[7.450][INFO] iPhone VPN Client still doesn't receive DNS server info

All,

I know there are multiple threads out there on this topic, but on going through them I'm not sure if there's a way to get the iPhone Cisco VPN client to have DNS information fed to it from ASG. I was just testing with 7.450 just in case this had been addressed, and unfortunately I see the same behavior as 7.402; once connected I can hit internal machines by IP address, but the iPhone receives no DNS server information and therefore cannot resolve any FQDNs meaning no Internet access while connected to the VPN.

Given this was a feature introduced in 7.4, and it is clearly intended to work with the iPhone, is there a way to get the DNS information over to the iPhone, or is this an ongoing issue that Astaro is aware of and is working on? I've not tried hitting an actual Cisco device from the iPhone, but gauging from other posts I get the impression that a Cisco is able to pass DNS info to an iPhone successfully.

Thanks,
Martin.

Parents

0 BAlfson over 16 years ago

Martin,

This is not an Astaro issue. It's an Apple design choice. The problem is that Mac and iPhone reserve .local for use with things like Bonjour. That makes the local network at my office to appear to be unserved by DNS.

If you are having difficulty getting resolution for other networks, then there's probably a configuration issue.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to BAlfson

Thanks - I saw your previous thread about .local and wasn't sure if anyone had found a way around it. The thing that strikes me as odd is that DNS server info is sent to the iPhone just fine for PPTP and L2TP connections; this effect seems limited to the Cisco VPN client.

In my case I'm unable to resolve anything once connected via the iPhone. Attempting a ping via iStat returns an error for any hostname/FQDN I enter, whether they're on the internal network or out on the Internet.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BAlfson over 16 years ago in reply to MarCow

You are correct, that's a different issue, and I think it predates V7.450.

I use L2TP over IPsec, so am able to take advantage of the settings on the 'Advanced' tab of 'Remote Access'.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MarCow over 16 years ago in reply to BAlfson

Thanks - maybe I'll just switch to L2TP, although for some reason I just like the idea of using the Cisco client from my iPhone, probably just because it's there.

Do you know if the same issue with .local occurs when using the iPhone Cisco client to connect to an actual Cisco ASA or other box that supports it? If so, then that proves once and for all that it's purely an iPhone limitation and nothing to do with ASL.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Cath over 16 years ago in reply to MarCow

This problem occurs on the apple iphone forums. Exists Cisco client to Cisco VPN concentrators or to Cisco ASA. Looks like common answer on the thread was that if you want DNS when you connect over a VPN to use the L2TP connection instead of the Cisco

Apple - Support - Discussions - iPhone 3G VPN client not getting DNS ...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BAlfson over 16 years ago in reply to Cath

Actually, I use split tunnel with L2TP over IPsec. I haven't tried DNS through the tunnel.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 d12fk over 16 years ago in reply to BAlfson

The IKE daemon we're currently using lacks support for pushing DNS/WINS server information to vanilla IPsec clients. The iPhone is just one of them. I thought that it would work for it as well once we upgraded strongswan to 4.3.x, but after reading the Apple forum thread from above I'm not so sure anymore. Anyways, other IPsec clients will benefit from the better MODECFG support. Maybe the iPhone client will be fixed by Cisco in a future firmware version and there still is a fair chance that it will work with the new strongswan if you look at it optimistically. =)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 d12fk over 16 years ago in reply to BAlfson

The IKE daemon we're currently using lacks support for pushing DNS/WINS server information to vanilla IPsec clients. The iPhone is just one of them. I thought that it would work for it as well once we upgraded strongswan to 4.3.x, but after reading the Apple forum thread from above I'm not so sure anymore. Anyways, other IPsec clients will benefit from the better MODECFG support. Maybe the iPhone client will be fixed by Cisco in a future firmware version and there still is a fair chance that it will work with the new strongswan if you look at it optimistically. =)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 BAlfson over 16 years ago in reply to d12fk

I configured L2TP on my iPhone to "send all traffic" through the tunnel. I get DNS resolution for everything outside the .local network.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 d12fk over 16 years ago in reply to BAlfson

That's because L2TP uses PPP IPCP to assign the client an IP address and DNS/WINS server information. Vanilla IPsec clients have to rely on MODECFG, a Cisco IKE extension, for that. Currently the MODECFG support in strongswan does not include assigning DNS/WINS server addresses. This will be the gained after the upgrade.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Astaro Beta Bot over 16 years ago in reply to d12fk

Astaro Beta Report
--------------------------------
Version: 7.450
Type: INFO
State: NONE
Reporter: MarCow
Contributor: 
MantisID: 
--------------------------------

0 chow11 over 16 years ago in reply to d12fk

That's because L2TP uses PPP IPCP to assign the client an IP address and DNS/WINS server information. Vanilla IPsec clients have to rely on MODECFG, a Cisco IKE extension, for that. Currently the MODECFG support in strongswan does not include assigning DNS/WINS server addresses. This will be the gained after the upgrade.

With which version of ASG will this upgrade happen? with 7.470 and CiscoVPN (not iPhone), DNS is still not coming through.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 d12fk over 16 years ago in reply to chow11

We'll upgrade during V8 development. We don't know for sure when V8 will be released, but the functionality should be available for evaluation in the first V8 beta around christmas.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel