DNS via IKEv2 on iOS

Hello friends,

I have a configured IKEv2 server running on my 3011, to which I connect remotely from an iOS device, and it grants me links to several internal networks and other VPNs.
Now my question is: how can I make sure iOS uses the static-dns from the IPsec mode config?

[admin@MikroTik-RB3011] /ip ipsec mode-config> print
Flags: * - default, R - responder 
 0 *  name="request-only" responder=no 

 1  R name="ikev2-config" system-dns=no static-dns=192.168.1.250 
      address=192.168.200.199 address-prefix-length=32 
      split-include=192.168.0.0/1

[admin@MikroTik-RB3011] /ip dns> print
                      servers: 1.1.1.1,208.67.222.222
              dynamic-servers: 
        allow-remote-requests: yes

For now it seems that no requests are going into the router itself.
Nor can I connect to internal devices via their FQDN, which is in the router’s static DNS. Only via IP…

Hey,

Here is a quote from the IPsec wiki:

Both Apple macOS and iOS will use the DNS servers from system-dns and static-dns parameters only when 0.0.0.0/0 split-include is used.

I cannot say whether iOS / macOS supports INTERNAL_IP4_DNS / INTERNAL_IP6_DNS alone, but it does work for me when used together with INTERNAL_DNS_DOMAIN via a strongSwan responder.

I suggest running an IKEv2 responder elsewhere (or containerizing one) using other software, as RouterOS’s implementation based on mode config is dated.
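
Added example, not part of either post and not code from RouterOS or strongSwan: a small Python decoder for the IKEv2 configuration attributes named in the reply (INTERNAL_IP4_DNS, INTERNAL_DNS_DOMAIN), useful for checking what a responder actually put in its CFG_REPLY once you have the decrypted attribute bytes from a debug log. The attribute numbers come from RFC 7296 and RFC 8598; the sample bytes are constructed, and the domain `lan.example` is a made-up placeholder.

```python
import ipaddress
import struct

# Attribute types from RFC 7296 section 3.15.1 and RFC 8598.
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
              3: "INTERNAL_IP4_DNS", 10: "INTERNAL_IP6_DNS",
              13: "INTERNAL_IP4_SUBNET", 25: "INTERNAL_DNS_DOMAIN"}

def encode_attr(attr_type, value=b""):
    """Build one attribute: reserved bit + 15-bit type, 16-bit length, value."""
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value

def decode_value(attr_type, value):
    """Render a value by type; unknown or odd-sized values stay as hex."""
    if attr_type in (1, 2, 3) and len(value) == 4:
        return str(ipaddress.IPv4Address(value))
    if attr_type == 10 and len(value) == 16:
        return str(ipaddress.IPv6Address(value))
    if attr_type == 13 and len(value) == 8:  # address followed by netmask
        addr, mask = (ipaddress.IPv4Address(value[i:i + 4]) for i in (0, 4))
        return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    if attr_type == 25:  # domain in DNS presentation format
        return value.decode("ascii", errors="replace")
    return value.hex()

def parse_attrs(data):
    """Walk the attribute list of a CP payload body (after the CFG type header)."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("attribute length overruns payload")
        attr_type = raw_type & 0x7FFF
        attrs.append((ATTR_NAMES.get(attr_type, f"UNKNOWN_{attr_type}"),
                      decode_value(attr_type, data[off:off + length])))
        off += length
    return attrs

# Constructed sample: addresses from the thread, domain name is made up.
SAMPLE = b"".join([
    encode_attr(1, ipaddress.IPv4Address("192.168.200.199").packed),
    encode_attr(3, ipaddress.IPv4Address("192.168.1.250").packed),
    encode_attr(25, b"lan.example"),
])

if __name__ == "__main__":
    for name, value in parse_attrs(SAMPLE):
        print(f"{name:22} {value}")
```

If INTERNAL_IP4_DNS is present in the reply but the client still resolves elsewhere, the problem is on the client's policy side (the split-include behaviour quoted above), not in what the responder sent.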