Bug #4418
Closed
IPsec mobile clients - bogus "p" appended to search domain
0%
Description
At least 4 reports of this on the forum:
https://forum.pfsense.org/index.php?topic=88631.0
https://forum.pfsense.org/index.php?topic=88226.0
Logs in this post: https://forum.pfsense.org/index.php?topic=88226.msg487204#msg487204
Updated by Chris Buechler almost 10 years ago
- Status changed from New to Confirmed
It's more than just a p; it ends up with some weird character after the p as well. I've already dug into this a bit but not far enough to find the full answer. It's a bug in strongswan, it seems: it's not sending what it's configured to send; we're setting it up correctly.
Updated by Chris Buechler almost 10 years ago
- File Selection_012.png Selection_012.png added
The symbol at the end that OS X's logs show doesn't copy/paste; attached screenshot.
Updated by Ermal Luçi almost 10 years ago
- Status changed from Confirmed to Feedback
I pushed a commit since this seems relevant only during parsing time of the options.
Can anyone reproducing this test the fix done on this ticket?
Updated by Chris Buechler almost 10 years ago
- Status changed from Feedback to Confirmed
It changes the weird character OS X shows at the end in its system.log, but otherwise unchanged and still wrong. Now shows:
SPLITDNS-NAME[0] = 22vpntest.lanp^A.
Updated by Andreas Weik over 9 years ago
Hi.
Also tried Revision fc06d8ea with no effect on clients from Mountain Lion through Yosemite.
Updated by Jeffrey Dvornek over 9 years ago
Hi all,
Not sure if this helps, but some findings:
First, it appears that the strongswan config is generated using a comma-separated list of domains, but per the strongswan docs, it should be space-separated. Updating the config manually to be 28675 = wanteddomain.com fake.com at least provides a workaround at the moment, as the extra characters are only appended to the last domain in the list.
Second, perhaps this one's my fault, but it seems as though charon isn't being fully restarted upon saving and applying the configuration from the web configurator. Update/Save/Apply from vpn_ipsec_mobile.php updates the generated config file, but doesn't result in charon being restarted or the new configuration being applied.
Updated by Ermal Luçi over 9 years ago
Thank you for finding the separator issue.
I pushed fixes for separating dns names with spaces.
The characters at the end are some stack garbage from how strongswan shuffles data around.
Updated by Steve Wheeler over 9 years ago
Running today's snapshot (Thu Mar 05 23:16:42 CST 2015), upon entering split DNS domains it won't allow me to enter more than one with spaces or commas, and with only one gives this error:
Warning: Invalid argument supplied for foreach() in /etc/inc/vpn.inc on line 384
Updated by Renato Botelho over 9 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset b93bc1fd4995e731a51d461c8c4b08610ddbf7c1.
Updated by Renato Botelho over 9 years ago
Applied in changeset b47f7d65d376e3c401cbda05c4d0ad60abb87d41.
Updated by Chris Buechler over 9 years ago
- Status changed from Feedback to Confirmed
- Target version changed from 2.2.1 to 2.2.2
- % Done changed from 100 to 0
Issue still stands as originally described, we'll revisit for 2.2.2.
Updated by Chris Buechler over 9 years ago
- Target version changed from 2.2.2 to 2.2.3
Still an issue with strongswan 5.3.0. I opened a bug ticket: https://wiki.strongswan.org/issues/921
Updated by Denny Page over 9 years ago
One thing I would add is that this behavior is particular to the Unity plug-in. With the Unity plug-in disabled, the problem does not occur.
In researching various issues I faced in getting IPSEC to work with OS X and iOS, I frequently came across recommendations in the strongSwan boards to disable the Unity plug-in as it frequently causes problems, particularly with non Cisco gear. It may be preferable to have Unity disabled by default in the pfSense config.
Updated by Chris Buechler over 9 years ago
- Status changed from Confirmed to Feedback
This doesn't appear to be an issue anymore with 2.2.3, though I haven't narrowed down exactly where that changed yet. If others could help test latest 2.2.3 from snapshots.pfsense.org to see if you still have this issue, that would help.
Updated by Ermal Luçi over 9 years ago
I thought this was because the unity plugin is no longer loaded by default.
Updated by Chris Buechler over 9 years ago
- Assignee set to Chris Buechler
- Target version changed from 2.2.3 to 2.3
- Affected Version changed from 2.2 to 2.2.x
Something's changed in the OS X client since last trying this. I'll revisit for further testing.
Updated by Ivars Strazdins over 9 years ago
Just happened to have the same problem. DNS in OS X client and Apple IOS client does not work.
Running pfSense 2.2.3.
DNS server is configured in IPSec Mobile client tab.
scutil output attached.
Updated by Ivars Strazdins over 9 years ago
Just happened to have the same problem. DNS in OS X client and Apple IOS client does not work.
Running pfSense 2.2.3. Mac OS X 10.10.4 and IOS 8.4 on phone.
DNS server is configured in IPSec Mobile client tab.
scutil output attached, "p^D" is appended to IPSec domain
Updated by Travis Gomillion over 9 years ago
Running pfSense 2.2.4 and attempting to connect with iOS 8.4. This problem still apparently exists in some form or another.
1. Supplied a default domain name with the split DNS field blank (this used to work). DNS queries on the iPhone are still sent out to the internet and not to the supplied remote internal DNS server.
2. Filled in the split DNS field with [mydomain].com and the problem still existed.
3. Filled in the split DNS field with [mydomain].com immediately followed by a space, but this appears to be stripped off once the settings are saved.
4. Filled in the split DNS field with [mydomain].com[space][mydomain] (ex. "domain.com domain") and suddenly internal DNS queries started working properly. Weird.
Should I post this to the StrongSwan issue as well?
Updated by Jim Thompson about 9 years ago
- Assignee changed from Chris Buechler to Matthew Smith
reassigned. (I know Matt has this working.)
Updated by Bruce Mah almost 9 years ago
Quick testing report with pfSense 2.2.6 / i386 on Soekris net5501 (just upgraded from pfSense 2.1.5), iOS 9.2 on iPhone 6S: I tried test cases 1, 2, and 4 in comment 19 of this bug with identical results. I have DNS working as expected with #4. Thanks to Travis Gomillion for the hint!
(I did not try disabling the Unity plug-in as suggested up-thread...first priority was to get IPSec working in some way.)
Updated by Renato Botelho almost 9 years ago
- Status changed from Feedback to Assigned
Based on last user reports, it's not fixed yet
Updated by Renato Botelho almost 9 years ago
- Assignee changed from Matthew Smith to Renato Botelho
I'll handle it
Updated by Renato Botelho almost 9 years ago
- Status changed from Assigned to Feedback
I spent some time trying to reproduce it on a 2.3 snapshot and couldn't; as you can see below, all split DNS items look OK in the scutil output.
I'm using OS X El Capitan (10.11.3) and pfSense 2.3 snapshot from Feb 2.
I will leave this ticket in feedback state and wait for more feedback from other people using 2.3.
resolver #1
  search domain[0] : example.com
  search domain[1] : test.com
  search domain[2] : pfmechanics.com
  search domain[3] : home
  nameserver[0] : 192.168.11.1
  if_index : 4 (en0)
  flags : Request A records
  Reachable, Directly Reachable Address
Updated by Renato Botelho almost 9 years ago
For the record, I've tried it with the Unity plugin enabled and disabled, with the same results.
Updated by Chris Buechler almost 9 years ago
- Status changed from Feedback to Resolved
This was either fixed in newer OS X or newer strongswan; the issue no longer exists.
resolver #2
  search domain[0] : test.com
where it used to have "test.comp" there with the same config.
Updated by Chris Peden over 8 years ago
I have just set up a new pfSense install and I am seeing this bug again on version 2.3.1-RELEASE-p1. Happens regardless of unity being on or off. As someone in the comments says, if you put in a dummy domain after your legit domain it works as expected, because only the dummy domain is getting the weird appended character.
Here is an example from my internal DNS logs. As you see, it's appending to the domain name.
02-Jun-2016 15:43:52.785 client 192.168.10.1#57278 (bigfoot.peedy.homep\001): query: bigfoot.peedy.homep\001 IN A + (192.168.0.10)
This is on iOS 9.3.2.
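Added example, not part of the original comment and not pfSense or strongSwan code: a check for the symptom visible in the DNS server log above, where a client's query name ends in "p" followed by an escaped control byte. It assumes BIND-style query log lines with non-printable bytes written as a backslash and three decimal digits; the sample lines are constructed, the first mirroring the line quoted above.

```python
import re

# Constructed sample lines in BIND query-log format; the first mirrors the
# line quoted in the comment above, the other two are made up for the example.
SAMPLE_LOG = r"""
02-Jun-2016 15:43:52.785 client 192.168.10.1#57278 (bigfoot.peedy.homep\001): query: bigfoot.peedy.homep\001 IN A + (192.168.0.10)
02-Jun-2016 15:43:53.101 client 192.168.10.1#57279 (www.example.com): query: www.example.com IN A + (192.168.0.10)
02-Jun-2016 15:43:54.220 client 192.168.10.1#57280 (nas.vpntest.lanp\004): query: nas.vpntest.lanp\004 IN AAAA + (192.168.0.10)
""".strip().splitlines()

# Assumed layout: "client <ip>#<port> (<name>): query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+ .*?query: (?P<name>\S+) IN (?P<qtype>\S+)")
# A non-printable byte inside a name appears as a backslash plus three decimal digits.
ESCAPE_RE = re.compile(r"\\(\d{3})")
# Symptom in this ticket: "p" plus one control byte glued to the end of the domain.
SUFFIX_RE = re.compile(r"p\\(\d{3})$")


def is_control(value):
    return value < 32 or value == 127


def analyze(line):
    """Return a finding for a query whose name contains control bytes, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    name = m.group("name")
    ctrl = [int(d) for d in ESCAPE_RE.findall(name) if is_control(int(d))]
    if not ctrl:
        return None
    suffix = SUFFIX_RE.search(name)
    hit = bool(suffix) and is_control(int(suffix.group(1)))
    return {
        "client": m.group("client"),
        "name": name,
        "control_bytes": ctrl,
        "matches_ticket_symptom": hit,
        # Name with the bogus suffix removed, to identify the affected search domain.
        "likely_intended": name[:suffix.start()] if hit else None,
    }


def scan(lines):
    return [finding for finding in map(analyze, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Grouping the findings by `likely_intended` shows which pushed search domain is affected, and by `client` which VPN clients received it.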
Updated by Mario Jauvin about 8 years ago
OK, I am using pfSense 2.3.2 (latest) and I get the silly p appended to the default domain. Can someone look into this and leave this issue as open as opposed to resolved?
The impact is huge because it is not possible to get an IPsec VPN with DNS to work.
The strongswan related bug is https://wiki.strongswan.org/issues/921 which also shows as closed.
As a workaround I had to remove the default DNS domain and entered it twice separated by a space in the split DNS field.
See the following post for how I discovered this: https://forum.pfsense.org/index.php?topic=118571.0
Updated by Pablo Santos about 8 years ago
I am also having the same problem in version 2.3.2-RELEASE-p1. I saw in the forum that for some people adding a false address worked; unfortunately not for me.
I also checked that the route table is not being propagated, using the Windows route command. Even with the option to provide a list of accessible networks to clients,
the route command does not list the networks; however, it sends traffic, because the VPN is the default gateway.
If you uncheck the option in Windows to use the default gateway on the VPN, it does not work, because the route table does not exist.
Updated by Aaron Holtzman almost 8 years ago
Updated by R. St about 3 years ago
This problem still exists, as I ran into it in the last week.
v2.5.2-RELEASE
No difference if the unity plugin is enabled or disabled. Had to add a dummy second domain as suggested in the last post.