I am troubleshooting DNS issues with Apple products on our corporate network. We are seeing a problem where Windows users can resolve short-name DNS just fine but users on Apple products cannot (iPhone, iPad, Mac). To start I am troubleshooting with a Mac, but I am not seeing any packets go across the VPN when I try to start a Wireshark capture from it. From the ifconfig command I've gathered via IP that the tunnel is being generated off of the interface "utun1". When I start a packet capture off of that interface I see no packets; I've generated traffic by pinging devices on the corporate network, etc., and I am not seeing anything. Similarly, I have tried generating a packet capture off of the en0 interface, which is the interface my Ethernet cord is plugged into. I see plenty of traffic go through, but nothing through the VPN. I can see DNS queries come into the DNS server on our corporate network from my computer when I am attached to the VPN, but my local Wireshark capture does not see packets going out to the DNS server. I was wondering if anyone knows exactly how this works on OS X. Is it possible that everything is being encapsulated before it hits en0 or the VPN interface, and thus no packets are displayed because they are already tunneled? I am running Mac OS X Lion version 10.7.3. Thanks for your help and time!
asked 30 Mar '12, 09:10 PhillSimonds
One Answer:
Are you certain of that? Is there also an interface named, for example,
Again, with Apple's VPN software, the VPN traffic will show up as, for example, ESP traffic on the Ethernet or AirPort interface, so it'll already be encapsulated. I don't know what other VPN software does, but it's probably similar.
answered 30 Mar '12, 13:10 Guy Harris ♦♦
I am seeing this output from the ifconfig command:
utun1: flags=8051<up,pointopoint,running,multicast> mtu 1280 inet 10.105.135.224 --> 10.105.135.224 netmask 0xffffff00
This and en0 are the only two interfaces that show IP addresses on them. I am using Apple's built-in VPN client found under Network Preferences, but it is connecting to a Cisco ASA and using Cisco IPsec as its tunneling protocol. I don't have a ppp interface being displayed under the ifconfig command or in the interface list under Wireshark. I have a p2p0, but as I understand it, that is a completely different tunneling protocol than IPsec.
We resolved the DNS issue, so no further troubleshooting is needed. Thank you for all of your input, hopefully this will help someone else.
Thanks!
I seem to remember that somebody once noted that, on OS X, Cisco VPNs don't make the VPN traffic available for sniffing, so it's fortunate that you were able to debug the problem without a traffic capture. I also seem to remember that the utun devices don't carry the decrypted traffic, just some sort of control traffic, and that the decrypted traffic passes to the IP stack without passing through a pseudo-interface, making it un-sniffable.
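The answer above says the tunnel traffic is already encapsulated by the time it reaches en0, so a capture there shows ESP (or, with NAT traversal, UDP/4500) rather than the DNS queries inside it. The following added example, which is not code from the thread or from Wireshark, shows what a classifier looking at raw IPv4 packets on en0 would make of that traffic: the only DNS it can label is cleartext DNS that never entered the tunnel, while the tunneled query surfaces only as an ESP SPI and sequence number. Packet bytes are constructed inline (addresses, SPIs and the DNS payload are made up); the `ipv4`, `udp`, `classify_ipv4` and `count_labels` names are this example's own. The same idea in a Wireshark display filter is `esp or isakmp or udp.port == 4500`.

```python
import socket
import struct
from collections import Counter

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50   # IPsec ESP carried directly in IP (no NAT in the path)
UDP_ISAKMP = 500    # IKE negotiation
UDP_NAT_T = 4500    # NAT-Traversal: ESP or IKE wrapped in UDP
UDP_DNS = 53


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample; checksum left at zero)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Build a UDP datagram with a zero checksum (constructed sample)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify_ipv4(pkt: bytes) -> str:
    """Label one raw IPv4 packet the way it would appear on a physical interface."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IP_PROTO_ESP:
        # ESP header: SPI then sequence number; everything after is ciphertext.
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp spi=0x{spi:08x} seq={seq}"
    if proto == IP_PROTO_UDP:
        if len(payload) < 8:
            return "truncated"
        sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
        data = payload[8:]
        if UDP_ISAKMP in (sport, dport):
            return "ike"
        if UDP_NAT_T in (sport, dport):
            # RFC 3948: a leading non-ESP marker (four zero bytes) means IKE;
            # a single 0xff byte is a NAT keepalive; otherwise the SPI comes first.
            if data[:4] == b"\x00\x00\x00\x00":
                return "ike-nat-t"
            if data == b"\xff":
                return "nat-keepalive"
            spi = struct.unpack("!I", data[:4])[0]
            return f"esp-udp spi=0x{spi:08x}"
        if UDP_DNS in (sport, dport):
            return "dns-cleartext"
        return f"udp {sport}->{dport}"
    return f"ip-proto-{proto}"


def count_labels(packets) -> Counter:
    """Tally the label prefix (text before the first space) for a capture."""
    return Counter(classify_ipv4(p).split(" ")[0] for p in packets)


# Constructed sample "capture" from en0: a cleartext query to the home router's
# resolver, the same query after the VPN client wrapped it in ESP, IKE traffic
# and a NAT-T keepalive. No inner DNS packet is visible for the tunneled case.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_PACKETS = {
    "dns_local": ipv4(IP_PROTO_UDP, "192.168.1.10", "192.168.1.1", udp(51000, UDP_DNS, DNS_QUERY)),
    "esp_raw": ipv4(IP_PROTO_ESP, "192.168.1.10", "203.0.113.5",
                    struct.pack("!II", 0x1234, 7) + b"\xaa" * 64),
    "esp_nat_t": ipv4(IP_PROTO_UDP, "192.168.1.10", "203.0.113.5",
                      udp(UDP_NAT_T, UDP_NAT_T, struct.pack("!II", 0xDEADBEEF, 8) + b"\xbb" * 64)),
    "ike": ipv4(IP_PROTO_UDP, "192.168.1.10", "203.0.113.5", udp(UDP_ISAKMP, UDP_ISAKMP, b"\x00" * 28)),
    "ike_nat_t": ipv4(IP_PROTO_UDP, "192.168.1.10", "203.0.113.5",
                      udp(UDP_NAT_T, UDP_NAT_T, b"\x00\x00\x00\x00" + b"\x00" * 28)),
    "keepalive": ipv4(IP_PROTO_UDP, "192.168.1.10", "203.0.113.5", udp(UDP_NAT_T, UDP_NAT_T, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:10} -> {classify_ipv4(pkt)}")
    print(count_labels(SAMPLE_PACKETS.values()))
```

Run against a real capture, the tallies tell you which of the three situations you are in: ESP or UDP/4500 counts climbing while you ping across the tunnel confirms the client is encapsulating before en0 (the situation described in the answer); only IKE and keepalives with no ESP suggests the tunnel never came up; cleartext port 53 to the corporate resolver means the query is leaving outside the tunnel.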