Show Posts
1
15.7 Legacy Series / DNS not working through IPsec Mobile
« on: November 19, 2015, 04:23:50 pm »
Hi everyone,
i want to switch from an old pfsense installation with an openvpn VPN to an opnsense 15.7.19 installation with multi wan and IPsec mobile setup.
So far so good, the installation is running, multi wan working and IPsec is setup.
I can connect by an OSX 10.11.1 Client via IPsec and get access to web frontend of the opnsense installation.
But any DNS lookups through the tunnel run into a timeout.
From the resolve.log i can see, that any client side nslookup is processed by the unbound resolver, but it seems that the answer isn't routed back through the tunnel to the vpn client.
Any help is appreciated.
System:
OPNsense 15.7.19-amd64
FreeBSD 10.1-RELEASE-p23
OpenSSL 1.0.2d 9 Jul 2015
Intel(R) Xeon(R) CPU E31220 @ 3.10GHz
4 CPUs: 1 package(s) x 4 core(s)
Mobile Clients:
User authentication: Local Database
Group Authentication: none
Virtual Address Pool:
Provide A virtual IP: Checked
10.190.39.0/24
DNS Servers: Checked
10.190.30.253
Tunnel Phase1:
Key Exchange: V1
IP: IPV4
Interface: WAN1
Authentication Method: Mutual PSK+Xauth
Negotiation Mode: Aggressive
My Identifier: My IP Address
Peer Identifier: Distinguished Name
foo
Pre-Shared Key: bar
Encryption algorithm: 3DES
Hash Algorith: SHA1
DH Key Group: 2 (1024)
Lifetime: 28800
Disable Rekey: Not Checked
Disable Reauth: Not Checked
NAT Traversal: Enable
Dead Peer Detection: Not Checked
Phase 2:
Mode: Tunnel IPv4
Type: LAN Subnet
Address: Left blank
Nat/Binat: None
Address: Left blank
/128
Protocol: ESP
Encryption: Checked: AES, auto; Blowfish, auto; 3DES, CAST128
Hash Algs: MD5, SHA1
PFS Keygroup: OFF
Lifetime: 3600
Auto Ping Host: Left blank
Firewall->NAT->Outbound:
Automatic outbound NAT: Checked
WAN 127.0.0.0/8 10.190.30.0/24 10.190.39.0/24 * * 500 WAN address * YES Auto created rule for ISAKMP
WAN 127.0.0.0/8 10.190.30.0/24 10.190.39.0/24 * * * WAN address * NO Auto created rule
VDSL 127.0.0.0/8 10.190.30.0/24 10.190.39.0/24 * * 500 VDSL address * YES Auto created rule for ISAKMP
VDSL 127.0.0.0/8 10.190.30.0/24 10.190.39.0/24 * * * VDSL address * NO Auto created rule
Firewall->Rules->Lan:
* * * LAN Address 443/80/22 * Anti-Lockout Rule
IPv4 * LAN net * * * * Default allow LAN to any rule
IPv4 * LAN net * * * Load_Balancing Load Balancing
IPv4 * LAN net * * * WAN1failover If WAN fails switchover to VDSL
IPv4 * LAN net * * * WAN2failover If VDSL fails switchover to WAN
Firewall->Rules-IPSec:
IPv4 * * * * * *
DNS Resolver->Access Lists
Action: Allow
Networks: 10.190.0.0/16
i want to switch from an old pfsense installation with an openvpn VPN to an opnsense 15.7.19 installation with multi wan and IPsec mobile setup.
So far so good, the installation is running, multi wan working and IPsec is setup.
I can connect by an OSX 10.11.1 Client via IPsec and get access to web frontend of the opnsense installation.
But any DNS lookups through the tunnel run into a timeout.
From the resolve.log i can see, that any client side nslookup is processed by the unbound resolver, but it seems that the answer isn't routed back through the tunnel to the vpn client.
Any help is appreciated.
System:
OPNsense 15.7.19-amd64
FreeBSD 10.1-RELEASE-p23
OpenSSL 1.0.2d 9 Jul 2015
Intel(R) Xeon(R) CPU E31220 @ 3.10GHz
4 CPUs: 1 package(s) x 4 core(s)
Mobile Clients:
User authentication: Local Database
Group Authentication: none
Virtual Address Pool:
Provide A virtual IP: Checked
10.190.39.0/24
DNS Servers: Checked
10.190.30.253
Tunnel Phase1:
Key Exchange: V1
IP: IPV4
Interface: WAN1
Authentication Method: Mutual PSK+Xauth
Negotiation Mode: Aggressive
My Identifier: My IP Address
Peer Identifier: Distinguished Name
foo
Pre-Shared Key: bar
Encryption algorithm: 3DES
Hash Algorith: SHA1
DH Key Group: 2 (1024)
Lifetime: 28800
Disable Rekey: Not Checked
Disable Reauth: Not Checked
NAT Traversal: Enable
Dead Peer Detection: Not Checked
Phase 2:
Mode: Tunnel IPv4
Type: LAN Subnet
Address: Left blank
Nat/Binat: None
Address: Left blank
/128
Protocol: ESP
Encryption: Checked: AES, auto; Blowfish, auto; 3DES, CAST128
Hash Algs: MD5, SHA1
PFS Keygroup: OFF
Lifetime: 3600
Auto Ping Host: Left blank
Firewall->NAT->Outbound:
Automatic outbound NAT: Checked
WAN 127.0.0.0/8 10.190.30.0/24 10.190.39.0/24 * * 500 WAN address * YES Auto created rule for ISAKMP
WAN 127.0.0.0/8 10.190.30.0/24 10.190.39.0/24 * * * WAN address * NO Auto created rule
VDSL 127.0.0.0/8 10.190.30.0/24 10.190.39.0/24 * * 500 VDSL address * YES Auto created rule for ISAKMP
VDSL 127.0.0.0/8 10.190.30.0/24 10.190.39.0/24 * * * VDSL address * NO Auto created rule
Firewall->Rules->Lan:
* * * LAN Address 443/80/22 * Anti-Lockout Rule
IPv4 * LAN net * * * * Default allow LAN to any rule
IPv4 * LAN net * * * Load_Balancing Load Balancing
IPv4 * LAN net * * * WAN1failover If WAN fails switchover to VDSL
IPv4 * LAN net * * * WAN2failover If VDSL fails switchover to WAN
Firewall->Rules-IPSec:
IPv4 * * * * * *
DNS Resolver->Access Lists
Action: Allow
Networks: 10.190.0.0/16