IPsec DNS offering on macOS OSX

Started by eugenmayer, May 20, 2017, 07:33:08 PM

May 20, 2017, 07:33:08 PM Last Edit: May 20, 2017, 07:59:00 PM by eugenmayer
I have an IPsec mobile client connection (172.16.0.0/24) to my LAN (10.1.7.0).

- I run a DNS-Resolver and a DHCP server which is configured to set DNS entries for each client in LAN. The DNS-Resolver does domain overriding for domain.tld and listens on LAN and 127.0.0.1.

Question/Need:
I want the mobile client to be able to resolve the domains for my LAN domain, domain.tld - which the DNS resolver offers (I can do that when using).

Configuration:
That's how I configured the mobile client: https://goo.gl/qYxP56
That's how I configured the DNS Resolver: https://goo.gl/o6Ibrs

Issue:
When I connect with my (El Capitan/Sierra) IPsec "Cisco" client, I can access LAN; I can't really see that the DNS server is used.

If I do query the DNS server directly (from the mobile client), it works:

dig test.domain.tld @10.1.7.1

But I cannot resolve domains from domain.tld directly, since the DNS server seems not to be forwarded during the connection?


Well, it is an OSX client issue; used https://www.shimovpn.com/de/download/ - configured a general IPsec client and everything started to work exactly as expected.

Leaving this here for Google - adjusting title.

Little update on this: after fiddling around with Shimo VPN, I was not able to get split DNS to work even though they explicitly offer it - I asked the support because I think that's a software bug. Also, Shimo VPN does not properly detect the network list, thus always configures to send the whole traffic through VPN, no matter how you set up the mobile client connection - this can be fixed by manual route overrides.

I tried VPN Tracker 9 or 365 then and that worked out completely; DNS and gateway work right away. You do not choose a device here, but rather a customer IPsec connection.

If there is any interest, I can paste the general configuration for both clients - in the end, they are very straightforward and aligned with exactly the same terms used in OPNsense.