OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: eugenmayer on May 20, 2017, 07:33:08 pm

Title: IPsec DNS offering on macOS OSX
Post by: eugenmayer on May 20, 2017, 07:33:08 pm
I have an IPsec mobile client connection (172.16.0.0/24) to my LAN (10.1.7.0).

- I run a DNS Resolver and a DHCP server which is configured to set DNS entries for each client in the LAN. The DNS Resolver does domain overriding for domain.tld and listens on LAN and 127.0.0.1.

Question/Need:
I want the mobile client to be able to resolve the domains for my LAN domain, domain.tld, which the DNS Resolver offers (I can do that when using).

Configuration:
That's how I configured the mobile client: https://goo.gl/qYxP56
That's how I configured the DNS Resolver: https://goo.gl/o6Ibrs

Issue:
When I connect with my (El Capitan/Sierra) IPsec "Cisco" client, I can access the LAN, but I can't really see that the DNS server is used.

If I query the DNS server directly (from the mobile client), it works:

Code:
dig test.domain.tld @10.1.7.1
But I cannot resolve domains from domain.tld directly, since the DNS server seems not to be forwarded during the connection?
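On macOS the "DNS server forwarded during the connection" question can be answered from `scutil --dns`: a VPN client that applied the pushed DNS settings adds a resolver block scoped to the LAN domain (a `domain : domain.tld` entry with the LAN nameserver), while a client that only brought the tunnel up leaves just the default resolver. The following script is an added example for this thread, not code from OPNsense, Apple or any VPN client vendor. It parses the `scutil --dns` output layout (resolver blocks with `domain`, `nameserver[N]` and `search domain[N]` lines), reports whether domain.tld queries will reach 10.1.7.1, and ships with two constructed sample outputs (one with split DNS applied, one without) so it runs offline; on a Mac, pipe the real output into it.

```python
"""Check whether a VPN client installed a per-domain (split DNS) resolver on
macOS, by parsing `scutil --dns` output.

Added example for this thread; not from OPNsense or a VPN client vendor.
Assumed: the `scutil --dns` layout shown in the constructed samples below,
the LAN domain domain.tld and the resolver 10.1.7.1 from the post.
Usage on a Mac (script name is hypothetical):  scutil --dns | python3 check_split_dns.py
With no piped input the script checks the two constructed samples instead.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
# "  nameserver[0] : 10.1.7.1", "  domain   : domain.tld", "  search domain[0] : x"
KV_RE = re.compile(r"^\s+([a-z_ ]+?)(?:\[(\d+)\])?\s*:\s*(.*)$")


@dataclass
class Resolver:
    index: int
    domain: Optional[str] = None          # set only for domain-scoped (split DNS) resolvers
    nameservers: List[str] = field(default_factory=list)
    search_domains: List[str] = field(default_factory=list)
    flags: str = ""


def parse_scutil_dns(text: str) -> List[Resolver]:
    """Turn `scutil --dns` text into a list of Resolver blocks."""
    resolvers: List[Resolver] = []
    current: Optional[Resolver] = None
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = Resolver(index=int(m.group(1)))
            resolvers.append(current)
            continue
        if current is None:
            continue  # header lines before the first resolver block
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(3).strip()
        if key == "domain":
            current.domain = value
        elif key == "nameserver":
            current.nameservers.append(value)
        elif key == "search domain":
            current.search_domains.append(value)
        elif key == "flags":
            current.flags = value
    return resolvers


def split_dns_status(resolvers: List[Resolver], domain: str, expected_ns: str) -> Tuple[bool, str]:
    """Return (ok, explanation). ok is True only when a resolver scoped to
    `domain` lists `expected_ns`, i.e. the VPN pushed DNS settings were applied."""
    want = domain.lower().rstrip(".")
    for r in resolvers:
        if r.domain and r.domain.lower().rstrip(".") == want:
            if expected_ns in r.nameservers:
                return True, f"resolver #{r.index} sends {domain} queries to {expected_ns}"
            return False, f"resolver #{r.index} handles {domain} but uses {r.nameservers}, not {expected_ns}"
    default = [r for r in resolvers if r.domain is None]
    fallback = default[0].nameservers if default else []
    return False, f"no resolver scoped to {domain}; queries fall through to default nameservers {fallback}"


# Constructed sample: what the author expected after the IPsec client applied
# the pushed LAN resolver (resolver #2 is scoped to domain.tld).
SAMPLE_WITH_SPLIT_DNS = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.178.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : domain.tld
  nameserver[0] : 10.1.7.1
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101800
"""

# Constructed sample: the failure case from the first post, where the tunnel
# is up but the client installed no DNS configuration at all.
SAMPLE_WITHOUT_SPLIT_DNS = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.178.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
"""

if __name__ == "__main__":
    if not sys.stdin.isatty():
        inputs = [("scutil --dns (stdin)", sys.stdin.read())]
    else:
        inputs = [("sample with split DNS", SAMPLE_WITH_SPLIT_DNS),
                  ("sample without split DNS", SAMPLE_WITHOUT_SPLIT_DNS)]
    for label, text in inputs:
        ok, msg = split_dns_status(parse_scutil_dns(text), "domain.tld", "10.1.7.1")
        print(f"[{'OK' if ok else 'FAIL'}] {label}: {msg}")
```

The check is deliberately on the resolver table rather than on a `dig @10.1.7.1` result: the latter only proves the tunnel forwards UDP/53 to the LAN, which the author already confirmed, whereas the scoped resolver entry is what decides whether an unqualified `dig test.domain.tld` from the client ever reaches 10.1.7.1.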
Title: Re: IPsec DNS offering
Post by: eugenmayer on May 20, 2017, 07:43:43 pm
Might actually be an IPsec Sierra client issue: https://discussions.apple.com/thread/3071361?start=0&tstart=0
Title: Re: IPsec DNS offering on OSX macOS
Post by: eugenmayer on May 20, 2017, 07:58:47 pm
Well, it is an OSX client issue. I used https://www.shimovpn.com/de/download/, configured a general IPsec client, and everything started to work exactly as expected.

Leaving this here for Google; adjusting the title.
Title: Re: IPsec DNS offering on macOS OSX
Post by: eugenmayer on May 21, 2017, 05:07:11 pm
Little update on this: after fiddling around with Shimo VPN, I was not able to get split DNS to work even though they explicitly offer it. I asked their support because I think that's a software bug. Also, Shimo VPN does not properly detect the network list, thus it always configures to send the whole traffic through the VPN, no matter how you set up the mobile client connection; this can be fixed by manual route overrides.

I tried VPN Tracker 9 or 365 then, and that worked out completely; DNS and gateway work right away. You do not choose a device here, but rather a custom IPsec connection.

If there is any interest, I can paste the general configuration for both clients; in the end, they are very straightforward and aligned with exactly the same terms used in OPNsense.