IKEv2 VPN not seeing local DNS

I've got an M290 running the latest firmware (12.9.4) and up until about 3 days ago I had an IKEv2 Mobile VPN working properly.

Now when I log in the remote user isn't getting the local DNS server at all. I've set up logging on both the DNS and Allow.IKEv2 policy and the only DNS requests I can see are to DNSWatch or other public DNS servers. I get no name resolution whatsoever when connected to the VPN.

Through testing I've set the VPN to use the network configuration and specified the DNS servers directly within the VPN configuration. I've tried split tunneling, and I've tried forcing all traffic through the tunnel (our preferred method). All with the same result.

I've restarted servers and firebox. Verified DNS is working internally but I can't get any joy on the mobile VPN.

Capturing data using "-i vlan20 -n host XXX.xxx.XXX.xxx" doesn't even register the VPN IP address in Wireshark.

It's as though the Mobile VPN doesn't see anything on the local network.

Comments

  • Local network meaning ? Local to the Firebox or local to the PC?

    Is DNSWatchGo installed on the VPN client PC?
    Or some other software which may affect the DNS resolver IP addr?

    What is shown from a CMD box "ipconfig /all"

    Mine shows:
    PPP adapter WG IKEv2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WG IKEv2
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.114.1(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0
    DNS Servers . . . . . . . . . . . : 8.8.8.8
    NetBIOS over Tcpip. . . . . . . . : Enabled

    The DNS server shown is the one specified on the Mobile VPN with IKEv2 setting, and is not the default for my PC or for the firewall.

    I do not have DNSWatchGo installed nor is DNSWatch enabled for my trusted network.

    I'm running V12.9.4 on my Firebox

  • Sorry realized that might be confusing after the fact. Local to the firebox.

    DNSWatchgo is not installed on the device

    Currently working in the office right now and I can't test using a PC and I'm using strongSwan atm to connect and troubleshoot. But multiple PCs experienced the same thing. I can post ipconfig later today.

  • Here's the ipconfig for the connection. It lists the proper DNS servers, but still doesn't go. In this case I have one DNS server local to the Firebox and 8.8.8.8 set in the DNS/WINS config for the network. I cannot see anything inside the firewall and Windows lists the network as a public network, not a domain network.

    I have another connection to another office set up the same way, with the Firebox's local DNS set first and then Google set within the DNS/WINS configuration page, and it reports similarly to what's below but works correctly.

    PPP adapter HeroldVictoria:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HeroldVictoria
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.28.1(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0
    DNS Servers . . . . . . . . . . . : 192.168.20.90
    8.8.8.8
    NetBIOS over Tcpip. . . . . . . . : Enabled

  • What type of name resolution is being tried?
    FQDN or short names?
    If short names, then you need to have the appropriate entry in Connection-specific DNS Suffix, such as mycompany.net or whatever to get the proper name resolution on your internal DNS server.

    What does logging on your internal DNS server show?

  • I think I have discovered the issue

    I had put in a BOVPN tunnel for accessing a group of workstations using the ANY IP option for the remote end of the tunnel. Removing the tunnel seems to have rectified the issue. I can now resolve names using nslookup, with both short and FQDN lookups.

    Thank you for the help; the ah-ha moment was looking at changing the IP range back to the default 114.0/24 subnet to mimic what you had posted.
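The root cause above is a BOVPN tunnel whose remote side was set to ANY, which attracts traffic (including DNS queries from mobile VPN clients) that should have stayed local. The following is an added example, not code from the thread or from WatchGuard: a small Python check over a constructed tunnel configuration that flags tunnel routes which are a default route, cover the internal DNS server, or overlap the mobile VPN client pool. The addresses, tunnel names and the `0.0.0.0/0` encoding of the ANY option are assumptions made for the example.

```python
import ipaddress

# Constructed sample configuration modelled on this thread (not the poster's
# actual config): the mobile VPN client pool, the internal DNS server handed
# to clients, and each BOVPN tunnel's remote networks. The BOVPN "Any"
# remote-network option is modelled here as 0.0.0.0/0 (an assumption).
MOBILE_VPN_POOL = ipaddress.ip_network("192.168.28.0/24")
INTERNAL_DNS = ipaddress.ip_address("192.168.20.90")
BOVPN_ROUTES = {
    "office-b": ["10.50.0.0/16", "10.51.0.0/24"],
    "workstations": ["0.0.0.0/0"],  # catch-all remote, like the tunnel the poster removed
}


def tunnel_conflicts(routes, pool, dns):
    """Flag tunnel routes that would attract traffic meant to stay local.

    Returns a list of (tunnel, route, reasons) where reasons is a sorted list
    drawn from {"default-route", "covers-dns", "overlaps-pool"}.
    """
    findings = []
    for name, nets in routes.items():
        for spec in nets:
            net = ipaddress.ip_network(spec, strict=False)
            reasons = []
            if net.prefixlen == 0:
                # A /0 remote network matches every destination.
                reasons.append("default-route")
            if dns in net:
                # Queries to the internal DNS server would be sent into this tunnel.
                reasons.append("covers-dns")
            if net.overlaps(pool):
                # Replies back to mobile VPN clients could be pulled into this tunnel.
                reasons.append("overlaps-pool")
            if reasons:
                findings.append((name, spec, sorted(reasons)))
    return findings


def main():
    hits = tunnel_conflicts(BOVPN_ROUTES, MOBILE_VPN_POOL, INTERNAL_DNS)
    for name, spec, reasons in hits:
        print(f"tunnel {name!r} route {spec}: {', '.join(reasons)}")
    if not hits:
        print("no conflicting tunnel routes found")


if __name__ == "__main__":
    main()
```

Run against the sample data it reports only the "workstations" tunnel; the two ordinary office-b routes pass.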
