Author Topic: [SOLVED] DNS requests do not enter IPsec tunnel (Read 1887 times)

Droppie391 · « **on:** May 30, 2017, 04:48:14 pm »

DNS requests made to the dns resolver (unbound) do not go through the ipsec tunnel for domain-overrides.
These DNS requests follow the routing table which states for the network on the other side of the ipsec tunnel to go via the wan interface. I don´t understand how traffic from any workstation other then the oünsense box and destinated to the remote ipsec network can find its way through the tunnel but packets originating from the opnsense box itself are routed via the wan interface bypassing the ipsec tunnel.

franco · « **Reply #1 on:** May 30, 2017, 08:26:59 pm »

Binding unbound to the explicit interfaces that you need it to work with is required, especially including the the one that is paired with IPsec. It's in the main settings page, interfaces and outbound interfaces selection.

FreeBSD does not support routes into IPsec by default, it is very strict about its security associations. To illustrate with ping from the OPNsense box:

Doesn't work:

# ping REMOTE.RIGHTSUBNET.IP

Works:

# ping -S LOCAL.LEFTSUBNET.IP REMOTE.RIGHTSUBNET.IP

Cheers,
Franco

Droppie391 · « **Reply #2 on:** May 31, 2017, 02:12:57 pm »

Thanks, that did the trick.

franco · « **Reply #3 on:** May 31, 2017, 03:34:19 pm »

Yay, cool, thanks for checking back!

Author Topic: [SOLVED] DNS requests do not enter IPsec tunnel (Read 1887 times)

Droppie391

[SOLVED] DNS requests do not enter IPsec tunnel

franco

Re: DNS requests do not enter IPsec tunnel

Droppie391

Re: DNS requests do not enter IPsec tunnel

franco

Re: [SOLVED] DNS requests do not enter IPsec tunnel