Bug #12975

closed

IKEv2 Mobile IPsec clients do not receive ``INTERNAL_DNS_DOMAIN`` (value ``25``) attribute

Added by Serge Caron about 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

DNS IP addresses must be supplied to the remote client when a mobile tunnel is created in order to resolve remote (private) resource names.
Using IKEv2, macOS (Monterey Version 12.0.1) and iOS (Version 15.3.1) pfSense clients do not resolve FQDN internal hostnames unlike other VPN clients (Windows 10, Android R12, etc.).

Adding attribute 25 should be done in https://github.com/pfsense/pfsense/blob/master/src/etc/inc/ipsec.inc

if (!empty($a_client['dns_split'])) {
$ssconf['charon']['plugins']['attr'][] = "# Split DNS";
$ssconf['charon']['plugins']['attr']['28675'] = "\"{$a_client['dns_split']}\"";
++ $ssconf['charon']['plugins']['attr']['25'] = "\"{$a_client['dns_split']}\"";
}
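
Review bot: the added line writes the same quoted `dns_split` string to attribute 25 that is already written to 28675, so check how that string is formatted when it holds more than one domain. UNITY_SPLITDNS_NAME (28675) and INTERNAL_DNS_DOMAIN (25) are different attribute types, and RFC 8598 defines INTERNAL_DNS_DOMAIN as carrying a single domain per attribute, so a multi-domain value may need to be split into separate values for 25 rather than copied verbatim. A comment entry for the new attribute, next to the existing "# Split DNS" one, would also record why both attributes are emitted.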

IKEv2 clients that are still processing “Cisco Unity extensions Attribute Type” UNITY_SPLITDNS_NAME (value 28675) are not affected. Other clients processing the more modern “Configuration Payload Attribute Type” INTERNAL_DNS_DOMAIN (value 25) get the information they need.
