    21.02-RELEASE IPsec Mobile DNS Issues

    20 Posts 4 Posters 2.5k Views
    • NogBadTheBad

      Just updated to 21.02, anyone else seeing their IPsec mobile clients not resolving DNS?

      IP connectivity is fine and everything worked fine pre-update, I'm using framed IP addressing via RADIUS.


      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • NogBadTheBad @NogBadTheBad

        If I fire up HEnet tools on the iPhone after connecting and do a query after putting in 172.16.0.1 it resolves, I'm wondering if IPsec isn't passing the DNS server.

        • jimp (Netgate developer)

          What type of mobile IPsec setup is it? IKEv2 EAP-MSCHAPv2? Xauth? Something else?

          If you look in /var/etc/ipsec/swanctl.conf at the mobile-pool block, are the DNS servers listed there?

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • NogBadTheBad @jimp

            @jimp said in 21.02-RELEASE IPsec Mobile DNS Issues:

            What type of mobile IPsec setup is it? IKEv2 EAP-MSCHAPv2? Xauth? Something else?

            If you look in /var/etc/ipsec/swanctl.conf at the mobile-pool block, are the DNS servers listed there?

            Thanks @jimp

            I'll get back to you with a reply tomorrow when I'm back at home.

            • NogBadTheBad @NogBadTheBad

              @nogbadthebad said in 21.02-RELEASE IPsec Mobile DNS Issues:

              mobile-pool

              @jimp

              IKEv2 EAP-RADIUS, and there is no block with mobile-pool.

              I'm using FreeRadius to hand out framed IP addresses.

              Attached strongswan.conf & swanctl.conf:

              Archive.zip

              log.txt

              • jimp (Netgate developer)

                Looks like after https://redmine.pfsense.org/issues/8160 it skips the mobile pool config for RADIUS-defined addresses, but I'm thinking maybe one of the tests that were added can be skipped.

                Try applying this change:

                diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
                index 2736967988..4636067105 100644
                --- a/src/etc/inc/ipsec.inc
                +++ b/src/etc/inc/ipsec.inc
                @@ -1487,10 +1487,6 @@ function ipsec_setup_pools() {
                        if (!is_array($a_client) || !isset($a_client['enable'])) {
                                return;
                        }
                -       if (($mobile_ipsec_auth == "eap-radius") && empty($a_client['pool_address']) &&
                -           empty($a_client['pool_address_v6'])) {
                -               return;
                -       }
                        $scconf['mobile-pool'] = array();
                        $scconf['pools'] = array();
                        $pool_common =& $scconf['mobile-pool'];
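                Review bot: removing the eap-radius early return in ipsec_setup_pools() means the function goes on to build $scconf['mobile-pool'] even when no pool addresses are configured, so the resulting block carries DNS and attribute settings but no address range; later in this thread swanctl --load-all still reports "no pools found" for exactly that output, so the DNS values never reach clients. Rather than simply dropping the check that #8160 added, the attribute-only RADIUS case needs to produce a pool that swanctl actually loads (or push the DNS attributes by another route), and a comment above the remaining checks should say why RADIUS-assigned addresses without a local pool are handled differently.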
                

                • NogBadTheBad @jimp

                  @jimp said in 21.02-RELEASE IPsec Mobile DNS Issues:

                  diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc

                  Would that be via the patch manager or vi?

                  • jimp (Netgate developer)

                    However you want to make the change. Since it's just removing a couple of lines, it doesn't need any special technique. Apply the patch or edit the file (vi, Diag > Edit File, scp copy, whatever).

                    • NogBadTheBad @jimp

                      @jimp There are now entries in the mobile pool but lookups don't work after editing /etc/inc/ipsec.inc.

                      I've restarted the IPSec service and added another server entry.

                      mobile-pool {
                          dns = 172.16.0.1,172.16.1.1
                          # Search domain and default domain
                          28674 = "xxxxxxxxxx.net"
                          28675 = "xxxxxxxxxx.net"
                      }

                      • jimp (Netgate developer)

                        After applying that change, make sure to stop and then start (not restart) the IPsec daemon to be certain it's loading it fresh/properly.

                        Also, for good measure, from a shell prompt run swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1 and make sure it's not generating any errors when loading that.

                        • NogBadTheBad @jimp

                          @jimp said in 21.02-RELEASE IPsec Mobile DNS Issues:

                          swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1

                          No luck after a stop & start.

                          # swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1 
                          loaded certificate from '/var/etc/ipsec/x509/cert-1.crt'
                          loaded certificate from '/var/etc/ipsec/x509ca/37e450ce.0'
                          loaded RSA key from '/var/etc/ipsec/private/cert-1.key'
                          no authorities found, 0 unloaded
                          no pools found, 0 unloaded
                          loaded connection 'bypass'
                          loaded connection 'con-mobile'
                          successfully loaded 2 connections, 0 unloaded
                          

                          • jimp (Netgate developer)

                            OK, so it's not loading it still. Makes sense as it may not have any other part of the configuration referencing it. I don't have any setups like this handy to poke at further, so I opened https://redmine.pfsense.org/issues/11447 to track it further for now.

                            • NogBadTheBad @jimp

                              @jimp Ta Jim, if you need any more info feel free to ask.

                              • NogBadTheBad @NogBadTheBad

                                I've found a workaround.

                                # swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
                                loaded certificate from '/var/etc/ipsec/x509/cert-1.crt'
                                loaded certificate from '/var/etc/ipsec/x509ca/37e450ce.0'
                                loaded RSA key from '/var/etc/ipsec/private/cert-1.key'
                                no authorities found, 0 unloaded
                                loaded pool 'mobile-pool-v4'
                                successfully loaded 1 pools, 0 unloaded
                                loaded connection 'bypass'
                                loaded connection 'con-mobile'
                                successfully loaded 2 connections, 0 unloaded
                                #
                                

                                • jimp (Netgate developer)
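An added check (my own code, not pfSense's or strongSwan's) for the two states this thread shows: the mobile-pool block that carries dns but sits outside pools { } and is never loaded, and the workaround state where a pool under pools { } with addrs is loaded. It parses a swanctl.conf-style file and reports which pool sections swanctl will load and which dns-carrying blocks it will ignore; the sample config and domain values are constructed, and it assumes charon needs an addrs range before it creates a pool.

```python
# Constructed sample: the thread's broken state (a mobile-pool block with dns but
# no addrs, outside pools { }) beside the workaround (a pool under pools { } with addrs).
SAMPLE_CONF = """\
mobile-pool {
    dns = 172.16.0.1,172.16.1.1
    # Search domain and default domain (placeholder values)
    28674 = "example.net"
    28675 = "example.net"
}
pools {
    mobile-pool-v4 {
        addrs = 10.99.0.0/24
        dns = 172.16.0.1,172.16.1.1
    }
}
"""

def parse_swanctl(text):
    """Minimal swanctl.conf parser: `name { ... }` sections and `key = value`
    settings, '#' comments stripped. Returns nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced braces in swanctl.conf")
    return stack[0]

def audit_pools(conf):
    """Return (loadable, orphaned): pools swanctl will load, and sections with dns
    that it never loads (outside pools { }, or, assuming charon needs addrs, no addrs)."""
    loadable, orphaned = [], []
    for name, body in conf.get("pools", {}).items():
        if isinstance(body, dict):
            (loadable if body.get("addrs") else orphaned).append(name)
    for name, body in conf.items():
        if name != "pools" and isinstance(body, dict) and "dns" in body:
            orphaned.append(name)  # dns is set, but this is not a loaded pool
    return loadable, orphaned

FINDINGS = audit_pools(parse_swanctl(SAMPLE_CONF))  # (['mobile-pool-v4'], ['mobile-pool'])
```

Run it against /var/etc/ipsec/swanctl.conf on the firewall to confirm that every block meant to push DNS is listed as loadable before relying on swanctl --load-all output alone.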

                                  Do your clients still get their addresses from RADIUS?

                                  • NogBadTheBad @jimp

                                    @jimp yes they do :)

                                    • jimp (Netgate developer)

                                      OK, that should be good then. If a client doesn't have an address defined in RADIUS it will pull from that pool.

                                      I know we added support to let both work at once in 2.5/21.02 but it hasn't seen a lot of real-world testing so far.

                                      I'll try to find some time to set up a test rig for that here and see if I can come up with a way to allow the client settings to be defined without specifying the pool addresses.

                                      • costasga

                                        Hi @jimp! I am having the same problem after upgrading to 2.5. I used the workaround in this post, and mobile pools are loaded but still DNS servers are not pushed to the Windows 10 client. It was all working great before the upgrade. Any clues on what to try out next?

                                        • viktor_g (Netgate) @costasga

                                          @costasga try to apply Patch ID c03a2049b11304f592d0de78aa4bfb568e9a13ae; see https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

                                          • costasga @viktor_g

                                            @viktor_g Thanks for the super fast response. Unfortunately no improvement, DNS servers still not pushed. If I uncheck "Provide a virtual IP address to clients" like the above workaround, the mobile pool is not loaded despite the patch.
