TL;DR:
Queries to DNS server over IPSec made using host or dig work OK,
requests made by e.g. ping exit the enc0 interface but don't show up on
enc0 on the other end.
Hi all
I'm puzzled by some weird stuff happening with DNS queries over IPSec. I
have a fully working tunnel over a roaming laptop and our network. The
laptop gets its IP and DNS resolvers via DHCP and sets up a route to
192.168.16.0/22 over IPSec with NAT:
ike dynamic esp from 192.168.19.3 (egress) to 192.168.16.0/22 \
peer vpn.foo.bar \
srcid laptop.foo.bar dstid vpn.foo.bar
All works fine, I can ping, SSH, HTTP, etc. to machines on 192.168.16.0/22,
as long as I use their IP addresses. However, if I change the laptop's
resolv.conf to use our DNS server (nameserver 192.168.16.2) weird things
happen.
If I use host or dig to query our server, I can see the DNS requests and
answers pass correctly on the enc0 interfaces of both endpoints.
However, if I try to do something like "ping -c 1 www_lan.foo.bar" (or
e.g. ssh) I can see the packets with the DNS request pass through enc0
on the tunnel (and on the physical interface too), but no traffic
shows up on enc0 on the other endpoint (I do believe they show up on the
physical interface on that end, but my tcpdump-fu isn't good enough to
be sure).
Again, all other traffic works fine, routing tables look ok, AFAICT pf
isn't blocking anything, the laptop is running Dec 9 -current (amd64)
and the other endpoint is running 5.4-release w/ mtier binpatches (i386)
(planning to upgrade within a couple of days), and most importantly,
both host and dig have their queries properly answered.
Does anyone have any idea of what is going on? Apologies in advance if
important information is missing, and/or this is a known problem and an
upgrade to 5.6 is enough (I briefly STFA and didn't find it, though).
Cheers
Zé
--
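The comparison the post describes by hand (tcpdump on enc0 at both ends, then working out which DNS queries left the laptop but never arrived at the server) can be scripted. The following is an added example, not code from the post or from OpenBSD: it parses simplified tcpdump-style query lines from both captures, pairs them by transaction id, type and name, lists the queries missing on the remote side, and additionally flags any query whose source/destination addresses fall outside the from/to selectors of the post's ike line (192.168.19.3 to 192.168.16.0/22), since such a packet would not be matched by that flow. The capture lines are constructed, the exact tcpdump output format is assumed, and the flow-selector check is one hypothesis to rule out, not a diagnosis of the reported problem.

```python
"""Compare DNS queries seen on enc0 at both IPsec endpoints.

Added example (not from the post). Input is the text printed by something
like `tcpdump -n -i enc0 port 53` on each endpoint.
"""
import ipaddress
import re
from dataclasses import dataclass

# Flow selectors taken from the post's ike line (assumed to be the only flow).
FLOW_FROM = ipaddress.ip_network("192.168.19.3/32")
FLOW_TO = ipaddress.ip_network("192.168.16.0/22")

# Matches DNS *query* lines as tcpdump -n prints them on enc0. The format is
# simplified and assumed here; adjust the regex if your tcpdump differs.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    qtype: str
    qname: str

    def key(self):
        """Identity used to pair the same query across the two captures."""
        return (self.txid, self.qtype, self.qname)

    def inside_flow(self) -> bool:
        """True if src/dst fall inside the ike line's from/to selectors."""
        return (ipaddress.ip_address(self.src) in FLOW_FROM
                and ipaddress.ip_address(self.dst) in FLOW_TO)


def parse_queries(capture: str) -> list:
    """Extract DNS query packets; responses and non-matching lines are skipped."""
    out = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out.append(DnsQuery(m["ts"], m["src"], int(m["sport"]), m["dst"],
                                int(m["dport"]), int(m["txid"]),
                                m["qtype"], m["qname"]))
    return out


def compare_captures(local_capture: str, remote_capture: str) -> dict:
    """Queries that left local enc0 but never showed up on remote enc0,
    plus the local queries whose addresses do not match the flow selectors."""
    local = parse_queries(local_capture)
    remote_keys = {q.key() for q in parse_queries(remote_capture)}
    return {
        "sent": len(local),
        "missing": [q for q in local if q.key() not in remote_keys],
        "outside_flow": [q for q in local if not q.inside_flow()],
    }


# Constructed sample captures (not real traffic). The laptop side shows one
# query from dig (txid 22222), the A/AAAA pair a resolver library would send
# (11111/11112) and one query sourced from an address outside the flow.
LAPTOP_ENC0 = """\
12:00:01.000100 (authentic,confidential): SPI 0x0a1b2c3d: 192.168.19.3.4563 > 192.168.16.2.53: 22222+ A? www_lan.foo.bar. (33)
12:00:05.000100 (authentic,confidential): SPI 0x0a1b2c3d: 192.168.19.3.7001 > 192.168.16.2.53: 11111+ A? www_lan.foo.bar. (33)
12:00:05.000200 (authentic,confidential): SPI 0x0a1b2c3d: 192.168.19.3.7001 > 192.168.16.2.53: 11112+ AAAA? www_lan.foo.bar. (33)
12:00:09.000100 (authentic,confidential): SPI 0x0a1b2c3d: 10.0.0.5.7002 > 192.168.16.2.53: 33333+ A? www_lan.foo.bar. (33)
"""
SERVER_ENC0 = """\
12:00:01.000300 (authentic,confidential): SPI 0x0a1b2c3d: 192.168.19.3.4563 > 192.168.16.2.53: 22222+ A? www_lan.foo.bar. (33)
12:00:01.000500 (authentic,confidential): SPI 0x1d2c3b4a: 192.168.16.2.53 > 192.168.19.3.4563: 22222 1/0/0 A 192.168.16.10 (49)
"""

if __name__ == "__main__":
    result = compare_captures(LAPTOP_ENC0, SERVER_ENC0)
    print(f"{result['sent']} queries sent, {len(result['missing'])} never seen remotely")
    for q in result["missing"]:
        note = "" if q.inside_flow() else "  <- src/dst outside the ike flow selectors"
        print(f"  {q.ts} txid={q.txid} {q.qtype} {q.qname} from {q.src}{note}")
```

Run `tcpdump -n -i enc0 port 53` on both endpoints during a `host` lookup and a `ping` of the same name, then feed the two outputs to `compare_captures`. Queries listed as missing but inside the flow point at the tunnel or the far side; queries outside the flow never enter the tunnel in the first place and would have to be chased on the physical interface instead.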