21.02-RELEASE IPsec Mobile DNS Issues
-
Just updated to 21.02, anyone else seeing their IPSec mobile clients not resolving DNS?
IP connectivity is fine and everything worked fine pre update, I'm using framed IP addressing via Radius.
-
If I fire up HEnet tools on the iPhone after connecting and do a query after putting in 172.16.0.1 it resolves, I'm wondering if IPsec isn't passing the DNS server.
-
What type of mobile IPsec setup is it? IKEv2 EAP-MSCHAPv2? Xauth? Something else?
If you look in /var/etc/ipsec/swanctl.conf at the mobile-pool block, are the DNS servers listed there?
-
@jimp said in 21.02-RELEASE IPsec Mobile DNS Issues:
What type of mobile IPsec setup is it? IKEv2 EAP-MSCHAPv2? Xauth? Something else?
If you look in /var/etc/ipsec/swanctl.conf at the mobile-pool block, are the DNS servers listed there?
Thanks @jimp
I'll get back to you with a reply tomorrow when I'm back at home.
-
@nogbadthebad said in 21.02-RELEASE IPsec Mobile DNS Issues:
mobile-pool
IKEv2 EAP-Radius & there is no block with mobile-pool.
I'm using FreeRadius to hand out framed IP addresses.
Attached strongswan.conf & swanctl.conf:-
-
Looks like after https://redmine.pfsense.org/issues/8160 it skips the mobile pool config for RADIUS-defined addresses, but I'm thinking maybe one of the tests that was added can be skipped.
Try applying this change:
diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc index 2736967988..4636067105 100644 --- a/src/etc/inc/ipsec.inc +++ b/src/etc/inc/ipsec.inc @@ -1487,10 +1487,6 @@ function ipsec_setup_pools() { if (!is_array($a_client) || !isset($a_client['enable'])) { return; } - if (($mobile_ipsec_auth == "eap-radius") && empty($a_client['pool_address']) && - empty($a_client['pool_address_v6'])) { - return; - } $scconf['mobile-pool'] = array(); $scconf['pools'] = array(); $pool_common =& $scconf['mobile-pool'];
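Review bot: removing this early return is the only guard the hunk touches, so when `$mobile_ipsec_auth` is `eap-radius` and both `pool_address` and `pool_address_v6` are empty, `ipsec_setup_pools()` now falls through to `$scconf['mobile-pool'] = array(); $scconf['pools'] = array();` with no address range to put in the pool. It would be worth confirming that a pool section generated without addresses is actually loaded by swanctl before relying on this; if it is not, consider keeping the pool-address guard but writing the mobile-pool attributes (dns, domains) independently of it, and note the RADIUS-only case in the function's comment.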
-
@jimp said in 21.02-RELEASE IPsec Mobile DNS Issues:
diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
Would that be via the patch manager or vi?
-
However you want to make the change. Since it's just removing a couple lines, it doesn't need any special technique. Apply the patch or edit the file (vi, Diag > Edit File, scp copy, whatever).
-
@jimp There are now entries in the mobile pool but lookups don't work after editing /etc/inc/ipsec.inc.
I've restarted the IPSec service and added another server entry.
mobile-pool {
    dns = 172.16.0.1,172.16.1.1
    # Search domain and default domain
    28674 = "xxxxxxxxxx.net"
    28675 = "xxxxxxxxxx.net"
}
-
After applying that change, make sure to stop and then start (not restart) the IPsec daemon to be certain it's loading it fresh/properly.
Also for good measure, from a shell prompt, run
swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
and make sure it's not generating any errors when loading that.
-
@jimp said in 21.02-RELEASE IPsec Mobile DNS Issues:
swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
No luck after a stop & start.
# swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
loaded certificate from '/var/etc/ipsec/x509/cert-1.crt'
loaded certificate from '/var/etc/ipsec/x509ca/37e450ce.0'
loaded RSA key from '/var/etc/ipsec/private/cert-1.key'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'bypass'
loaded connection 'con-mobile'
successfully loaded 2 connections, 0 unloaded
-
OK, so it's not loading it still. Makes sense as it may not have any other part of the configuration referencing it. I don't have any setups like this handy to poke at further, so I opened https://redmine.pfsense.org/issues/11447 to track it further for now.
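As an added diagnostic for the "no pools found" result above (this is not pfSense or strongSwan code and not from this thread): a small parser that reads a generated swanctl.conf, resolves swanctl's "name : base" section inheritance, and reports pools that lack addrs (swanctl never loads those, so any dns attribute attached to them never reaches a client) or lack dns. It assumes the layout the thread implies, an attribute-only mobile-pool section referenced by entries under pools; both sample configs are constructed.

```python
# Added example, not pfSense or strongSwan code: parse a generated swanctl.conf and
# report pools swanctl cannot load. Assumes the layout the thread implies: attributes
# in a top-level 'mobile-pool' section, pools under 'pools' using 'name : base {'.

def parse_swanctl(text):
    """Nested dicts from swanctl.conf; 'a : b {' stores b under '__base__'."""
    root = {}
    stack = [root]  # innermost open section is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line:
            continue
        if line.endswith("{"):
            name, _, base = line[:-1].partition(":")
            stack[-1][name.strip()] = sect = {"__base__": base.strip()} if base.strip() else {}
            stack.append(sect)
        elif line == "}":
            stack.pop()
        else:
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip().strip('"')
    return root

def effective(root, sect):
    merged = effective(root, root[sect["__base__"]]) if sect.get("__base__") in root else {}
    merged.update({k: v for k, v in sect.items() if k != "__base__"})  # overrides win
    return merged

def pool_problems(text):
    """Findings explaining why a loaded connection may still push no DNS."""
    root = parse_swanctl(text)
    pools = {k: v for k, v in root.get("pools", {}).items() if isinstance(v, dict)}
    findings = [] if pools else ["no pools: a standalone attribute section is never pushed"]
    for name, sect in pools.items():
        eff = effective(root, sect)
        missing = [k for k in ("addrs", "dns") if not eff.get(k)]  # no addrs = never loaded
        if missing:
            findings.append(f"pool {name}: missing {', '.join(missing)}")
    return findings

# Constructed samples: the thread's post-edit state (attributes, no pool) and a working pool.
BROKEN_CONF = "mobile-pool {\n    dns = 172.16.0.1,172.16.1.1\n}"
WORKING_CONF = """mobile-pool {
    dns = 172.16.0.1,172.16.1.1
}
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.99.0.0/24
    }
}"""
```

Run pool_problems() over /var/etc/ipsec/swanctl.conf after a config change; an empty list means every pool has both an address range and a dns attribute to hand out.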
-
@jimp Ta Jim, if you need any more info feel free to ask.
-
I've found a workaround.
# swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
loaded certificate from '/var/etc/ipsec/x509/cert-1.crt'
loaded certificate from '/var/etc/ipsec/x509ca/37e450ce.0'
loaded RSA key from '/var/etc/ipsec/private/cert-1.key'
no authorities found, 0 unloaded
loaded pool 'mobile-pool-v4'
successfully loaded 1 pools, 0 unloaded
loaded connection 'bypass'
loaded connection 'con-mobile'
successfully loaded 2 connections, 0 unloaded
#
-
Do your clients still get their addresses from RADIUS?
-
@jimp yes they do :)
-
OK, that should be good then. If a client doesn't have an address defined in RADIUS it will pull from that pool.
I know we added support to let both work at once in 2.5/21.02 but it hasn't seen a lot of real-world testing so far.
I'll try to find some time to setup a test rig for that here and see if I can come up with a way to allow the client settings to be defined without specifying the pool addresses.
-
Hi @jimp ! I am having the same problem after upgrading to 2.5. I used the workaround in this post, and mobile pools are loaded but still DNS servers are not pushed to Windows 10 client. It was all working great before the upgrade. Any clues on what to try out next?
-
@costasga try to apply Patch ID c03a2049b11304f592d0de78aa4bfb568e9a13ae
see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
-
@viktor_g Thanks for the super fast response. Unfortunately no improvement, DNS servers still not pushed. If I uncheck "Provide a virtual IP address to clients" like the above workaround, the mobile pool is not loaded despite the patch.