Project

General

Profile

Actions

Bug #4418

closed

IPsec mobile clients - bogus "p" appended to search domain

Added by Kill Bill over 6 years ago. Updated 24 days ago.

Status:
Resolved
Priority:
Normal
Category:
IPsec
Target version:
Start date:
02/12/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2.x
Affected Architecture:
All


Files

Selection_012.png (8.54 KB) Selection_012.png Chris Buechler, 02/13/2015 12:34 AM
Screenshot 2015-07-20 00.19.55.png (96.9 KB) Screenshot 2015-07-20 00.19.55.png Ivars Strazdins, 07/19/2015 04:19 PM
Screenshot 2015-07-20 00.19.55.png (96.9 KB) Screenshot 2015-07-20 00.19.55.png Ivars Strazdins, 07/19/2015 04:21 PM
Actions #1

Updated by Chris Buechler over 6 years ago

  • Status changed from New to Confirmed

it's more than just a p, it ends up with some weird character after the p as well. I've already dug into this a bit but not far enough to find the full answer. It's a bug in strongswan it seems, it's not sending what it's configured to send, we're setting it up correctly.

Actions #2

Updated by Chris Buechler over 6 years ago

the symbol at the end that OS X's logs show doesn't copy/paste, attached screenshot.

Actions #3

Updated by Ermal Luçi over 6 years ago

  • Status changed from Confirmed to Feedback

I pushed a commit since this seems relevant only during parsing time of the options.

Can anyone re-producing this test the fix done on this ticket?

Actions #4

Updated by Chris Buechler over 6 years ago

  • Status changed from Feedback to Confirmed

It changes the weird character OS X shows at the end in its system.log, but otherwise unchanged and still wrong. Now shows:

SPLITDNS-NAME[0] = 22vpntest.lanp^A.
Actions #5

Updated by Andreas Weik over 6 years ago

Hi.
Also tried Revision fc06d8ea with no effect on clients from Mountain Lion through Yosemite.

Actions #6

Updated by Jeffrey Dvornek over 6 years ago

Hi all,

Not sure if this helps, but some findings:

First, it appears that the strongswan config is generated using a comma separated list of domains, but per the strongswan docs , it should be space separated. Updating the config manually to be 28675 = wanteddomain.com fake.com at least provides a workaround at the moment, as the extra characters are only appended to the last domain in the list.

Second, perhaps this one's my fault, but it seems as though charon isn't being fully restarted upon saving and applying the configuration from the web configurator. Update/Save/Apply from vpn_ipsec_mobile.php updates the generated config file, but doesn't result in charon being restarted or the new configuration being applied.

Actions #7

Updated by Ermal Luçi over 6 years ago

Thank you for finding the separator issue.

I pushed fixes for separating dns names with spaces.
The characters at the end are some garbage of stack on how strongswan shuffles data around.

Actions #8

Updated by Steve Wheeler over 6 years ago

Running todays snapshot (Thu Mar 05 23:16:42 CST 2015 ) upon entering split dns domains it won't allow me to enter more than one with spaces or commas and with only one gives this error:
Warning: Invalid argument supplied for foreach() in /etc/inc/vpn.inc on line 384

Actions #9

Updated by Renato Botelho over 6 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #11

Updated by Chris Buechler over 6 years ago

  • Status changed from Feedback to Confirmed
  • Target version changed from 2.2.1 to 2.2.2
  • % Done changed from 100 to 0

Issue still stands as originally described, we'll revisit for 2.2.2.

Actions #12

Updated by Chris Buechler over 6 years ago

  • Target version changed from 2.2.2 to 2.2.3

still an issue with strongswan 5.3.0. I opened a bug ticket: https://wiki.strongswan.org/issues/921

Actions #13

Updated by Denny Page over 6 years ago

One thing I would add is that this behavior is particular to the Unity plug-in. With the Unity plug-in disabled, the problem does not occur.

In researching various issues I faced in getting IPSEC to work with OS X and iOS, I frequently came across recommendations in the strongSwan boards to disable the Unity plug-in as it frequently causes problems, particularly with non Cisco gear. It may be preferable to have Unity disabled by default in the pfSense config.

Actions #14

Updated by Chris Buechler over 6 years ago

  • Status changed from Confirmed to Feedback

this doesn't appear to be an issue anymore with 2.2.3, though I haven't narrowed down exactly where that changed yet. If others could help test latest 2.2.3 from snapshots.pfsense.org to see if you still have this issue, that would help.

Actions #15

Updated by Ermal Luçi over 6 years ago

I thought this was due that now unity plugin is not anymore loaded by default.

Actions #16

Updated by Chris Buechler about 6 years ago

  • Assignee set to Chris Buechler
  • Target version changed from 2.2.3 to 2.3
  • Affected Version changed from 2.2 to 2.2.x

something's changed in the OS X client since last trying this. I'll revisit for further testing.

Actions #17

Updated by Ivars Strazdins about 6 years ago

Just happened to have the same problem. DNS in OS X client and Apple IOS client does not work.
Running pfSense 2.2.3.
DNS server is configured in IPSec Mobile client tab.
scutil output attached.

Actions #18

Updated by Ivars Strazdins about 6 years ago

Just happened to have the same problem. DNS in OS X client and Apple IOS client does not work.
Running pfSense 2.2.3. Mac OS X 10.10.4 and IOS 8.4 on phone.
DNS server is configured in IPSec Mobile client tab.
scutil output attached, "p^D" is appended to IPSec domain

Actions #19

Updated by Travis Gomillion about 6 years ago

Running pfSense 2.2.4 and attempting to connect with iOS 8.4. This problem still apparently exists in some form or another.

1. Supplied a default domain name with the split DNS field blank (this used to work). DNS queries on the iPhone are still sent out to the internet and not to the supplied remote internal DNS server.
2. Filled in the split DNS field with [mydomain].com and the problem still existed.
3. Filled in the split DNS field with [mydomain].com immediately followed by a space, but this appears to be stripped off once the settings are saved.
4. Filled in the split DNS field with [mydomain].com[space][mydomain] (ex. "domain.com domain") and suddenly internal DNS queries started working properly. Weird.

Should I post this to the StrongSwan issue as well?

Actions #20

Updated by Jim Thompson almost 6 years ago

  • Assignee changed from Chris Buechler to Matthew Smith

reassigned. (I know Matt has this working.)

Actions #21

Updated by Bruce Mah over 5 years ago

Quick testing report with pfSense 2.2.6 / i386 on Soekris net5501 (just upgraded from pfSense 2.1.5), iOS 9.2 on iPhone 6S: I tried test cases 1, 2, and 4 in comment 19 of this bug with identical results. I have DNS working as expected with #4. Thanks to Travis Gomillion for the hint!

(I did not try disabling the Unity plug-in as suggested up-thread...first priority was to get IPSec working in some way.)

Actions #22

Updated by Renato Botelho over 5 years ago

  • Status changed from Feedback to Assigned

Based on last user reports, it's not fixed yet

Actions #23

Updated by Renato Botelho over 5 years ago

  • Assignee changed from Matthew Smith to Renato Botelho

I'll handle it

Actions #24

Updated by Renato Botelho over 5 years ago

  • Status changed from Assigned to Feedback

I spent some time trying to reproduce it on 2.3 snapshot and couldn't, as you can see below, all split DNS items looks OK on scutil output.

I'm using OS X El Capitan (10.11.3) and pfSense 2.3 snapshot from Feb 2.

I will leave this ticket in feedback state and wait more feedbacks from other people using 2.3

resolver #1
  search domain[0] : example.com
  search domain[1] : test.com
  search domain[2] : pfmechanics.com
  search domain[3] : home
  nameserver[0] : 192.168.11.1
  if_index : 4 (en0)
  flags    : Request A records
Reachable, Directly Reachable Address
Actions #25

Updated by Renato Botelho over 5 years ago

For the records, I've tried it with Unity plugin enabled and disabled with same results

Actions #26

Updated by Chris Buechler over 5 years ago

  • Status changed from Feedback to Resolved

this was either fixed in newer OS X or newer strongswan, issue no longer exists.

resolver #2
  search domain[0] : test.com

where it used to have "test.comp" there with same config.

Actions #27

Updated by Chris Peden over 5 years ago

I have just setup a new pfSense install and I am seeing this bug again on version 2.3.1-RELEASE-p1. Happens regardless of unity being on or off. As someone in the comments says if you put in a dummy domain after your legit domain it works as expected because only the dummy domain is getting the weird appended character.

here is a example from my internal dns logs. as you see its appending to the domain name.
02-Jun-2016 15:43:52.785 client 192.168.10.1#57278 (bigfoot.peedy.homep\001): query: bigfoot.peedy.homep\001 IN A + (192.168.0.10)

this is on iOS 9.3.2

Actions #28

Updated by Mario Jauvin almost 5 years ago

Ok, I am using pfSense 2.3.2 (latest) and I get the silly p appended to the default domain. Can someone look into this and leave this issue as open as opposed to resolved.

The impact is huge because it is not possible to get a IPsec VPN with DNS to work.

The strongswan related bug is https://wiki.strongswan.org/issues/921 which also shows as closed.

As a workaround I had to remove the default DNS domain and entered it twice separated by a space in the split DNS field.

See the following post for how I discovered this: https://forum.pfsense.org/index.php?topic=118571.0

Actions #29

Updated by Pablo Santos almost 5 years ago

Also I am having the same problem in versãoo 2.3.2-RELEASE-p1. For some in the forum saw what worked the Place hum false address, unfortunately for Me Not.
Also checked que Routes table is not being propagated there atrvés Windows to control route. EVEN with an option to provide a list of networks accessible to customers,
To Take Command route UNABLE list as networks, however IT Send Traffic POIs a VPN and the default gateway.
If you uncheck the option to Inside Windows gateway using standard paragraph NOT a VPN, NOT WORK DOES NOT EXIST POIs Table route

Actions #30

Updated by Aaron Holtzman over 4 years ago

This still happens in 2.3.2-RELEASE-p1. Had to add a dummy second domain to fix it like the others.

resolver #3
domain : fooboo200.com*p*
nameserver0 : 192.168.1.212

Actions #31

Updated by R. St 24 days ago

This Problem still exists as I ran into it since the last week.

v2.5.2-RELEASE

No difference if the unity plugin is enabled or disabled. Had to add a dummy second domain as suggested in the last post.

Actions

Also available in: Atom PDF