IPsecVPN iPhone no DNS?
  • Hello everyone,

    I've set up an IPsec VPN connection via iPhone. I can browse our LAN but can't establish any connections outside of our LAN, like www.google.com. I've set up the VPN like in this thread: http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

    Maybe a firewall rule missing?

    IPsec Log:

    Apr 11 13:21:27 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 13:21:19 racoon: INFO: Released port 0
    Apr 11 13:21:19 racoon: [Self]: INFO: ISAKMP-SA deleted 87.139.282.198[4500]-85.159.250.65[7810] spi:ec9da39e19489101:b0f0a48ba2cdd55b
    Apr 11 13:21:19 racoon: INFO: purged ISAKMP-SA spi=ec9da39e19489101:b0f0a48ba2cdd55b:0000940e.
    Apr 11 13:21:19 racoon: INFO: purged IPsec-SA spi=157112552.
    Apr 11 13:21:19 racoon: INFO: purging ISAKMP-SA spi=ec9da39e19489101:b0f0a48ba2cdd55b:0000940e.
    Apr 11 13:21:19 racoon: INFO: purged IPsec-SA proto_id=ESP spi=162785590.
    Apr 11 13:21:19 racoon: INFO: deleting a generated policy.
    Apr 11 13:20:11 racoon: [Self]: INFO: IPsec-SA established: ESP 87.139.282.198[500]->85.159.250.65[500] spi=162785590(0x9b3e936)
    Apr 11 13:20:11 racoon: [Self]: INFO: IPsec-SA established: ESP 87.139.282.198[500]->85.159.250.65[500] spi=157112552(0x95d58e8)
    Apr 11 13:20:11 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Apr 11 13:20:11 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Apr 11 13:20:11 racoon: INFO: no policy found, try to generate the policy : 192.168.1.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr 11 13:20:11 racoon: [Self]: INFO: respond new phase 2 negotiation: 87.139.282.198[4500]<=>85.159.250.65[7810]
    Apr 11 13:20:10 racoon: WARNING: Ignored attribute 28683
    Apr 11 13:20:10 racoon: ERROR: Cannot open "/etc/motd"
    Apr 11 13:20:10 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Apr 11 13:20:09 racoon: INFO: login succeeded for user "petre"
    Apr 11 13:20:09 racoon: INFO: Using port 0
    Apr 11 13:20:02 racoon: [Self]: INFO: ISAKMP-SA established 87.139.282.198[4500]-85.159.250.65[7810] spi:ec9da39e19489101:b0f0a48ba2cdd55b
    Apr 11 13:20:02 racoon: INFO: Sending Xauth request
    Apr 11 13:20:02 racoon: INFO: NAT detected: PEER
    Apr 11 13:20:02 racoon: [85.159.250.65] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Apr 11 13:20:02 racoon: INFO: NAT-D payload #1 doesn't match
    Apr 11 13:20:02 racoon: [85.159.250.65] INFO: Hashing 85.159.250.65[7810] with algo #2
    Apr 11 13:20:02 racoon: INFO: NAT-D payload #0 verified
    Apr 11 13:20:02 racoon: [Self]: [87.139.282.198] INFO: Hashing 87.139.282.198[4500] with algo #2
    Apr 11 13:20:02 racoon: [Self]: INFO: NAT-T: ports changed to: 85.159.250.65[7810]<->87.139.282.198[4500]
    Apr 11 13:20:02 racoon: INFO: Adding xauth VID payload.
    Apr 11 13:20:02 racoon: [Self]: [87.139.282.198] INFO: Hashing 87.139.282.198[500] with algo #2
    Apr 11 13:20:02 racoon: [85.159.250.65] INFO: Hashing 85.159.250.65[8863] with algo #2
    Apr 11 13:20:02 racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 11 13:20:02 racoon: [85.159.250.65] INFO: Selected NAT-T version: RFC 3947
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: DPD
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Apr 11 13:20:02 racoon: INFO: received Vendor ID: RFC 3947
    Apr 11 13:20:02 racoon: INFO: begin Aggressive mode.
    Apr 11 13:20:02 racoon: [Self]: INFO: respond new phase 1 negotiation: 87.139.282.198[500]<=>85.159.250.65[8863]

    Hope someone can give me a hint.

    Cheers,
    David
  • Change your IPSEC rule to any, not only TCP. DNS runs via UDP.
    Have you enabled "Provide a list of accessible networks to clients" and given a DNS server in your "Mobile clients" section?



  • @szop please be aware that by enabling "Provide a list of accessible networks to clients" you do lose your default route through your tunnel, and all of your traffic apart from the traffic eventually defined in the phase 2 local subnet will NOT be sent through your tunnel.
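The two replies above describe two independent things that decide what happens to a connected mobile client's packet: whether the client routes it into the tunnel at all (the "accessible networks" list makes the VPN a split tunnel, so only the phase 2 local subnets go through it), and, once it arrives on the IPsec interface, whether a firewall rule that only matches TCP lets a UDP/53 DNS query through. The model below is an added example written for this thread, not pfSense code or anything posted by the participants; the rules, subnets and addresses are constructed, and the first-match-wins evaluation with an implicit default deny is how pfSense interface rules behave.

```python
"""Model of how a pfSense IPsec mobile-client flow is handled.

Added example, not part of the thread. It combines the two points made in
the replies: the firewall rule on the IPsec interface must allow UDP for
DNS to work, and enabling "Provide a list of accessible networks to
clients" turns the VPN into a split tunnel so only the listed phase 2
local subnets are routed through it. All addresses and rules below are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule on the IPsec interface (evaluated top-down, first match wins)."""
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None means any destination port
    action: str              # "pass" or "block"


@dataclass(frozen=True)
class Flow:
    """A single connection attempt originating from a connected VPN client."""
    proto: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when both its protocol and its port selector cover the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return True


def firewall_verdict(rules: List[Rule], flow: Flow) -> str:
    """First matching rule decides; traffic that matches nothing hits the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "block"


def routed_through_tunnel(flow: Flow, split_tunnel: bool,
                          local_subnets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Full tunnel: everything enters the VPN. Split tunnel: only listed subnets do."""
    if not split_tunnel:
        return True
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(dst in net for net in local_subnets)


def client_outcome(flow: Flow, rules: List[Rule], split_tunnel: bool,
                   local_subnets: Iterable[ipaddress.IPv4Network]) -> str:
    """Returns "bypasses tunnel", "pass" or "block" for one client flow."""
    if not routed_through_tunnel(flow, split_tunnel, local_subnets):
        return "bypasses tunnel"
    return firewall_verdict(rules, flow)


# Constructed sample data: a LAN, its DNS server, and a public web server.
LAN = [ipaddress.ip_network("192.168.1.0/24")]
DNS_QUERY = Flow("udp", "192.168.1.1", 53)        # resolver inside the LAN
WEB_LAN = Flow("tcp", "192.168.1.50", 443)        # internal web server
WEB_INTERNET = Flow("tcp", "203.0.113.10", 443)   # public site (TEST-NET-3)

TCP_ONLY = [Rule("tcp", None, "pass")]   # the rule the original poster likely had
ANY_PROTO = [Rule("any", None, "pass")]  # the corrected rule from the first reply


def demo() -> dict:
    """Evaluate every flow against both rule sets in full- and split-tunnel mode."""
    results = {}
    for label, rules in (("tcp-only", TCP_ONLY), ("any", ANY_PROTO)):
        for split in (False, True):
            for name, flow in (("dns", DNS_QUERY), ("web-lan", WEB_LAN),
                               ("web-inet", WEB_INTERNET)):
                results[(label, split, name)] = client_outcome(flow, rules, split, LAN)
    return results


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, "->", verdict)
```

Running it shows the symptom from the first post: with the TCP-only rule in full-tunnel mode the DNS query is blocked while TCP to LAN hosts passes, so names never resolve even though the tunnel is up; switching the rule to any fixes that. Enabling the accessible-networks list then changes the picture again, as the last reply warns: the public web flow no longer enters the tunnel at all, so the IPsec rules never see it.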