RW IKEv2 with RSA - DNS not resolving

dmelnik · May 15, 2018, 9:19am

The setup:
Followed the setup example @ https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=rw-conf static-dns=8.8.8.8,1.1.1.1 system-dns=no

Problem:
I am establishing successfull connection to my router via ikev2 VPN with the generated certificate, but i can’t access any websites. I do have ping to the IP of the domain and
traceroute goes through as it should, but the dns is not resolving.

Example:
When VPN is active and connected
Pinging x.x.x.x with 32 bytes of data:
Reply from x.x.x.x: bytes=32 time=12ms TTL=60

Tracing route to x.x.x.x over a maximum of 30 hops

1 8 ms 7 ms 8 ms def-gateaway x.x.x.x
2 12 ms 42 ms 12 ms ips x.x.x.x
3 13 ms 12 ms 13 ms 178.132.83.58
4 * 13 ms * 178.132.83.58
5 12 ms 12 ms 12 ms 78.128.126.162
6 12 ms 13 ms 12 ms destination x.x.x.x

In Chrome:
DNS_PROBE_FINISHED_NO_INTERNET

Why the dns isn’t resolving the domain?

sindy · May 15, 2018, 7:22pm

can you ping 8.8.8.8 and 1.1.1.1 from the client?

dmelnik · May 17, 2018, 6:21am

Yes, no problem pinging addresses.

sindy · May 17, 2018, 6:58am

Weird. Can you try all of the following and post the results?

use only one DNS server address in the mode-config settings
change system-dns in mode-config to yes and remove the server addresses from static-dns completely as the system (RouterOS) servers are the same like the ones you want to push to the clients
set system-dns=no and configure server IPs different from the system ones, like static-dns=8.8.4.4,9.9.9.9

dmelnik · May 17, 2018, 7:28am

Great, it worked! So is the problem that im using multiple DNS servers for IPSec or the DNS server matches the system DNS server? Is it a known issue or exception in my config?
Than you so much!

sindy · May 17, 2018, 8:28am

I don’t know the answers to your questions because you haven’t provided the result for each of the individual variants I’ve suggested.

To make it a support case, it is necessary to have these individual results, as mere “it worked” does not reveal what is actually wrong.