
Bug #4418

IPsec mobile clients - bogus "p" appended to search domain

Added by Kill Bill over 4 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Target version:
Start date: 02/12/2015
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.2.x
Affected Architecture: All

Selection_012.png (8.54 KB) - Chris Buechler, 02/13/2015 12:34 AM
Screenshot 2015-07-20 00.19.55.png (96.9 KB) - Ivars Strazdins, 07/19/2015 04:19 PM
Screenshot 2015-07-20 00.19.55.png (96.9 KB) - Ivars Strazdins, 07/19/2015 04:21 PM

Associated revisions

Revision d17ad7f5 (diff)
Added by Ermal Luçi over 4 years ago

Surround some mobile client attributes with " ( quote ) to help the strongswan parser identify the values properly. Ticket #4418

Revision fc06d8ea (diff)
Added by Ermal Luçi over 4 years ago

Surround some mobile client attributes with " ( quote ) to help the strongswan parser identify the values properly. Ticket #4418

Revision 82e6fde2 (diff)
Added by Ermal Luçi over 4 years ago

Ticket #4418 Make the DNS names attr 28675 space separated as identified by Jeffrey Dvornek

Revision e1c4a5ff (diff)
Added by Ermal Luçi over 4 years ago

Ticket #4418 Make the DNS names attr 28675 space separated as identified by Jeffrey Dvornek

Revision 1f3d4db0 (diff)
Added by Ermal Luçi over 4 years ago

Ticket #4418 make sure the dns_split is separated with spaces rather than space or comma to comply with strongswan requirements.

Revision ca5f5db1 (diff)
Added by Ermal Luçi over 4 years ago

Ticket #4418 make sure the dns_split is separated with spaces rather than space or comma to comply with strongswan requirements.

Revision 4c9b272d (diff)
Added by Ermal Luçi over 4 years ago

Ticket #4418 Actually make each entry a clear token to strongswan parser for dns_split

Revision 883096d8 (diff)
Added by Ermal Luçi over 4 years ago

Ticket #4418 Actually make each entry a clear token to strongswan parser for dns_split

Revision 27781065 (diff)
Added by Renato Botelho over 4 years ago

Remove multiple spaces from dns_split as a seatbelt, also fix the message since field is expected to be space separated and not comma. Ticket #4418

Revision 877740ee (diff)
Added by Renato Botelho over 4 years ago

dns_split was a comma separated list and moved to use space as separator, provide upgrade code to make sure old configs are converted. Since there was a config upgrade version 11.7 only on master, I pushed it to 11.8 and used dns_split one as 11.7 to be able to backport it to RELENG_2_2. Ticket #4418

Revision b93bc1fd (diff)
Added by Renato Botelho over 4 years ago

Stop trying to fix dns_split during strongswan config generation, we have an upgrade code in place for that, it should fix #4418

Revision 99572c53 (diff)
Added by Renato Botelho over 4 years ago

Remove multiple spaces from dns_split as a seatbelt, also fix the message since field is expected to be space separated and not comma. Ticket #4418

Revision edf370e7 (diff)
Added by Renato Botelho over 4 years ago

dns_split was a comma separated list and moved to use space as separator, provide upgrade code to make sure old configs are converted. Since there was a config upgrade version 11.7 only on master, I pushed it to 11.8 and used dns_split one as 11.7 to be able to backport it to RELENG_2_2. Ticket #4418

Revision b47f7d65 (diff)
Added by Renato Botelho over 4 years ago

Stop trying to fix dns_split during strongswan config generation, we have an upgrade code in place for that, it should fix #4418

History

#1 Updated by Chris Buechler over 4 years ago

  • Status changed from New to Confirmed

It's more than just a p; it ends up with some weird character after the p as well. I've already dug into this a bit, but not far enough to find the full answer. It seems to be a bug in strongswan: it's not sending what it's configured to send, and we're setting it up correctly.

#2 Updated by Chris Buechler over 4 years ago

The symbol at the end that OS X's logs show doesn't copy/paste; screenshot attached.

#3 Updated by Ermal Luçi over 4 years ago

  • Status changed from Confirmed to Feedback

I pushed a commit since this seems relevant only during parsing time of the options.

Can anyone reproducing this test the fix done on this ticket?

#4 Updated by Chris Buechler over 4 years ago

  • Status changed from Feedback to Confirmed

It changes the weird character OS X shows at the end in its system.log, but otherwise unchanged and still wrong. Now shows:

SPLITDNS-NAME[0] = 22vpntest.lanp^A.

#5 Updated by Andreas Weik over 4 years ago

Hi.
Also tried Revision fc06d8ea with no effect on clients from Mountain Lion through Yosemite.

#6 Updated by Jeffrey Dvornek over 4 years ago

Hi all,

Not sure if this helps, but some findings:

First, it appears that the strongswan config is generated using a comma-separated list of domains, but per the strongswan docs, it should be space-separated. Updating the config manually to be 28675 = wanteddomain.com fake.com at least provides a workaround at the moment, as the extra characters are only appended to the last domain in the list.

Second, perhaps this one's my fault, but it seems as though charon isn't being fully restarted upon saving and applying the configuration from the web configurator. Update/Save/Apply from vpn_ipsec_mobile.php updates the generated config file, but doesn't result in charon being restarted or the new configuration being applied.

#7 Updated by Ermal Luçi over 4 years ago

Thank you for finding the separator issue.

I pushed fixes for separating dns names with spaces.
The characters at the end are some stack garbage from how strongswan shuffles data around.
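As an added illustration (not pfSense's own vpn.inc code) of the separator handling discussed in comment #6 and in the commits above: the old comma-separated dns_split value is normalized to single spaces, emitted as the quoted strongswan attribute 28675, and a client's scutil search domains are compared against the configured list to flag a mangled entry such as "test.comp". Function names and the scutil sample are constructed for this example.

```python
import re

# Unity attribute number carrying the split DNS domain list (28675, per the ticket's commits).
SPLIT_DNS_ATTR = 28675
# Hostname label check in the RFC 1123 style: letters, digits and inner hyphens only.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_dns_split(value):
    """Parse dns_split in the legacy comma-separated form, the space-separated
    form, or a mix of both, and return a clean, de-duplicated domain list."""
    domains = []
    for token in re.split(r"[\s,]+", value or ""):
        domain = token.strip().rstrip(".").lower()
        if not domain:
            continue
        # Reject anything that is not a plain domain, e.g. a stray control byte.
        if not all(LABEL_RE.match(label) for label in domain.split(".")):
            raise ValueError("invalid split DNS domain: %r" % token)
        if domain not in domains:
            domains.append(domain)
    return domains


def upgrade_dns_split(value):
    """Config upgrade step: rewrite an old comma-separated value as
    space-separated with single spaces, the form strongswan expects."""
    return " ".join(normalize_dns_split(value))


def strongswan_split_dns_line(value):
    """Emit the quoted strongswan attribute line, one space between domains,
    or None when no split domains are configured."""
    domains = normalize_dns_split(value)
    if not domains:
        return None
    return '%d = "%s"' % (SPLIT_DNS_ATTR, " ".join(domains))


def check_client_search_domains(configured, scutil_output):
    """Compare the search domains a client reports (scutil --dns style lines)
    with the configured list; return the entries that do not match."""
    expected = normalize_dns_split(configured)
    seen = re.findall(r"search domain\[\d+\]\s*:\s*(\S+)", scutil_output)
    return [d for d in seen if d.lower() not in expected]


if __name__ == "__main__":
    print(strongswan_split_dns_line("wanteddomain.com,fake.com"))
    # Constructed scutil excerpt showing the mangled entry reported in this ticket.
    print(check_client_search_domains("test.com", "resolver #2\n  search domain[0] : test.comp\n"))
```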

#8 Updated by Steve Wheeler over 4 years ago

Running today's snapshot (Thu Mar 05 23:16:42 CST 2015), upon entering split DNS domains it won't allow me to enter more than one with spaces or commas, and with only one it gives this error:
Warning: Invalid argument supplied for foreach() in /etc/inc/vpn.inc on line 384

#9 Updated by Renato Botelho over 4 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#11 Updated by Chris Buechler over 4 years ago

  • Status changed from Feedback to Confirmed
  • Target version changed from 2.2.1 to 2.2.2
  • % Done changed from 100 to 0

Issue still stands as originally described, we'll revisit for 2.2.2.

#12 Updated by Chris Buechler over 4 years ago

  • Target version changed from 2.2.2 to 2.2.3

Still an issue with strongswan 5.3.0. I opened a bug ticket: https://wiki.strongswan.org/issues/921

#13 Updated by Denny Page about 4 years ago

One thing I would add is that this behavior is particular to the Unity plug-in. With the Unity plug-in disabled, the problem does not occur.

In researching various issues I faced in getting IPSEC to work with OS X and iOS, I frequently came across recommendations in the strongSwan boards to disable the Unity plug-in as it frequently causes problems, particularly with non Cisco gear. It may be preferable to have Unity disabled by default in the pfSense config.

#14 Updated by Chris Buechler about 4 years ago

  • Status changed from Confirmed to Feedback

This doesn't appear to be an issue anymore with 2.2.3, though I haven't narrowed down exactly where that changed yet. If others could help test the latest 2.2.3 from snapshots.pfsense.org to see if you still have this issue, that would help.

#15 Updated by Ermal Luçi about 4 years ago

I thought this was due to the unity plugin no longer being loaded by default.

#16 Updated by Chris Buechler about 4 years ago

  • Assignee set to Chris Buechler
  • Target version changed from 2.2.3 to 2.3
  • Affected Version changed from 2.2 to 2.2.x

Something's changed in the OS X client since last trying this. I'll revisit for further testing.

#17 Updated by Ivars Strazdins about 4 years ago

Just happened to have the same problem. DNS in OS X client and Apple IOS client does not work.
Running pfSense 2.2.3.
DNS server is configured in IPSec Mobile client tab.
scutil output attached.

#18 Updated by Ivars Strazdins about 4 years ago

Just happened to have the same problem. DNS in OS X client and Apple IOS client does not work.
Running pfSense 2.2.3. Mac OS X 10.10.4 and IOS 8.4 on phone.
DNS server is configured in IPSec Mobile client tab.
scutil output attached, "p^D" is appended to IPSec domain

#19 Updated by Travis Gomillion almost 4 years ago

Running pfSense 2.2.4 and attempting to connect with iOS 8.4. This problem still apparently exists in some form or another.

1. Supplied a default domain name with the split DNS field blank (this used to work). DNS queries on the iPhone are still sent out to the internet and not to the supplied remote internal DNS server.
2. Filled in the split DNS field with [mydomain].com and the problem still existed.
3. Filled in the split DNS field with [mydomain].com immediately followed by a space, but this appears to be stripped off once the settings are saved.
4. Filled in the split DNS field with [mydomain].com[space][mydomain] (ex. "domain.com domain") and suddenly internal DNS queries started working properly. Weird.

Should I post this to the StrongSwan issue as well?

#20 Updated by Jim Thompson over 3 years ago

  • Assignee changed from Chris Buechler to Matthew Smith

Reassigned. (I know Matt has this working.)

#21 Updated by Bruce Mah over 3 years ago

Quick testing report with pfSense 2.2.6 / i386 on Soekris net5501 (just upgraded from pfSense 2.1.5), iOS 9.2 on iPhone 6S: I tried test cases 1, 2, and 4 in comment 19 of this bug with identical results. I have DNS working as expected with #4. Thanks to Travis Gomillion for the hint!

(I did not try disabling the Unity plug-in as suggested up-thread...first priority was to get IPSec working in some way.)

#22 Updated by Renato Botelho over 3 years ago

  • Status changed from Feedback to Assigned

Based on the last user reports, it's not fixed yet.

#23 Updated by Renato Botelho over 3 years ago

  • Assignee changed from Matthew Smith to Renato Botelho

I'll handle it.

#24 Updated by Renato Botelho over 3 years ago

  • Status changed from Assigned to Feedback

I spent some time trying to reproduce it on a 2.3 snapshot and couldn't; as you can see below, all split DNS items look OK in the scutil output.

I'm using OS X El Capitan (10.11.3) and pfSense 2.3 snapshot from Feb 2.

I will leave this ticket in feedback state and wait for more feedback from other people using 2.3.

resolver #1
  search domain[0] : example.com
  search domain[1] : test.com
  search domain[2] : pfmechanics.com
  search domain[3] : home
  nameserver[0] : 192.168.11.1
  if_index : 4 (en0)
  flags    : Request A records
Reachable, Directly Reachable Address

#25 Updated by Renato Botelho over 3 years ago

For the record, I've tried it with the Unity plugin enabled and disabled with the same results.

#26 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved

This was either fixed in newer OS X or newer strongswan; the issue no longer exists.

resolver #2
  search domain[0] : test.com

where it used to have "test.comp" there with same config.

#27 Updated by Chris Peden about 3 years ago

I have just set up a new pfSense install and I am seeing this bug again on version 2.3.1-RELEASE-p1. It happens regardless of unity being on or off. As someone in the comments says, if you put in a dummy domain after your legit domain it works as expected, because only the dummy domain is getting the weird appended character.

Here is an example from my internal DNS logs. As you see, it's appending to the domain name.
02-Jun-2016 15:43:52.785 client 192.168.10.1#57278 (bigfoot.peedy.homep\001): query: bigfoot.peedy.homep\001 IN A + (192.168.0.10)

This is on iOS 9.3.2.

#28 Updated by Mario Jauvin almost 3 years ago

OK, I am using pfSense 2.3.2 (latest) and I get the silly p appended to the default domain. Can someone look into this and leave this issue open as opposed to resolved?

The impact is huge because it is not possible to get an IPsec VPN with DNS to work.

The strongswan related bug is https://wiki.strongswan.org/issues/921 which also shows as closed.

As a workaround I had to remove the default DNS domain and entered it twice separated by a space in the split DNS field.

See the following post for how I discovered this: https://forum.pfsense.org/index.php?topic=118571.0

#29 Updated by Pablo Santos almost 3 years ago

I am also having the same problem in version 2.3.2-RELEASE-p1. For some people in the forum, putting in a fake address worked; unfortunately not for me.
I also checked that the routes table is not being propagated via the Windows route command. Even with the option to provide a list of networks accessible to clients,
running the route command it is unable to list those networks, yet it still sends traffic, since the VPN is the default gateway.
If you uncheck the option inside Windows to use the VPN's default gateway, it does not work, since the route table entry does not exist.

#30 Updated by Aaron Holtzman over 2 years ago

This still happens in 2.3.2-RELEASE-p1. Had to add a dummy second domain to fix it like the others.

resolver #3
domain : fooboo200.com*p*
nameserver0 : 192.168.1.212
