Issue #921

UNITY_SPLITDNS_NAME omits first domain with multiple domains, appends p to end of last or only domain

Added by Chris Buechler over 5 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: interoperability
Affected version: 5.3.0
Resolution: No change required

Description

Start with a setup basically like this: https://www.strongswan.org/uml/testresults/ikev1/xauth-psk/

With the following in strongswan.conf:

attr {
    subnet = 172.16.1.0/26
    dns = 172.16.0.1
    split-include = 172.16.0.0/24
    # Search domain and default domain
    # 28674 = UNITY_DEF_DOMAIN
    28674 = "split1.lan"
    # 28675 = UNITY_SPLITDNS_NAME (space-separated list)
    28675 = split1.lan
    # 28673 = UNITY_SAVE_PASSWD
    28673 = 1
}

and your client will end up getting:

nesessionmanager[757]: IPSec Network Configuration: SPLITDNS-NAME[0] = split1.lanp.

with a 'p' appended to what's actually configured.

The same issue exists when using multiple domains, though that also shows a different issue: it sends null rather than the first domain in the list. Replace the config line with:

    28675 = split1.lan split2.lan split3.lan

and your client gets:

Apr  3 02:02:30  nesessionmanager[757]: IPSec Network Configuration: SPLITDNS-NAME[0] = (null).
Apr  3 02:02:30  nesessionmanager[757]: IPSec Network Configuration: SPLITDNS-NAME[1] = split2.lan.
Apr  3 02:02:30  nesessionmanager[757]: IPSec Network Configuration: SPLITDNS-NAME[2] = split3.lanp.

We have a bug open with logs and experiences from others: https://redmine.pfsense.org/issues/4418

The issue has existed in 5.2.x versions, and the above was on 5.3.0. No change in behavior from 5.2.x to 5.3.0 that I've noticed.


Related issues

Related to Issue #261: Split tunnel and CHILD_SA (Closed, 08.12.2012)

History

#1 Updated by Tobias Brunner over 5 years ago

  • Category set to interoperability
  • Status changed from New to Feedback

As far as I can tell this is a client issue, see #261.

#2 Updated by Tobias Brunner over 5 years ago

  • Related to Issue #261: Split tunnel and CHILD_SA added

#3 Updated by Chris Buechler over 5 years ago

It may be. I initially thought multiple clients were reported with the issue, but I'm not sure that's the case. OS X connecting to racoon also doesn't work, though it's non-functional in a somewhat different way. I'll give other VPN clients a try this weekend and report back. Thanks!

#4 Updated by Maxim Izergin about 5 years ago

Hi Chris,

I ran into this problem right after the iOS 7 update.
My workaround was to add an empty ' ' value to the end of the list.

The PL/pgSQL function looks like this:

---
  -- Fragment of a PL/pgSQL function body; the variables it references
  -- (domains_f, app_f, C_ITEM_TYPE_OnDemandRule_Domain) are declared in
  -- the enclosing function, which is not shown.
  -- Join the domains with spaces and append a trailing ' ' so that the
  -- client's stray 'p' lands on an empty dummy entry, not the last real domain.
  select array_to_string(array_agg(val_var), ' ') || ' '  -- Fix iOS/OSX client bug with 'p' at the end
    into domains_f
    from attributes
   where up = app_f
     and typ = C_ITEM_TYPE_OnDemandRule_Domain;
  if length(domains_f) > 0 then  -- VPN has DNS domains
    return query (
      select app_id::varchar                                    as id,
             cast('User=' || app_id as varchar)                 as UserName,
             cast('CVPN3000-IPSec-Split-DNS-Names' as varchar)  as Attribute,
             cast(domains_f as varchar)                         as Value,
             cast('=' as varchar)                               as Op);
  end if;
---
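Added example (not code from this thread, from strongSwan, or from any VPN client): a small Python model of the Mode Config attribute bytes that the strongswan.conf in the description produces, with a correct TLV decoder beside one that copies a single byte past each value's declared length. The attribute that follows the domain list in the reporter's config, 28673 (UNITY_SAVE_PASSWD), is 0x7001, and its first byte 0x70 is ASCII 'p', so a one-byte over-read would print exactly the 'split1.lanp' the logs show, and with Maxim's trailing-space workaround the 'p' lands on an empty dummy entry instead of the last real domain. The over-read is a hypothesis drawn from those values, not a confirmed cause: the model assumes the attributes are sent in config order, encodes UNITY_SAVE_PASSWD as a two-byte integer (an assumption), and does not reproduce the '(null)' first entry seen with multiple domains.

```python
import struct

# Cisco Unity Mode Config attribute numbers as used in the strongswan.conf
# quoted in this issue (28673/28674/28675).
UNITY_SAVE_PASSWD = 28673    # 0x7001
UNITY_DEF_DOMAIN = 28674     # 0x7002
UNITY_SPLITDNS_NAME = 28675  # 0x7003


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one ISAKMP data attribute in TLV form:
    2-byte type (AF bit clear), 2-byte length, then the value."""
    if attr_type & 0x8000:
        raise ValueError("TLV attribute types must have the AF bit clear")
    return struct.pack("!HH", attr_type, len(value)) + value


def build_payload(domains: list[str]) -> bytes:
    """Constructed attribute sequence mirroring the page's config: the
    UNITY_SPLITDNS_NAME list followed by UNITY_SAVE_PASSWD = 1.  Encoding
    UNITY_SAVE_PASSWD as a 2-byte integer is an assumption; only the first
    byte of its type field (0x70) matters for the demonstration."""
    split_dns = " ".join(domains).encode()
    return (encode_attr(UNITY_SPLITDNS_NAME, split_dns)
            + encode_attr(UNITY_SAVE_PASSWD, struct.pack("!H", 1)))


def parse_attrs(payload: bytes, overread: int = 0) -> list[tuple[int, bytes]]:
    """Walk a sequence of ISAKMP data attributes.

    overread=0 is a correct decoder.  overread=1 models a hypothetical client
    that copies one byte more than the declared length of each TLV value; it
    exists only to show why such a bug would print the symptom in the logs."""
    attrs = []
    offset = 0
    while offset + 4 <= len(payload):
        attr_type, length_or_value = struct.unpack_from("!HH", payload, offset)
        if attr_type & 0x8000:
            # TV form: the second field is the value itself, no body follows.
            attrs.append((attr_type & 0x7FFF, payload[offset + 2:offset + 4]))
            offset += 4
            continue
        start = offset + 4
        end = start + length_or_value
        if end > len(payload):
            raise ValueError("attribute length runs past end of payload")
        attrs.append((attr_type, payload[start:end + overread]))
        offset = end
    return attrs


def split_dns_names(payload: bytes, overread: int = 0) -> list[str]:
    """Return the UNITY_SPLITDNS_NAME entries as the client would list them."""
    for attr_type, value in parse_attrs(payload, overread):
        if attr_type == UNITY_SPLITDNS_NAME:
            return value.decode("ascii", errors="replace").split(" ")
    return []


def byte_after_split_dns(payload: bytes) -> int:
    """The byte immediately following the split-DNS value: the high byte of
    the next attribute's type field."""
    _, length = struct.unpack_from("!HH", payload, 0)
    return payload[4 + length]


if __name__ == "__main__":
    single = build_payload(["split1.lan"])
    print(chr(byte_after_split_dns(single)))           # p
    print(split_dns_names(single))                     # ['split1.lan']
    print(split_dns_names(single, overread=1))         # ['split1.lanp']
    multi = build_payload(["split1.lan", "split2.lan", "split3.lan"])
    print(split_dns_names(multi, overread=1))          # [..., 'split3.lanp']
    # Maxim's workaround: a trailing ' ' adds an empty dummy entry that
    # absorbs the extra byte, so the real domain stays intact.
    padded = build_payload(["split1.lan", ""])
    print(split_dns_names(padded, overread=1))         # ['split1.lan', 'p']
```

Running the block prints the 'p' byte that follows the domain list, the correctly decoded list, and the over-read results for the single-domain, three-domain and trailing-space cases from this thread. On a real connection the byte after the list depends on which attribute the server sends next, so a capture of the Mode Config exchange is the way to confirm or rule out this explanation.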

#5 Updated by Chris Buechler over 4 years ago

This was either resolved in a newer OS X or a newer strongSwan version. It no longer occurs with OS X 10.11 and strongSwan 5.3.5; the issue can be closed.

#6 Updated by Tobias Brunner over 4 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

> This was either resolved in a newer OS X or a newer strongSwan version. It no longer occurs with OS X 10.11 and strongSwan 5.3.5; the issue can be closed.

OK, thanks for the feedback. Since there were no changes in the attr and attr-sql plugins since 5.3.0 I assume it was fixed in a recent OS X release.

#7 Updated by Chris Peden about 4 years ago

I have just set up a new pfSense install and I am seeing this bug again on version 2.3.1-RELEASE-p1. It happens regardless of Unity being on or off. As someone in the comments says, if you put in a dummy domain after your legitimate domain, it works as expected, because only the dummy domain gets the weird appended character.

Here is an example from my internal DNS logs. As you can see, it's appending to the domain name.
02-Jun-2016 15:43:52.785 client 192.168.10.1#57278 (bigfoot.peedy.homep\001): query: bigfoot.peedy.homep\001 IN A + (192.168.0.10)

This is on iOS 9.3.2.
