
IPSec VPN name resolution issue


analogia22 (IS-IT--Management), Mar 9, 2004
I have a 3Com SS3 FW connected to my T1 Netopia router. I have configured an IPSec-only VPN for users on Win2k/XP to remotely connect with. Win2k users use the SafeNet VPN client and WinXP users use the 3Com IPSec VPN utility (which is a front-end app that uses the WinXP IPSec native components). Everything was working great until yesterday morning. Now VPN users cannot get any name resolution for any LAN node, but IP works fine.
The recent changes that I have done are:
taken down my WINS server, changed the VPN (laptop) users to members of the domain (they were on workgroups before), changed their POP e-mail to use our new Exchange 2003 server instead in Outlook 2003 and replaced Norton Antivirus 2002 with Trend Micro OfficeScan 6.0.
I have since re-installed my WINS server and put in static entries of them in the laptop user's TCP/IP properties. I have also verified that the VPN policy is enabled to allow NetBIOS traffic.
Does anyone have any thoughts? I am baffled.
 
Thanks mattwray for responding.
The clients are looking at their ISP's DNS server, which is what I want. The name resolution should be working by the WINS server passing NetBIOS over the VPN. I don't believe you can have it use the LAN DNS server.
 
Worst case scenario, you can create a script to copy a hosts and lmhosts file to the workstations with all the entries you need. This could be a band-aid for you until you get everything working right.
 
You can, and I would have them use internal DNS. W2k and XP want to use DNS, not WINS, for name resolution. I'm not sure how you made it work before, but you need them to use an internal DNS server that has forwarders to the ISP DNS.

We have a 6 site router-to-router VPN backup to our Frame WAN, and I can attest this not only works fine, but it is the preferred way...

Thanks,

Matt Wray

GFH

 
Mattwray,
Are you saying to statically enter the IP of the internal DNS server into the clients' TCP/IP properties? If so, then the public IP or the private IP?

I thought of this, but someone told me that even if it does work, it will slow things down and it's a cheater's way out.
I am sure there will be a delay, but it's probably in the milliseconds and won't be noticeable by the end user.

Before, we had a domain called "subdomain.company.com" and created an NS record on our public DNS server for that subdomain pointing to the internal DNS server. This was before me and before there was a firewall, so every box had a public IP. Now we have a firewall, a new Win2k3 domain with a domain of company.local.

So what I was considering doing was changing the primary DNS suffix on the DHCP scope and all of the boxes here with static IPs to the old "subdomain.company.com" and then have company.local be the secondary DNS suffix. So when they're connected via VPN and they try to access a host name and not the FQDN, it will automatically search for that host name with "subdomain.company.com" appended to it.
I tried to do this yesterday during production without thinking it through and jacked everything up. I changed everything back. I still think it will work I am just not sure as to how to create the NS record.
Thoughts?
 
You would configure the DNS servers either through DHCP or statically.

If you have DC's at each site, install DNS and configure it to be AD-integrated. This will make each DC a DNS server for each site. They will all have the same zone information, and will replicate it along with your Domain info. This takes little overhead, and it is not cheating [?], though I am unsure what cheating would be in Network Administration.

You pretty much lost me on the second part; please clarify if need be. Try going through the above and post back.

Thanks,

Matt Wray

GFH

 
"Before, we had a domain called "subdomain.company.com" and created an NS record on our public DNS server for that subdomain pointing to the internal DNS server. This was before me and before there was a firewall, so every box had a public IP"... and all those public IPs were probably zone transferred to your PUBLIC DNS SERVER.

The "primary DNS suffix on the DHCP scope" should ONLY be your INTERNAL DNS (.local). You don't use any secondary because when your clients are away they aren't getting your DHCP anyway...

As part of the change to being members of a domain the hosts file changed or they are no longer pointing to your WINS server (look for a hosts.bak or lmhosts.bak to confirm this.) You can use a hosts file but getting the internal DNS forwarded is preferred.

You can ping by IP all around, I expect, but by name fails, so check if the remote clients are being registered in the DNS server when they are away. From the server, can you ping them by name?

I am not familiar with the 3Com FW, but I am intimately aware of Symantec products. There is a setting that must be turned on to pass DNS info to FW VPN clients. Does 3Com have this?

Alex
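The thread's three competing ideas (clients pointed at the ISP's DNS, the DNS suffix search list plan above, and a pushed hosts/lmhosts file) can be walked through with a small model of how a Windows client resolves an unqualified name. This is an added example, not code from the thread; every zone, suffix and hosts entry in it is constructed.

```python
# Added example, not from the thread: a small model of how a Windows client
# resolves an unqualified name. The resolver the VPN client points at (ISP vs.
# internal), the DNS suffix search list, and a pushed hosts file decide the
# outcome. Every zone, suffix and hosts entry here is constructed.

INTERNAL_DNS = {                      # constructed view of the company's DNS
    "fileserver.company.local": "10.0.0.20",
    "fileserver.subdomain.company.com": "10.0.0.20",
    "mail.company.local": "10.0.0.25",
}
ISP_DNS = {"www.company.com": "203.0.113.10"}   # constructed public-only view

HOSTS_FILE = """# constructed hosts file pushed to a laptop
10.0.0.20   fileserver
10.0.0.25   mail   mail.company.local
"""

def parse_hosts(text):
    """Return {name: ip} from hosts-file text; comments and blank lines skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            for name in names:
                table[name.lower()] = ip
    return table

def candidates(name, suffixes):
    """FQDNs tried for NAME, in order; a dotted name is queried as given."""
    if name.endswith("."):           # trailing dot: no suffixes at all
        return [name.rstrip(".")]
    if "." in name:
        return [name]
    return [f"{name}.{s}" for s in suffixes]

def resolve(name, suffixes, dns_view, hosts_text=""):
    """Hosts file first (Windows checks it before DNS), then DNS with the
    suffix search list. Returns (ip, source) or (None, 'unresolved')."""
    hosts = parse_hosts(hosts_text)
    if name.lower() in hosts:
        return hosts[name.lower()], "hosts"
    for fqdn in candidates(name, suffixes):
        if fqdn.lower() in dns_view:
            return dns_view[fqdn.lower()], "dns:" + fqdn
    return None, "unresolved"

if __name__ == "__main__":   # the thread's case: same name, three client setups
    print(resolve("fileserver", ["company.local"], ISP_DNS))
    print(resolve("fileserver", ["company.local"], INTERNAL_DNS))
    print(resolve("fileserver", ["company.local"], ISP_DNS, HOSTS_FILE))
```

With the ISP resolver the short name is unresolvable however the suffix list is set, which is the symptom in the first post; pointing the client at the internal DNS or pushing a hosts file both make it resolve, as the replies suggest.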

 
The 3Com firewall does have an option to pass DNS info to FW VPN clients. However, this is good only if you're using an L2TP connection, which I am not. IPSec alone (which is what I'm currently using) does not give the VPN client an IP address on the LAN, and so it cannot retrieve those DHCP/DNS settings from the firewall. So the VPN client is stuck with the DHCP/DNS settings it gets from the ISP wherever they are (which could be anywhere). I tried an L2TP/IPSec VPN connection initially and found that none of the home DSL/cable firewalls/routers the users had could support L2TP pass-through, even though the manufacturers claimed that they could.

So I had to resort to an IPSec only group VPN connection. This only uses a shared secret and does not require any user authentication (something that I'm actively looking to replace).

Please let me know of any ideas for this.

I've considered putting some low-end box in the DMZ and using the Windows 2000 Server native VPN service and having it authenticate users to the PDC Emulator on the LAN. I haven't really looked into this all that much though. I'm not sure how much $ it would be to get MS ISA Server which would work great probably.

So with all of this said, do you still think that I should statically have each VPN client use my internal DNS server for any connection that they may have, whether they're connected via VPN or not? I.e., they will use the ISP's DHCP from wherever they are to get an IP but will always use our internal DNS server for name resolution, overriding the ISP's DNS server.
 