OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: pboe on November 19, 2015, 04:23:50 pm

Title: DNS not working through IPsec Mobile
Post by: pboe on November 19, 2015, 04:23:50 pm
Hi everyone,
i want to switch from an old pfsense installation with an openvpn VPN to an opnsense 15.7.19 installation with multi wan and IPsec mobile setup.
So far so good, the installation is running, multi wan working and IPsec is setup.
I can connect by an OSX 10.11.1 Client via IPsec and get access to web frontend of the opnsense installation.
But any DNS lookups through the tunnel run into a timeout.
From the resolve.log i can see, that any client side nslookup is processed by the unbound resolver, but it seems that the answer isn't routed back through the tunnel to the vpn client.
Any help is appreciated.

OPNsense 15.7.19-amd64
FreeBSD 10.1-RELEASE-p23
OpenSSL 1.0.2d 9 Jul 2015

Intel(R) Xeon(R) CPU E31220 @ 3.10GHz
4 CPUs: 1 package(s) x 4 core(s)

Mobile Clients:
User authentication:   Local Database
Group Authentication:   none
Virtual Address Pool:
   Provide A virtual IP:   Checked

DNS Servers:     Checked

Tunnel Phase1:
Key Exchange:   V1
IP:      IPV4
Interface:   WAN1

Authentication Method:   Mutual PSK+Xauth
Negotiation Mode:   Aggressive
My Identifier:      My IP Address
Peer Identifier:   Distinguished Name
Pre-Shared Key:      bar

Encryption algorithm:   3DES
Hash Algorith:      SHA1
DH Key Group:      2 (1024)
Lifetime:      28800
Disable Rekey:      Not Checked
Disable Reauth:      Not Checked
NAT Traversal:      Enable
Dead Peer Detection:   Not Checked

Phase 2:
Mode:      Tunnel IPv4
Type:      LAN Subnet
Address:   Left blank
Nat/Binat:   None
Address:   Left blank
Protocol:   ESP
Encryption:   Checked: AES, auto; Blowfish, auto; 3DES, CAST128
Hash Algs:   MD5, SHA1
PFS Keygroup:   OFF
Lifetime:   3600
Auto Ping Host:   Left blank

Automatic outbound NAT:   Checked
WAN   *   *   500   WAN address   *   YES   Auto created rule for ISAKMP
WAN   *   *   *   WAN address   *   NO   Auto created rule
VDSL   *   *   500   VDSL address   *   YES   Auto created rule for ISAKMP
VDSL   *   *   *   VDSL    address   *   NO   Auto created rule

   *   *   *   LAN Address   443/80/22   *       Anti-Lockout Rule   
IPv4 *   LAN net   *   *   *   *      Default allow LAN to any rule     
IPv4 *   LAN net   *   *   *   Load_Balancing      Load Balancing
IPv4 *   LAN net   *   *   *   WAN1failover      If WAN fails switchover to VDSL     
IPv4 *   LAN net   *   *   *   WAN2failover      If VDSL fails switchover to WAN     

IPv4 *   *   *   *   *   *         

DNS Resolver->Access Lists

Action: Allow

Title: Re: DNS not working through IPsec Mobile
Post by: Exitcomestothis on November 20, 2015, 04:48:13 pm
Do you get the same result when you use a public DNS server, like from google or from OpenDNS?
Title: Re: DNS not working through IPsec Mobile
Post by: pboe on November 23, 2015, 11:08:35 am
Using an external DNS is working, by setting the clients DNS to e.g. But i think that traffic is not going through the tunnel.
Title: Re: DNS not working through IPsec Mobile
Post by: Exitcomestothis on November 29, 2015, 04:14:11 am
Is the opnsense firewall the only router you have running on your network at the moment?

Try searching for "ip" in a Google search when connected over VPN. If the result comes up as a/one of the wan IP's that is associated with the firewall, then traffic is indeed flowing over the VPN.

I'm not sure how things have changed for VPN in OS X, as I quit using Mac just as 10.7.0 came out, but make sure that the option for "send all traffic" is checked in the VPN settings.
Title: Re: DNS not working through IPsec Mobile
Post by: pboe on December 01, 2015, 12:03:50 pm
Hi Exitcomestothis,
i'm using only IPSec not L2TP. So on theOSX 10.11 client side i have no option to route all traffic through the tunnel. Therefore if i google my IP adress i get the external IP of the local router the client is connected to.

In the VPN the opnsense box is not the only router, but it doesn't make a difference if i pull the plug of the main router which should be replaced by the opnsense box.
The strange thing is, that the resolver receives the DNS request and also resolves it, but the answer is not getting through to the client.

Thanks for your help, i appreciate that.