Project

General

Profile

Actions

Bug #12975

closed

IKEv2 Mobile IPsec clients do not receive ``INTERNAL_DNS_DOMAIN`` (value ``25``) attribute

Added by Serge Caron 3 months ago. Updated 26 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

DNS IP addresses must be supplied to the remote client when a mobile tunnel is created in order to resolve remote (private) ressource names.
Using IKEv2, macOS (Monterey Version 12.0.1) and iOS (Version 15.3.1) pfSense clients do not resolve FQDN internal hostnames unlike other VPN clients (Windows 10, Android R12, etc.).

Adding attribute 25 should be done in https://github.com/pfsense/pfsense/blob/master/src/etc/inc/ipsec.inc

if (!empty($a_client['dns_split'])) {
$ssconf['charon']['plugins']['attr'][] = "# Split DNS";
$ssconf['charon']['plugins']['attr']['28675'] = "\"{$a_client['dns_split']}\"";
++ $ssconf['charon']['plugins']['attr']['25'] = "\"{$a_client['dns_split']}\"";
}

IKEv2 clients that are stil processing “Cisco Unity extensions Attribute Type” UNITY_SPLITDNS_NAME (value 28675) are not affected. Other clients processing the more mnodern “Configuration Payload Attribute Type” INTERNAL_DNS_DOMAIN (value 25) get the information they need.

Actions #1

Updated by Jim Pingle 3 months ago

  • Target version set to 2.7.0
  • Plus Target Version set to 22.05
Actions #2

Updated by Viktor Gurov 3 months ago

  • Assignee set to Viktor Gurov
  • Affected Version set to 2.6.0
Actions #3

Updated by Jim Pingle 3 months ago

  • Status changed from New to Pull Request Review
Actions #4

Updated by Viktor Gurov 3 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle 3 months ago

  • Subject changed from IPSec IKEv2 Mobile clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute to IKEv2 Mobile IPsec clients do not receive ``INTERNAL_DNS_DOMAIN`` (value ``25``) attribute

Updating subject for release notes.

Actions #6

Updated by Jim Pingle 26 days ago

  • Status changed from Feedback to Resolved

The new attribute is present in the configuration, the rest is up to clients at this point.

Actions

Also available in: Atom PDF