I have set up a VPN to an Azure IKEv2 gateway following instructions from these sites:
I had originally used the StrongSwan GUI version, but after checking I found that none of the configuration mentioned in the CLI version had been completed, so I worked through the CLI version. When I start the VPN I get no errors, and I can see logs in syslog that indicate the connection is set up. When I browse to a page that I need the connection for, I get an error page stating DNS error. It has connected on more than one occasion and I have used the page, but then if I turn it off and start it up again it does not work. I haven't found a pattern for it working yet, and it seems to be genuinely random.
I am on Ubuntu Linux
inxi -S
System: Host: lg-MS-7A71 Kernel: 4.15.0-51-lowlatency x86_64 bits: 64 Desktop: Gnome 3.28.3
Distro: Ubuntu 18.04.2 LTS
inxi -i
Network: Card: Realtek RTL8111/8168/8411 PCIE Gigabit Ethernet Controller driver: r8169
IF: enp3s0 state: down mac: 30:9c:23:61:4b:25
WAN IP: 2.124.241.7
IF: enp3s0 ip-v4: N/A ip-v6-link: N/A
IF: docker0 ip-v4: 172.17.0.1 ip-v6-link: N/A
IF: wlxbcec23c34e3a ip-v4: 192.168.0.20 ip-v6-link: fe80::96fb:6e3b:1233:79dc
Not sure if it is clear from that, but I don't use the on-board network card and instead have a USB Wi-Fi adapter installed.
lshw (irrelevant removed)
*-network:0
description: Wireless interface
physical id: 2
bus info: usb@1:8
logical name: wlxbcec23c34e3a
serial: bc:ec:23:c3:4e:3a
capabilities: ethernet physical wireless
configuration: broadcast=yes driver=rtl88x2bu ip=192.168.0.20 multicast=yes wireless=IEEE 802.11AC
I did try to switch to the on-board network interface, but that wasn't an improvement, so I just kept trying to work on the Wi-Fi.
I have no idea what is wrong here, but the connection is being made, I am sure of it. When viewing the syslog I can see the subnet address I have been given from Azure, which is also listed on the dashboard when I have connected. So it must be connecting, except that if I ping the test address I have, it does not resolve. That leaves the certificates or my configuration/setup. If the certificates were bad I would not connect (I don't think), so what do I need extra on my setup?
It is almost as though the connection is good but the link between my browser and the network doesn't recognise it. Is this possible?
[edit: more info] I have gone through this again with more detailed instructions and I am now sure that I am connecting to the Azure VPN, but I am not getting the DNS servers added:
adding DNS server failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
installing new virtual IP 172.20.20.130
CHILD_SA dv0_vnet{1} established with SPIs cd6f6be2_i 8c59932a_o and TS 172.20.20.130/32 === 10.216.0.0/17 172.20.20.0/24 183.3.0.0/22 183.3.5.128/25 183.3.6.0/25
connection 'dv0_vnet' established successfully
Finally I have figured this out. The last problem I had was a DNS problem setting the DNS server from the Azure gateway. To fix this I had to install resolvconf and configure it for dynamic updates.
I had to:
When that is done I bring up the connection
sudo ipsec up <vpn name as in ipsec.conf>
start the network manager client
and then I can browse to my test site in the VPN.
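
Added example, not part of the original post: a shell check that classifies a strongSwan connection attempt from its log text, flagging the state described above where the tunnel is established but the DNS servers pushed by the gateway were not installed, so names are still resolved by the local resolver or not at all. The function names are hypothetical; the sample lines are copied from the log excerpt in the question.

```shell
#!/bin/sh
# Added example (not the poster's code). Reads strongSwan log lines on stdin
# and prints one of:
#   ok vip=<ip>                                     tunnel up, no DNS errors
#   tunnel-up-dns-missing vip=<ip> failed_dns_attrs=<n>
#   not-established                                 no success line seen
classify_vpn_log() {
    awk '
        /handling INTERNAL_IP4_DNS attribute failed/ { dns_fail++ }
        /installing new virtual IP/                  { vip = $NF }
        /established successfully/                   { up = 1 }
        END {
            if (!up) { print "not-established"; exit }
            if (dns_fail > 0) {
                print "tunnel-up-dns-missing vip=" vip " failed_dns_attrs=" dns_fail
                exit
            }
            print "ok vip=" vip
        }'
}

# Sample input: the log excerpt quoted in the question, embedded so the
# check runs offline.
sample_log() {
    cat <<'EOF'
adding DNS server failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
installing new virtual IP 172.20.20.130
CHILD_SA dv0_vnet{1} established with SPIs cd6f6be2_i 8c59932a_o and TS 172.20.20.130/32 === 10.216.0.0/17 172.20.20.0/24 183.3.0.0/22 183.3.5.128/25 183.3.6.0/25
connection 'dv0_vnet' established successfully
EOF
}

# Stand-alone run over the embedded sample.
sample_log | classify_vpn_log
```

Against a live system the same function can be fed the output of `sudo ipsec up <vpn name as in ipsec.conf>` or the relevant syslog lines.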