[SOLVED] cross platform IKEv2 VPN - no DNS on Linux/Mac/IOS
-
Hi there,
I am trying to setup pfSense IKEv2 IPSec VPN for different client OSes - Windows 8/10, Linux, OS X and IOS.
After some struggle and using a little bit of imagination, I have managed to connect from all platforms. Windows works fine, but the Linux/Mac/IOS clients are a problem. Surprisingly, Windows 8/10 is the best as it does not care about the server identifier in IPSec phase one.
It can be a distinguished name (DNS, that is), an IP address or even an ASN.1 name - all cases work. Also, DNS works for the client after the connection is established. But DNS is not working for all non-Windows clients.
It seems I am not alone with this problem:
https://forum.pfsense.org/index.php?topic=88767.msg492063#msg492063
https://forum.pfsense.org/index.php?topic=106433.msg593943#msg593943
Has anyone got DNS working with IPSec IKEv2?
Thanks!
shpokas
upd.: attached a couple of pfSense configuration screenshots for reference
upd.: scutil --dns output on OS X 10.11.3 client. Note, the IPSec server supplied DNS server (192.168.17.4) is listed, but doesn't work.
```
macclient:~ shpokas$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : remoteclientlan.domain
  nameserver[0] : 10.67.20.3
  nameserver[1] : 10.67.20.49
  nameserver[2] : 2001:470:dd85::1
  if_index : 12 (en5)
  flags : Request A records, Request AAAA records
  Reachable, Directly Reachable Address

resolver #2
  domain : xxxxxxxx.members.btmm.icloud.com
  options : pdns
  timeout : 5
  flags : Request A records, Request AAAA records
  Not Reachable
  order : 150000

resolver #3
  domain : local
  options : mdns
  timeout : 5
  flags : Request A records, Request AAAA records
  Not Reachable
  order : 300000

resolver #4
  domain : 254.169.in-addr.arpa
  options : mdns
  timeout : 5
  flags : Request A records, Request AAAA records
  Not Reachable
  order : 300200

resolver #5
  domain : 8.e.f.ip6.arpa
  options : mdns
  timeout : 5
  flags : Request A records, Request AAAA records
  Not Reachable
  order : 300400

resolver #6
  domain : 9.e.f.ip6.arpa
  options : mdns
  timeout : 5
  flags : Request A records, Request AAAA records
  Not Reachable
  order : 300600

resolver #7
  domain : a.e.f.ip6.arpa
  options : mdns
  timeout : 5
  flags : Request A records, Request AAAA records
  Not Reachable
  order : 300800

resolver #8
  domain : b.e.f.ip6.arpa
  options : mdns
  timeout : 5
  flags : Request A records, Request AAAA records
  Not Reachable
  order : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : remoteclientlan.domain
  nameserver[0] : 10.67.20.3
  nameserver[1] : 10.67.20.49
  nameserver[2] : 2001:470:dd85::1
  if_index : 12 (en5)
  flags : Scoped, Request A records, Request AAAA records
  Reachable, Directly Reachable Address

resolver #2
  search domain[0] : ipsec.domain
  nameserver[0] : 192.168.17.4
  if_index : 15 (ipsec0)
  flags : Scoped, Request A records
  Reachable, Transient Connection, Connection Required, Automatic Connection On Demand

macclient:~ shpokas$ host somehost.ipsec.domain
Host somehost.ipsec.domain not found: 3(NXDOMAIN)
macclient:~ shpokas$ host somehost.ipsec.domain 192.168.17.4
Using domain server:
Name: 192.168.17.4
Address: 192.168.17.4#53
Aliases:

somehost.ipsec.domain has address 192.168.17.4
```
-
Because you passed it a domain name in your mobile settings, it assumes you only want the clients to use the specified DNS server for the name you set (split DNS). Clear the domain name from the mobile tab and it's likely to work.
-
Hmm, I believe my configuration is correct because I do use split DNS.
```
shpokas@shpokas-u15-vb:~$ host www.company.com
www.company.com has address xx.yy.ww.zz
shpokas@shpokas-u15-vb:~$ host www.company.com 192.168.17.4
Using domain server:
Name: 192.168.17.4
Address: 192.168.17.4#53
Aliases:

www.company.com has address 192.168.17.5
shpokas@shpokas-u15-vb:~$
```
somehost.ipsec.domain resolves differently from LAN ("inside") and from internet ("outside").
Also, why does my setup work with Windows, but not with Linux/Mac?
I may speculate that both Linux and Mac use some fork of Strongswan whereas Windows has its own IPSec implementation. Anyway, is there anyone who has DNS running OK with Linux or Mac IPSec clients?
-
Yeah I have it running on my Mac. If you have it set your way it should only query the supplied DNS server for the domain you set. If you want the clients to use that server for all DNS, try omitting any default domain or split DNS settings and see what happens. Don't dismiss the suggestion – it's just a couple clicks to confirm it.
Windows may use it for all queries because it's not doing what you are telling it to do. In typical Windows fashion. :-)
The Mac is, as you show, getting the server, and the Mac has decided to place it lower on the resolver list because of the way the IPsec tunnel was configured. There may be a way to work around that on the Mac though, but just try toggling the other setting to see what it does.
-
I fixed the DNS issue on OS X and IOS by using Apple Configurator to create VPN profile and manually adding DNS section in it.
Here's how to do it: https://lists.strongswan.org/pipermail/users/2015-October/008842.html
And don't let the host command fool you, everything else works, except the host command.
For Ubuntu 15, you have to add DNS server and domain manually to configuration on each client.
For Fedora 22/23 you have to patch Gnome NetworkManager UI ::) even to get proper configuration dialog (and then have to add DNS anyway)
Same bug across all Linux distros, but nobody cares about Fedora in particular
https://bugzilla.opensuse.org/show_bug.cgi?id=944769
https://bugs.launchpad.net/ubuntu/+source/network-manager-strongswan/+bug/1448879
AND THEN you still have to mess around with SELinux quite a bit before you have a working VPN. allow2audit is your friend here.
-
I had a similar problem with the IKEv2 IPSEC vpn and I am not using split DNS.
Using these directions: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 I was able to get a working connection.
At this point, Windows clients worked without problem, but the iOS and OSX clients could not resolve the internal vpn hosts correctly.
Windows clients were showing the correct DNS servers and search domain configured in my mobile clients settings, but the iOS and OSX clients were showing the normal network DNS, e.g. they were not picking up the VPN dns servers and search domain settings.
On a hunch, I disabled "Provide a list of accessible networks to clients" under Client Configuration, Network List in Mobile Clients and applied the changes.
Now, my iOS and OSX clients route all traffic through the vpn and they pick up the DNS servers and search domains from the VPN server.
Just throwing this out there for anyone else having this problem.
-
I fixed the DNS issue on OS X and IOS by using Apple Configurator to create VPN profile and manually adding DNS section in it.
Here's how to do it: https://lists.strongswan.org/pipermail/users/2015-October/008842.html
This is definitely the key for split DNS with macOS and iOS! More details can be found in Apple's Configuration Profile Reference https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW612
Look for the DNS Dictionary Keys section and it explains the use of SupplementalMatchDomains to control split DNS. Not sure why this isn't available from the Configuration GUI, but… there you go.
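As an added illustration of the fix the last two posts describe (this is not a profile from the thread, from pfSense or from the strongSwan mailing-list post), here is what the hand-added DNS dictionary looks like inside the VPN payload of an Apple Configurator profile. The server address 192.168.17.4 and the domain ipsec.domain are the ones used earlier in this thread; the surrounding payload keys are assumed to be whatever Apple Configurator generated and are only sketched in the comment:

```xml
<!-- Constructed example of the DNS dictionary that the Apple Configurator GUI
     does not expose. It is placed inside the VPN payload dictionary
     (PayloadType com.apple.vpn.managed), next to the IKEv2 dictionary.
     Values are taken from this thread; the rest of the payload is assumed. -->
<dict>
    <!-- ... the VPN payload's other keys (PayloadType, PayloadUUID, VPNType,
         the IKEv2 dictionary, ...) stay exactly as Apple Configurator
         generated them ... -->
    <key>DNS</key>
    <dict>
        <!-- Resolver the tunnel should answer from: the server pfSense pushed
             in the mobile-clients settings. -->
        <key>ServerAddresses</key>
        <array>
            <string>192.168.17.4</string>
        </array>
        <!-- Search suffix so that a bare "somehost" expands to
             somehost.ipsec.domain. -->
        <key>SearchDomains</key>
        <array>
            <string>ipsec.domain</string>
        </array>
        <!-- Split DNS: only names under these domains are sent to
             ServerAddresses; every other lookup keeps using the LAN resolvers
             (the 10.67.20.x servers shown in the scutil output above). -->
        <key>SupplementalMatchDomains</key>
        <array>
            <string>ipsec.domain</string>
        </array>
    </dict>
</dict>
```

After installing the profile, `scutil --dns` should list 192.168.17.4 as an unscoped supplemental resolver for ipsec.domain rather than only under "DNS configuration (for scoped queries)", which is what the first post's output shows and why system lookups for that domain were still going to the LAN servers. Keep in mind that `host` and `dig` talk to a server directly and never consult this resolver table, so use `dscacheutil -q host -a name somehost.ipsec.domain` (or just ping the name) when checking whether split DNS works.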