[SOLVED] cross platform IKEv2 VPN - no DNS on Linux/Mac/IOS



  • Hi there,
    I am trying to set up pfSense IKEv2 IPSec VPN for different client OSes - Windows 8/10, Linux, OS X and IOS.
    After some struggle and using a little bit of imagination, I have managed to connect from all platforms. Windows works fine, but the Linux/Mac/IOS clients are a problem.

    Surprisingly, Windows 8/10 is the best as it does not care about the server identifier in IPSec phase one.
    It can be a distinguished name (DNS, that is), an IP address or even an ASN.1 name - all cases work. Also, DNS works for the client after the connection is established.

    But DNS is not working for all non-Windows clients.
    It seems I am not alone with this problem:
    https://forum.pfsense.org/index.php?topic=88767.msg492063#msg492063
    https://forum.pfsense.org/index.php?topic=106433.msg593943#msg593943

    Has anyone got DNS working with IPSec IKEv2?

    Thanks!
    shpokas

    upd.: attached a couple of pfsense configuration screenshots for reference
    upd.: scutil --dns output on OS X 10.11.3 client. Note, the IPSec server supplied DNS server (192.168.17.4) is listed, but doesn't work.

    ```
    macclient:~ shpokas$ scutil --dns
    DNS configuration
    
    resolver #1
      search domain[0] : remoteclientlan.domain
      nameserver[0] : 10.67.20.3
      nameserver[1] : 10.67.20.49
      nameserver[2] : 2001:470:dd85::1
      if_index : 12 (en5)
      flags    : Request A records, Request AAAA records
    Reachable, Directly Reachable Address
    
    resolver #2
      domain   : xxxxxxxx.members.btmm.icloud.com
      options  : pdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
    Not Reachable
      order    : 150000
    
    resolver #3
      domain   : local
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
    Not Reachable
      order    : 300000
    
    resolver #4
      domain   : 254.169.in-addr.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
    Not Reachable
      order    : 300200
    
    resolver #5
      domain   : 8.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
    Not Reachable
      order    : 300400
    
    resolver #6
      domain   : 9.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
    Not Reachable
      order    : 300600
    
    resolver #7
      domain   : a.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
    Not Reachable
      order    : 300800
    
    resolver #8
      domain   : b.e.f.ip6.arpa
      options  : mdns
      timeout  : 5
      flags    : Request A records, Request AAAA records
    Not Reachable
      order    : 301000
    
    DNS configuration (for scoped queries)
    
    resolver #1
      search domain[0] : remoteclientlan.domain
      nameserver[0] : 10.67.20.3
      nameserver[1] : 10.67.20.49
      nameserver[2] : 2001:470:dd85::1
      if_index : 12 (en5)
      flags    : Scoped, Request A records, Request AAAA records
    Reachable, Directly Reachable Address
    
    resolver #2
      search domain[0] : ipsec.domain
      nameserver[0] : 192.168.17.4
      if_index : 15 (ipsec0)
      flags    : Scoped, Request A records
    Reachable, Transient Connection, Connection Required, Automatic Connection On Demand
    
    macclient:~ shpokas$ host somehost.ipsec.domain
    Host somehost.ipsec.domain not found: 3(NXDOMAIN)
    
    macclient:~ shpokas$ host somehost.ipsec.domain 192.168.17.4
    Using domain server:
    Name: 192.168.17.4
    Address: 192.168.17.4#53
    Aliases: 
    
    somehost.ipsec.domain has address 192.168.17.4
    ```
    ![mobile-clients.PNG](/public/_imported_attachments_/1/mobile-clients.PNG)
    ![phase1.PNG](/public/_imported_attachments_/1/phase1.PNG)

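As an added example (my code, not from the thread), a small Python parser for the `scutil --dns` output above: it records which resolvers sit in the unscoped list and which only in the "for scoped queries" list, then classifies a VPN-pushed DNS server the way the Mac will actually use it. The sample is a constructed, trimmed copy of the output above; the rule that scoped-only resolvers are never consulted for ordinary lookups is the assumption behind the classification.

```python
# Constructed sample, trimmed from the scutil --dns output quoted above: the
# VPN resolver (ipsec0, 192.168.17.4) appears only under "for scoped queries".
SAMPLE = """\
DNS configuration
resolver #1
  search domain[0] : remoteclientlan.domain
  nameserver[0] : 10.67.20.3
  if_index : 12 (en5)
DNS configuration (for scoped queries)
resolver #1
  search domain[0] : ipsec.domain
  nameserver[0] : 192.168.17.4
  if_index : 15 (ipsec0)
"""

def parse_scutil_dns(text):
    """Return one dict per resolver; 'scoped' is True for the second section."""
    resolvers, cur, scoped = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("DNS configuration"):
            scoped = "scoped" in line
        elif line.startswith("resolver #"):
            cur = {"scoped": scoped, "iface": None, "domain": None,
                   "nameservers": [], "search": []}
            resolvers.append(cur)
        elif cur is not None and " : " in line:
            key, _, val = (s.strip() for s in line.partition(" : "))
            if key.startswith("nameserver"):
                cur["nameservers"].append(val)
            elif key.startswith("search domain"):
                cur["search"].append(val)
            elif key == "domain":
                cur["domain"] = val
            elif key == "if_index":            # "15 (ipsec0)" -> "ipsec0"
                cur["iface"] = val[val.find("(") + 1:].rstrip(")")
    return resolvers

def vpn_dns_scope(resolvers, server):
    """Classify how ordinary (unscoped) lookups treat a VPN-pushed server:
    global = every query, supplemental = only its domain (split DNS),
    scoped-only = never (only interface-bound queries), absent = not installed."""
    hits = [r for r in resolvers if server in r["nameservers"]]
    if not hits:
        return "absent", []
    unscoped = [r for r in hits if not r["scoped"]]
    if any(r["domain"] is None for r in unscoped):
        return "global", []
    if unscoped:
        return "supplemental", sorted(r["domain"] for r in unscoped)
    return "scoped-only", sorted({d for r in hits for d in r["search"]})
```

Run it on the full output above and 192.168.17.4 comes back as "scoped-only" for ipsec.domain, while a server that lands as "supplemental" is what a working split-DNS profile produces.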
  • Rebel Alliance Developer Netgate

    Because you passed it a domain name in your mobile settings, it assumes you only want the clients to use the specified DNS server for the name you set (split DNS). Clear the domain name from the mobile tab and it's likely to work.



  • Hmm, I believe my configuration is correct because I do use split DNS.

    ```
    shpokas@shpokas-u15-vb:~$ host www.company.com
    www.company.com has address xx.yy.ww.zz
    shpokas@shpokas-u15-vb:~$ host www.company.com 192.168.17.4
    Using domain server:
    Name: 192.168.17.4
    Address: 192.168.17.4#53
    Aliases: 
    
    www.company.com has address 192.168.17.5
    shpokas@shpokas-u15-vb:~$ 
    ```
    

    somehost.ipsec.domain resolves differently from LAN ("inside") and from internet ("outside").
    Also, why does my setup work with Windows, but not with Linux/Mac?
    I may speculate that both Linux and Mac use some fork of Strongswan whereas Windows has its own IPSec implementation.

    Anyway, is there anyone who has DNS running OK with Linux or Mac IPSec clients?


  • Rebel Alliance Developer Netgate

    Yeah I have it running on my Mac. If you have it set your way it should only query the supplied DNS server for the domain you set. If you want the clients to use that server for all DNS, try omitting any default domain or split DNS settings and see what happens. Don't dismiss the suggestion – it's just a couple clicks to confirm it.

    Windows may use it for all queries because it's not doing what you are telling it to do. In typical Windows fashion. :-)

    The Mac is, as you show, getting the server, and the Mac has decided to place it lower on the resolver list because of the way the IPsec tunnel was configured. There may be a way to work around that on the Mac though, but just try toggling the other setting to see what it does.



  • I fixed the DNS issue on OS X and IOS by using Apple Configurator to create VPN profile and manually adding DNS section in it.
    Here's how to do it: https://lists.strongswan.org/pipermail/users/2015-October/008842.html

    And don't let host command fool you, everything else works, except host command.

    For Ubuntu 15, you have to add DNS server and domain manually to configuration on each client.

    For Fedora 22/23 you have to patch the Gnome NetworkManager UI ::) even to get a proper configuration dialog (and then have to add DNS anyway)
    Same bug across all Linux distros, but nobody cares about Fedora in particular
    https://bugzilla.opensuse.org/show_bug.cgi?id=944769
    https://bugs.launchpad.net/ubuntu/+source/network-manager-strongswan/+bug/1448879

    AND THEN you still have to mess around with SELinux quite a bit before you have a working VPN. audit2allow is your friend here.



  • I had a similar problem with the IKEv2 IPSEC vpn and I am not using split DNS.

    Using these directions: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 I was able to get a working connection.

    At this point, Windows clients worked without problem, but the iOS and OSX clients could not resolve the internal vpn hosts correctly.

    Windows clients were showing the correct DNS servers and search domain configured in my mobile clients settings, but the iOS and OSX clients were showing the normal network DNS, e.g. they were not picking up the VPN dns servers and search domain settings.

    On a hunch, I disabled "Provide a list of accessible networks to clients" under Client Configuration, Network List in Mobile Clients and applied the changes.

    Now, my iOS and OSX clients route all traffic through the vpn and they pick up the DNS servers and search domains from the VPN server.

    Just throwing this out there for anyone else having this problem.



  • @shpokas:

    I fixed the DNS issue on OS X and IOS by using Apple Configurator to create VPN profile and manually adding DNS section in it.
    Here's how to do it: https://lists.strongswan.org/pipermail/users/2015-October/008842.html

    This is definitely the key for split DNS with macOS and iOS! More details can be found in Apple's Configuration Profile Reference https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW612
    Look for the DNS Dictionary Keys section; it explains the use of SupplementalMatchDomains to control split DNS. Not sure why this isn't available from the Configuration GUI, but… there you go.

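As an added example (my code, not from the thread, from pfSense or from Apple), a Python helper that does what the Apple Configurator posts above describe: load a profile exported from Configurator, add a DNS dictionary with SupplementalMatchDomains to its IKEv2 VPN payload, and write it back as a .mobileconfig plist. The skeleton profile, its server name and its IKEv2 authentication keys are constructed placeholders; the DNS keys are the point.

```python
import copy
import plistlib
import uuid

# Constructed stand-in for a profile exported from Apple Configurator; only the
# keys this example needs are present and the server name is a placeholder.
EXPORTED_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.ikev2.profile",
    "PayloadUUID": str(uuid.uuid4()),
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.ikev2.profile.vpn",
        "PayloadUUID": str(uuid.uuid4()),
        "UserDefinedName": "Office IKEv2",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": "vpn.example.com",        # placeholder
            "RemoteIdentifier": "vpn.example.com",     # placeholder
            "AuthenticationMethod": "None",            # assumed: EAP (MSCHAPv2) does auth
            "ExtendedAuthEnabled": 1,
        },
    }],
}

def add_split_dns(profile, servers, match_domains, search_domains=None):
    """Copy `profile` and put a DNS dictionary into each IKEv2 VPN payload.
    SupplementalMatchDomains makes macOS/iOS send lookups for those domains to
    `servers` (split DNS) instead of leaving the tunnel resolver scoped-only."""
    out = copy.deepcopy(profile)
    targets = [p for p in out.get("PayloadContent", [])
               if p.get("PayloadType") == "com.apple.vpn.managed" and p.get("VPNType") == "IKEv2"]
    if not targets:
        raise ValueError("profile contains no IKEv2 VPN payload")
    for payload in targets:
        payload["DNS"] = {
            "ServerAddresses": list(servers),
            "SearchDomains": list(search_domains or match_domains),
            "SupplementalMatchDomains": list(match_domains),
        }
    return out

def to_mobileconfig(profile):
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)  # what Configurator/`profiles` read

def vpn_dns_sections(mobileconfig):
    """Read the DNS dictionaries back from a serialised profile (verification)."""
    doc = plistlib.loads(mobileconfig)
    return [p.get("DNS") for p in doc["PayloadContent"] if p.get("VPNType") == "IKEv2"]
```

Install the resulting file with Apple Configurator or `profiles` and the pushed server shows up in `scutil --dns` as a supplemental resolver for ipsec.domain rather than a scoped one.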
