IPSEC DNS VPN does not work

Good day.

I have an issue with the macOS native VPN client.

As the VPN gateway I use a Cisco ASA.

I connected to the VPN, but macOS uses the local provider's DNS as primary.

Output of cat /etc/resolv.conf:

# This file is automatically generated.
#
nameserver 8.8.8.8


scutil --dns

resolver #1
nameserver[0] : 8.8.8.8
if_index : 8 (en0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

resolver #2
nameserver[0] : 10.1.1.1 (my internal DNS)
if_index : 17 (utun1)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)


If I send a request like

dig ya.ru @10.1.1.1

; <<>> DiG 9.9.7-P3 <<>> ya.ru @10.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32511
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ya.ru. IN A

;; ANSWER SECTION:
ya.ru. 157 IN A 87.250.250.242

;; Query time: 50 msec
;; SERVER: 10.1.1.1#53(10.1.1.1)
;; WHEN: Wed Jan 10 18:58:13 MSK 2018
;; MSG SIZE rcvd: 50


it answers correctly, so the main question is why macOS uses the local DNS instead of the DNS from the VPN.


P.S. If I set the DNS manually in the macOS client settings, it does not work the same way.

P.P.S. If I use Ubuntu with the vpnc client (IPsec/IKEv1), it works fine.

I have an issue with the macOS native VPN client.

Alas, you’re asking for help in the wrong place. DevForums is a place to discuss developer-level issues, like Apple’s developer tools and the APIs in our various platform SDKs. It’s not the best place to seek user-level help, even when the issue is really complex like this one. You should repost your question over on the Apple Support Communities, run by AppleCare. Alternatively, you can escalate this via an official AppleCare support channel [1].

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Normal AppleCare support channels can’t help you with on-the-wire VPN compatibility issues, but AppleCare offers a variety of paid-for support options that do. I don’t work for AppleCare, and thus am not able to discuss those options in detail, but I figured you might find the following links useful:
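A note on reading the output quoted in the question, with an added example (not code from this thread, from Apple, or from the poster). `dig ya.ru @10.1.1.1` forces the server, so it only proves that 10.1.1.1 is reachable through the tunnel. A plain `dig` reads /etc/resolv.conf, which macOS generates from the default (unscoped) resolver, here 8.8.8.8; and applications that go through the system resolver use the list `scutil --dns` prints, where an entry flagged "Scoped" serves only lookups explicitly bound to that interface. A VPN nameserver that appears only as a scoped entry on utun1 therefore never sees ordinary lookups unless it is also in the unscoped section, either as the default resolver or as a supplemental resolver with a match domain (split DNS). The script below parses `scutil --dns` output and reports which of those states the machine is in. The sample texts are constructed to mirror the question, the "utun" interface prefix is an assumption, and the unscoped block in the first sample is assumed from the posted resolv.conf, not copied from the post.

```python
"""Check from `scutil --dns` output whether a VPN-pushed nameserver is actually
used for ordinary lookups. Added example for this thread, not the poster's or
Apple's code. The samples are constructed to mirror the question; the VPN
interface prefix "utun" is an assumption.  Use:  scutil --dns | python3 this.py"""
import re
import sys
from dataclasses import dataclass, field

# Constructed: the poster's two scoped resolvers plus the unscoped block that
# /etc/resolv.conf (and therefore a plain `dig`) is generated from.
SAMPLE_POSTED = """\
DNS configuration

resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 8 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 8 (en0)
  flags    : Scoped, Request A records

resolver #2
  nameserver[0] : 10.1.1.1
  if_index : 17 (utun1)
  flags    : Scoped, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)
"""
# Constructed: same tunnel, but the gateway also pushed a split-DNS match domain,
# which macOS lists as a supplemental resolver in the unscoped section.
SAMPLE_SPLIT = SAMPLE_POSTED.replace("DNS configuration (for scoped", """\
resolver #2
  domain   : corp.example
  nameserver[0] : 10.1.1.1
  if_index : 17 (utun1)
  flags    : Supplemental, Request A records

DNS configuration (for scoped""")

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
FIELD_RE = re.compile(r"^([A-Za-z_ ]+?)(?:\[\d+\])?\s*:\s*(.*)$")

@dataclass
class Resolver:
    scoped_section: bool                    # listed under "(for scoped queries)"
    nameservers: list = field(default_factory=list)
    match_domain: str = ""                  # "domain :" => only names under it use this resolver
    interface: str = ""
    flags: str = ""

    def is_scoped(self) -> bool:
        # A scoped resolver only serves lookups explicitly bound to its interface.
        return self.scoped_section or "Scoped" in self.flags

def parse_scutil_dns(text: str) -> list:
    resolvers, in_scoped, cur = [], False, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("DNS configuration"):
            in_scoped = "scoped" in line.lower()
        elif RESOLVER_RE.match(line):
            cur = Resolver(scoped_section=in_scoped)
            resolvers.append(cur)
        elif cur and (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "nameserver":
                cur.nameservers.append(value)
            elif key == "domain":
                cur.match_domain = value
            elif key == "if_index":
                im = re.search(r"\((\S+)\)", value)    # "17 (utun1)" -> "utun1"
                cur.interface = im.group(1) if im else value
            elif key == "flags":
                cur.flags = value
    return resolvers

def vpn_dns_report(text: str, vpn_if_prefix: str = "utun") -> dict:
    """Where do ordinary lookups go, and does the tunnel's nameserver ever see them?"""
    rs = parse_scutil_dns(text)
    unscoped = [r for r in rs if not r.is_scoped()]
    default_ns = [ns for r in unscoped if not r.match_domain for ns in r.nameservers]
    vpn_ns = sorted({ns for r in rs if r.interface.startswith(vpn_if_prefix)
                     for ns in r.nameservers})
    split = sorted({r.match_domain for r in unscoped
                    if r.match_domain and set(r.nameservers) & set(vpn_ns)})
    vpn_is_default = any(ns in vpn_ns for ns in default_ns)
    return {
        "default_nameservers": default_ns,      # what /etc/resolv.conf and plain `dig` use
        "vpn_nameservers": vpn_ns,
        "split_dns_domains": split,             # suffixes that do reach the VPN resolver
        "vpn_dns_is_default": vpn_is_default,
        "general_lookups_bypass_vpn_dns": bool(vpn_ns) and not vpn_is_default,
    }

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POSTED
    for key, val in vpn_dns_report(text).items():
        print(f"{key:32} {val}")
```

On the configuration quoted in the question this reports `general_lookups_bypass_vpn_dns` as true with no split-DNS domains, which is exactly the symptom described: the tunnel's resolver answers when addressed directly, but nothing routes ordinary lookups to it. To exercise the system resolver path itself rather than dig's own, query with `dscacheutil -q host -a name ya.ru` and compare the address with the `dig ... @10.1.1.1` answer.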
