871 ezvpn and 3015 vpn concentrator

Unanswered Question
Mar 13th, 2007

I have an ezvpn connection setup on an 871 router with a vpn 3015 as the server. I'm using the same group name and shared key that is used by software vpn clients so I know the tunneled networks and split dns are configured correctly on the concentrator. The tunnel comes up fine and passes traffic. I'm having issues with DNS. The concentrator is pushing the defined DNS servers to the router in the ip dns view ezvpn-internal-view as below:

    ip dns view ezvpn-internal-view
     domain name-server <removed>
     domain name-server <removed>

I have attached the config. All DNS queries appear to be passed to the DSL modem on the WAN side of the router. Since the WAN interface is assigned its IP address by the DSL modem I understand that, but I'm not sure why the split DNS isn't working.
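Added illustration, not the poster's attached config: for the view that EZVPN builds from the concentrator's push to be consulted at all, the LAN hosts have to send their queries to the 871 itself and the router has to act as a DNS proxy; if the hosts are handed the resolver learned from the DSL modem, every query bypasses the router. The LAN addressing (192.168.1.0/24 with Vlan1 at 192.168.1.1) and the pool name are assumptions.

```text
! Assumed LAN: 192.168.1.0/24, Vlan1 = 192.168.1.1 (not from the post)

! Before: the pool imports the DNS server from the WAN DHCP lease, so hosts
! resolve directly against the ISP and ezvpn-internal-view is never used.
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 import all

! After: the router answers DNS for the LAN and forwards matching internal
! names through the tunnel using the view EZVPN created from the push.
ip dns server
ip domain lookup
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1

! Verification from enable mode: the view should list the pushed servers,
! and the EZVPN-created view list / name list should tie the split-DNS
! domains to that view.
show ip dns view
show ip dns view-list
show ip dns name-list
```

After the change, a packet capture on the WAN side should only show queries for non-tunneled domains leaving toward the ISP resolver.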

tsmarcyes Tue, 03/13/2007 - 10:23


I'm not sure about your question, but I'm having a problem with the same setup that you have. I have an 871 and 3000. My 871 config looks almost the same as yours, however, I didn't see your NAT statement, just the ip nat inside and ip nat outside. Where is the rest of the NAT config? Are you able to ping addresses at your headend from your vlan1? Could you tell me how you set up your 3000? Obviously the group and users are pretty basic. I'm talking more about your IKE policies and IPsec protocols.

David Niemann Tue, 03/13/2007 - 11:54

I basically used the same group name and key as my software clients so that the hardware client "should" receive the same settings. Everything works fine except for DNS. I can ping things by IP and I get the proper split tunneling network list and DNS server settings from the concentrator. As for the IKE and IPsec policies, I'm using ESP-3DES-MD5 for the IPsec SA and IKE-3DES-MD5 for IKE.

tsmarcyes Tue, 03/13/2007 - 21:51

Yea, I did basically the same thing, but for some reason my hosts can't ping any other hosts on the other side of the tunnel. The loopback gets an IP from the concentrator and if you do an extended ping from that loopback, it works just fine. It just doesn't work from any of the hosts or the vlan1 interface. Did you have to do any special route or anything to route your hosts' packets across the tunnel?

tsmarcyes Tue, 03/13/2007 - 21:54

Yea, I did the same thing but for some reason, I can't ping from any of my hosts or even the vlan1 interface. The loopback gets an IP from the concentrator and the tunnel comes up just fine. If I do an extended ping from the loopback, the ping works just fine. Just not from any of my hosts or the vlan1 interface. Did you have to do any special route or anything?

David Niemann Wed, 03/14/2007 - 05:09

Nope, my config is as you see attached above. Are you sure all your routes on your internal network are set up for the concentrator assigned IPs? If the IPs the clients receive aren't part of your internal network you will have to have some routes for the concentrator pool pointing to the inside interface of the concentrator. That's why I used the same group name and shared key that my software clients use so that I would not have to add routes for IPs.

tsmarcyes Wed, 03/14/2007 - 19:27

Yea... like I said, the IP I do get from the concentrator goes to the loopback, and I can ping from there just fine. It's just any hosts or the vlan1 interface.
