18/04/12 16:00:52 ii : - Unkown VARIABLE 28673 = 1 bytes
    
    

    I've looked at the config files in /var/etc/ipsec/strongswan.conf between both versions and they both have:

    
            plugins {
                    attr {
                            dns = 10.3.0.10,10.3.0.11
                            subnet = 10.3.0.0/24
                            split-include = 10.3.0.0/24
                            # Search domain and default domain
                            28674 = "ourdomain.internal"
                            28675 = "ourdomain.internal"
                    }
    
    

    This is with the same version of Shrewsoft etc.; the only difference is the version of pfSense.

    Any thoughts?

    Thanks,
    Rob
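
An added example, not part of the original post and not Shrew Soft or pfSense code: a short Python script that parses the two traces quoted above and lists which mode-config attributes appear in only one of them. The number-to-name map uses the IKE configuration attribute names as strongSwan defines them; the function and variable names are assumptions made for illustration.

```python
import re

# Mode-config attribute numbers, named as in strongSwan's attribute definitions.
ATTR = {13: "INTERNAL_IP4_SUBNET", 28673: "UNITY_SAVE_PASSWD",
        28674: "UNITY_DEF_DOMAIN", 28675: "UNITY_SPLITDNS_NAME",
        28676: "UNITY_SPLIT_INCLUDE"}
LINE = re.compile(r" ii : - (?P<name>[^=]+?)(?: = (?P<value>.*))?$")
UNKNOWN = re.compile(r"Unkown VARIABLE (\d+)")  # spelling as the client logs it

def pulled_attributes(trace):
    """Map attribute name -> list of values from the last config pull response."""
    attrs, in_pull = {}, False
    for line in trace.splitlines():
        if "received config pull response" in line:
            attrs, in_pull = {}, True          # start of a new response
        elif in_pull and (m := LINE.search(line)):
            name = m.group("name").strip()
            if u := UNKNOWN.fullmatch(name):   # label numeric attributes
                name = f"{ATTR.get(int(u[1]), 'unrecognised')} ({u[1]})"
            attrs.setdefault(name, []).append(m.group("value"))
        elif line.strip():
            in_pull = False                    # any other log line ends the list
    return attrs

def compare(old, new):
    """Return (names only in old, names only in new), each sorted."""
    a, b = pulled_attributes(old), pulled_attributes(new)
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())

# Constructed sample input: the two traces as posted above.
WORKING = """18/04/12 16:04:22 ii : received config pull response
18/04/12 16:04:22 ii : - IP4 Address = 192.168.254.2
18/04/12 16:04:22 ii : - IP4 DNS Server = 10.3.0.10
18/04/12 16:04:22 ii : - IP4 DNS Server = 10.3.0.11
18/04/12 16:04:22 ii : - Unkown VARIABLE 13 = 8 bytes
18/04/12 16:04:22 ii : - DNS Suffix = ourdomain.internal
18/04/12 16:04:22 ii : - Split Domain
18/04/12 16:04:22 ii : - IP4 Split Network Include = ANY:10.3.0.0/24:*"""
BROKEN = """18/04/12 16:00:52 ii : received config pull response
18/04/12 16:00:52 ii : - IP4 Address = 192.168.2545.2
18/04/12 16:00:52 ii : - IP4 DNS Server = 10.3.0.10
18/04/12 16:00:52 ii : - IP4 DNS Server = 10.3.0.11
18/04/12 16:00:52 ii : - IP4 Subnet = ANY:10.3.0.0/24:*
18/04/12 16:00:52 ii : - Unkown VARIABLE 28676 = 8 bytes
18/04/12 16:00:52 ii : - Unkown VARIABLE 28674 = 18 bytes
18/04/12 16:00:52 ii : - Unkown VARIABLE 28675 = 18 bytes
18/04/12 16:00:52 ii : - Unkown VARIABLE 28673 = 1 bytes"""

print(compare(WORKING, BROKEN))
```

In the 2.3.5 trace, attributes 28674 and 28675 each carry 18 bytes, which equals the length of the configured `ourdomain.internal`. That is consistent with the suffix still arriving at the client but being logged as an unknown attribute instead of as DNS Suffix.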

