Project

General

Profile

Actions
Copy link

Feature #7773

closed

IPSec using IKEv2 with split DNS not using provided domain names

Added by Oliver Mueller over 6 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
08/15/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

I am not sure if this is rather a defect than a feature.

I am using IPSec with IKEv2. The VPN connection works great and the connection is established very fast and reliable. The only problem we have, is the Split DNS option. For some reason it doesn't seem to acknowledge the mobile clients setting.

The pfsense log seems to process internal DNS, but i guess the response is "incorrect" for the client:

Aug 15 23:43:52 gateway charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 15 23:43:52 gateway charon: 12[ENC] <30> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]

...

Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> initiating EAP_IDENTITY method (id 0x00)
Aug 15 23:43:52 gateway charon: 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> processing INTERNAL_IP4_ADDRESS attribute
Aug 15 23:43:52 gateway charon: 12[IKE] processing INTERNAL_IP4_DHCP attribute
Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> processing INTERNAL_IP4_DHCP attribute
Aug 15 23:43:52 gateway charon: 12[IKE] processing INTERNAL_IP4_DNS attribute
Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> processing INTERNAL_IP4_DNS attribute
Aug 15 23:43:52 gateway charon: 12[IKE] processing INTERNAL_IP4_NETMASK attribute
Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> processing INTERNAL_IP4_NETMASK attribute
Aug 15 23:43:52 gateway charon: 12[IKE] processing INTERNAL_IP6_ADDRESS attribute
Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> processing INTERNAL_IP6_ADDRESS attribute
Aug 15 23:43:52 gateway charon: 12[IKE] processing INTERNAL_IP6_DHCP attribute
Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> processing INTERNAL_IP6_DHCP attribute
Aug 15 23:43:52 gateway charon: 12[IKE] processing INTERNAL_IP6_DNS attribute
Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> processing INTERNAL_IP6_DNS attribute
Aug 15 23:43:52 gateway charon: 12[IKE] processing (25) attribute
Aug 15 23:43:52 gateway charon: 12[IKE] <con2|30> processing (25) attribute

...

Aug 15 23:43:52 gateway charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS SUBNET SUBNET U_DEFDOM U_SPLITDNS U_BANNER) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Aug 15 23:43:52 gateway charon: 12[ENC] <con2|30> insert payload AUTH into encrypted payload
Aug 15 23:43:52 gateway charon: 12[ENC] <con2|30> insert payload CONFIGURATION into encrypted payload

I can't see any of the split DNS domains in the debug log.

So I am not sure if this is a bug or not featured with IKEv2, but I found this IETF Draft (https://tools.ietf.org/id/draft-ietf-ipsecme-split-dns-02.html( explaining how it should work.

I am using:
pfSense v2.3.4-RELEASE-p1
macOS 10.12.6

Actions
Copy link
 #1

Updated by Marcos M about 1 year ago

  • Status changed from New to Closed

This should be resolved with https://redmine.pfsense.org/issues/12975.

Actions
Copy link

Also available in: Atom PDF