IPsec Mobile Client: Split DNS: Fixing MacOS and iOS with IKEv2 #3325

Closed
stumbaumr opened this issue Mar 13, 2019 · 7 comments
@stumbaumr
Contributor

stumbaumr commented Mar 13, 2019

Describe the bug
We have internal DNS servers in our network providing private DNS zones. So for example dc1.contoso.com is provided by DNS server 10.20.30.1. MacOS and iOS IPsec Mobile Client users should be configured so that they use the DNS server 10.20.30.1 for domain names like host01.dc1.contoso.com. For www.google.com it should still be the DNS server of the local network of the client. Somehow Windows 10 clients just work, but Apple devices fail to resolve internal DNS names.

Cisco used to provide a UNITY attribute extension for that functionality - this is available for Cisco Anywhere clients. This is configurable in OPNsense, but not for plain IKEv2 clients.

According to https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients there is a new attribute INTERNAL_DNS_DOMAIN (IANA number 25). Newer MacOS and iOS clients use that value.

So if you configure 25 the same as 28675 (comma-separated list of split domain names), split DNS just works.

e.g.

charon {
    plugins {
        attr {
            dns = 10.20.30.1
            # Default domain and split DNS domains (Cisco UNITY attributes)
            28674 = office.contoso.com
            28675 = dc1.contoso.com,dc2.contoso.com,dc3.contoso.com,office.contoso.com
            # INTERNAL_DNS_DOMAIN (IANA 25), used by newer MacOS and iOS clients
            25 = dc1.contoso.com,dc2.contoso.com,dc3.contoso.com,office.contoso.com
        }
    }
}

So by adding attr 25 you would fix split DNS for a lot of standard IKEv2 clients.

To Reproduce
Create VPN -> IPsec -> Mobile Client. Configure Split DNS.

Connect using iOS or MacOS device. See if internal DNS names get resolved. No? Add 25 attribute in your config. Check again. :-)

Expected behavior
IKEv2 Clients should just work out of the box these days...

Environment
Software version used and hardware type if relevant.

OPNsense 19.1.4 (amd64, OpenSSL).
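An added example (not from the issue or from OPNsense): it renders the charon attr block described above with attribute 25 mirroring 28675, parses such a block back, and checks that the two attributes carry the same domain list. The attribute numbers come from this issue; the domain values are the issue's contoso.com example; the helper names are my own.

```python
import re

# 28674/28675: Cisco UNITY default-domain / split-DNS attributes; 25: INTERNAL_DNS_DOMAIN (IANA).
UNITY_DEF_DOMAIN = "28674"
UNITY_SPLITDNS = "28675"
INTERNAL_DNS_DOMAIN = "25"
# Constructed example values, mirroring the issue's contoso.com example.
DNS_SERVER = "10.20.30.1"
DEFAULT_DOMAIN = "office.contoso.com"
SPLIT_DOMAINS = ["dc1.contoso.com", "dc2.contoso.com", "dc3.contoso.com", "office.contoso.com"]

def render_attr_section(dns, default_domain, split_domains):
    """Emit a charon attr plugin block where attribute 25 mirrors 28675."""
    domains = ",".join(split_domains)
    return (
        "charon {\n    plugins {\n        attr {\n"
        f"            dns = {dns}\n"
        f"            {UNITY_DEF_DOMAIN} = {default_domain}\n"
        f"            {UNITY_SPLITDNS} = {domains}\n"
        f"            {INTERNAL_DNS_DOMAIN} = {domains}\n"
        "        }\n    }\n}\n"
    )

def parse_attr_section(text):
    """Return {key: value} for the 'key = value' lines inside attr { ... }."""
    m = re.search(r"attr\s*\{(.*?)\n\s*\}", text, re.S)
    if not m:
        raise ValueError("no attr block found")
    out = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[k] = v
    return out

def split_dns_domains(value):
    """Accept comma- or space-separated lists, since the thread mentions both conventions."""
    return {d for d in re.split(r"[,\s]+", value) if d}

def check_split_dns(text):
    """Return problems found; an empty list means Apple IKEv2 clients get the same split list."""
    attrs = parse_attr_section(text)
    problems = []
    if INTERNAL_DNS_DOMAIN not in attrs:
        problems.append("attribute 25 (INTERNAL_DNS_DOMAIN) missing: macOS/iOS clients get no split DNS")
    elif split_dns_domains(attrs[INTERNAL_DNS_DOMAIN]) != split_dns_domains(attrs.get(UNITY_SPLITDNS, "")):
        problems.append("attribute 25 and 28675 list different domains")
    return problems
```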

@AdSchellevis AdSchellevis self-assigned this Mar 13, 2019
@AdSchellevis AdSchellevis added the feature Adding new functionality label Mar 13, 2019
@stumbaumr
Contributor Author

@AdSchellevis Excellent, the iOS and MacOS IKEv2 clients are working properly with your patch.

Question: In https://wiki.strongswan.org/projects/strongswan/wiki/AttrPlugin it is stated that parameter 28675 is a "space-separated list of domain names". This is for Cisco clients using the Unity extension. I do not have Cisco anywhere, but maybe somebody like @mimugmail could confirm that 28675 even works if it is comma separated.

@AdSchellevis
Member

@stumbaumr thanks for confirming, I don't have Cisco stuff either at our office, so if @mimugmail has the opportunity to test that would be nice, otherwise we will have to wait until someone posts a bug if it doesn't work (I think this has been in for ages, so I would suspect it works, but you never know)

@mimugmail
Member

@stumbaumr you mean the old Cisco VPN Client? It's not compatible with W10 anymore.

@stumbaumr
Contributor Author

Is the Cisco AnyConnect Client using the Unity Extensions?

@mimugmail
Member

I never tried IKEv2 with AnyConnect against OPNsense... I'm only using OPNsense to connect to my company ASA via the OpenConnect plugin.

fichtner pushed a commit that referenced this issue Mar 23, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
@alexanderharm

@stumbaumr Does this really work for you under macOS 11 Big Sur? For me internal FQDNs are never resolved and when I check with scutil --dns I can see that StrongSWAN's domains are ALSO appended to the default resolver!

DNS configuration

resolver #1
  search domain[0] : licenseserver.example.com
  search domain[1] : fibuscan.example.com
  search domain[2] : intern
  nameserver[0] : 10.12.14.2
  if_index : 7 (en4)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : fibuscan.example.com
  nameserver[0] : 10.0.1.100
  nameserver[1] : 10.0.1.110
  if_index : 20 (ipsec0)
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 102201

resolver #4
  domain   : licenseserver.example.com
  nameserver[0] : 10.0.1.100
  nameserver[1] : 10.0.1.110
  if_index : 20 (ipsec0)
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 102200

resolver #5
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : intern
  nameserver[0] : 10.12.14.2
  if_index : 7 (en4)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  nameserver[0] : 10.0.1.100
  nameserver[1] : 10.0.1.110
  if_index : 20 (ipsec0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
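An added example (not from the thread) that parses output in the scutil --dns format shown above and lists the split-DNS domains from Supplemental resolvers that also ended up in the default resolver's search list, the symptom this comment describes. The sample is a constructed, shortened copy of the posted output; treating resolver #1 of the unscoped section as the default resolver is an assumption.

```python
import re

# Constructed sample: a shortened copy of the scutil --dns output posted in this comment.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : fibuscan.example.com
  search domain[1] : intern
  nameserver[0] : 10.12.14.2
  flags    : Request A records

resolver #3
  domain   : fibuscan.example.com
  nameserver[0] : 10.0.1.100
  nameserver[1] : 10.0.1.110
  if_index : 20 (ipsec0)
  flags    : Supplemental, Request A records

DNS configuration (for scoped queries)
"""

def parse_scutil_dns(text):
    """Parse the unscoped section of `scutil --dns` into a list of resolver dicts."""
    unscoped = text.split("DNS configuration (for scoped queries)")[0]
    resolvers, cur = [], None
    for line in unscoped.splitlines():
        m = re.match(r"resolver #(\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "domain": None, "search": [], "nameservers": [], "flags": []}
            resolvers.append(cur)
        elif cur is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key.startswith("search domain"):
                cur["search"].append(val)
            elif key.startswith("nameserver"):
                cur["nameservers"].append(val)
            elif key == "domain":
                cur["domain"] = val
            elif key == "flags":
                cur["flags"] = [f.strip() for f in val.split(",")]
    return resolvers

def leaked_split_domains(resolvers):
    """Supplemental (split-DNS) domains that also appear in the default resolver's search list."""
    supplemental = {r["domain"] for r in resolvers if "Supplemental" in r["flags"] and r["domain"]}
    return sorted(d for d in resolvers[0]["search"] if d in supplemental)  # resolvers[0] assumed default
```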

@feld

feld commented Oct 22, 2021

Confirming I can reproduce this as well.
