Name resolution for IPSec mobile clients using split horizon configuration
-
macOS (Monterey Version 12.0.1) and iOS (Version 15.3.1) do not resolve FQDN internal hostnames unlike other VPN clients (Windows 10, Android R12, etc.).
“Split horizon” (or “Split-tunnel”, as defined in RFC 8598: Split DNS Configuration for the Internet Key Exchange Protocol Version 2 (IKEv2) (rfc-editor.org)) configurations imply that “Split-DNS” (RFC 2775: Internet Transparency (rfc-editor.org)) IP addresses must be supplied to the remote client when a mobile tunnel is created.
In IKEv2, this is done through “Configuration Payload Attribute Type” INTERNAL_DNS_DOMAIN (value 25, see Internet Key Exchange Version 2 (IKEv2) Parameters (iana.org), https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-21 ).
In IKEv1, this is done through “Cisco Unity extensions Attribute Type” UNITY_SPLITDNS_NAME since strongSwan version 5.0.1 (value 28675, see attr plugin - strongSwan).
The strongSwan configuration file (/var/etc/ipsec/strongswan.conf) does not define the “modern” payload attributes. A typical configuration for an IKEv2 only mobile tunnel contains only the older Cisco Unity extensions:
plugins {
    # Load defaults
    include /var/etc/ipsec/strongswan.d/charon/*.conf
    unity {
        load = no
    }
    curve25519 {
        load = yes
    }
    xauth-generic {
        script = /etc/inc/ipsec.auth-user.php
        authcfg = Local Database
    }
    attr {
        dns = 192.168.123.123,192.168.123.241
        subnet = 192.168.123.0/24,192.168.66.0/24
        split-include = 192.168.123.0/24,192.168.66.0/24
        # Search domain and default domain
        27674 = "example.com"
        # Split DNS
        28675 = "example.com"
    }
}
It is unclear what parameter UNITY_DEF_DOMAIN (value 27674) should be set to in an IKEv2 only mobile tunnel: there is no direct equivalent, according to IANA definitions.
Can the “modern” payload attributes be added to satisfy newer operating system releases (macOS, iOS, Android R12, etc.)? As in:
[ … ]
        # Search domain and default domain
        27674 = "example.com"
        # Split DNS
        28675 = "example.com"
        25 = "example.com"
[ … ]
This is merely a cosmetic change that would not impact "compatible" clients and would make life so much easier for “Out-Of-Box” experiences.
Regards,
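To make the difference between the two attribute families concrete, here is an added example (not the poster's configuration and not strongSwan code) that encodes a CP(CFG_REPLY) body the way RFC 7296 §3.15 lays out Configuration Attributes, then parses it back as a strict RFC 7296/8598 client would. It assumes the generic IKEv2 payload header is handled elsewhere and that the Unity attributes carry the domain as a plain ASCII string.

```python
import struct
import ipaddress
# IKEv2 Configuration Payload constants (RFC 7296 section 3.15, RFC 8598)
CFG_REPLY = 2
INTERNAL_IP4_DNS = 3          # RFC 7296
INTERNAL_IP4_SUBNET = 13      # RFC 7296
INTERNAL_DNS_DOMAIN = 25      # RFC 8598 split-DNS domain
UNITY_DEF_DOMAIN = 27674      # Cisco Unity, falls in the private-use range
UNITY_SPLITDNS_NAME = 28675   # Cisco Unity, falls in the private-use range
PRIVATE_USE = range(16384, 32768)  # RFC 7296: attribute types reserved for private use

def attr(atype, value):
    """One Configuration Attribute: R(1 bit) | Type(15 bits), Length(16 bits), Value."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value

def build_cfg_reply(dns, subnets, domain, unity=True, modern=False):
    """Build a CP(CFG_REPLY) body resembling what the attr plugin config above emits."""
    body = b""
    for d in dns:
        body += attr(INTERNAL_IP4_DNS, ipaddress.IPv4Address(d).packed)
    for s in subnets:
        n = ipaddress.IPv4Network(s)
        body += attr(INTERNAL_IP4_SUBNET, n.network_address.packed + n.netmask.packed)
    name = domain.encode("ascii")
    if unity:   # legacy Unity attributes (27674 / 28675), as sent today
        body += attr(UNITY_DEF_DOMAIN, name)
        body += attr(UNITY_SPLITDNS_NAME, name)
    if modern:  # INTERNAL_DNS_DOMAIN (25), the attribute RFC 8598 clients look for
        body += attr(INTERNAL_DNS_DOMAIN, name)
    return struct.pack("!B3x", CFG_REPLY) + body  # CFG Type + 3 reserved bytes + attributes

def parse_cfg(payload):
    """Return (cfg_type, [(type, value, is_standard)]) as a strict RFC parser sees them."""
    cfg_type = payload[0]
    out, pos = [], 4
    while pos + 4 <= len(payload):
        atype, alen = struct.unpack("!HH", payload[pos:pos + 4])
        atype &= 0x7FFF                      # drop the reserved R bit
        value = payload[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        out.append((atype, value, atype not in PRIVATE_USE))
        pos += 4 + alen
    return cfg_type, out

def split_dns_domains(payload):
    """Domains an RFC 8598 client accepts: only INTERNAL_DNS_DOMAIN, never 27674/28675."""
    _, attrs = parse_cfg(payload)
    return [v.decode("ascii") for t, v, _ in attrs if t == INTERNAL_DNS_DOMAIN]
```

With `unity=True, modern=False` the parser classifies 27674 and 28675 as private-use and `split_dns_domains` returns nothing, which is the behaviour observed on macOS and iOS; adding `modern=True` yields `["example.com"]`.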
-
@sergecaron This issue is reported as #7773 “IPSec using IKEv2 with split DNS not using provided domain names” and has been open since August 2017.
This is what an iOS client currently receives in pfSense 2.6.0:
08[IKE] <con-mobile|60> IKE_SA con-mobile[60] state change: CONNECTING => ESTABLISHED
08[IKE] <con-mobile|60> scheduling rekeying in 25549s
08[IKE] <con-mobile|60> maximum IKE_SA lifetime 28429s
08[IKE] <con-mobile|60> peer requested virtual IP %any
08[CFG] <con-mobile|60> reassigning offline lease to 'RemoteUser'
08[IKE] <con-mobile|60> assigning virtual IP 192.168.233.241 to peer 'RemoteUser'
08[IKE] <con-mobile|60> peer requested virtual IP %any6
08[IKE] <con-mobile|60> no virtual IP found for %any6 requested by 'RemoteUser'
08[IKE] <con-mobile|60> building INTERNAL_IP4_DNS attribute
08[IKE] <con-mobile|60> building INTERNAL_IP4_DNS attribute
08[IKE] <con-mobile|60> building INTERNAL_IP4_SUBNET attribute
08[IKE] <con-mobile|60> building INTERNAL_IP4_SUBNET attribute
08[IKE] <con-mobile|60> building (27674) attribute
08[IKE] <con-mobile|60> building UNITY_SPLITDNS_NAME attribute
08[CFG] <con-mobile|60> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
08[IKE] <con-mobile|60> CHILD_SA con-mobile{6} established with SPIs cf1aed7d_i 053643d4_o and TS 192.168.18.0/24|/0 192.168.166.0/24|/0 === 192.168.233.241/32|/0
08[ENC] <con-mobile|60> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS SUBNET SUBNET (27674) U_SPLITDNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
The 27674 and UNITY_SPLITDNS_NAME attributes are not defined in IKEv2.
This client will never process internal DNS servers.
Is it time to fix this?
Regards,