IPSec



  • Using Cisco IPSec for VPN under OS X or iOS, DNS server settings are no longer being handled properly by the client.  This was working properly in 2.1, but in 2.2 something broke.  Oddly, I can see the server settings in the VPN on OS X, but it seems not to send lookups for the domain to the configured DNS server.

    The other odd thing is that with scutil –dns, the search domains are "my.domain.comp", not "my.domain.com".  That's definitely weird.



  • Check the RELEASE notes on the phase2 setting for mobile clients.
    Probably your dns servers are not in the phase2 definition.



  • check /var/etc/ipsec/strongswan.conf for what it's setting. Should be something like:

    # Search domain and default domain
    			28674 = example.com
    			28675 = example.com
    

    The problem with DNS server reachability is probably with Ermal noted, the P2 local network in strongswan is strictly enforced where racoon may not have.



  • Thanks all.  I do have DNS set in phase 2.  It simply does not work.

    See https://forum.pfsense.org/index.php?topic=88226.0 for an identical example with more thorough logs.

    I suspect a possible migration or upgrade issue, but I would need to find the time to do a clean install.


Log in to reply