871 ezvpn and 3015 vpn concentrator

David Niemann
Level 3

I have an ezvpn connection setup on an 871 router with a vpn 3015 as the server. I'm using the same group name and shared key that is used by software vpn clients so I know the tunneled networks and split dns are configured correctly on the concentrator. The tunnel comes up fine and passes traffic. I'm having issues with DNS. The concentrator is pushing the defined DNS servers to the router in the ip dns view ezvpn-internal-view as below:

ip dns view ezvpn-internal-view
 domain name-server <removed>
 domain name-server <removed>

I have attached the config. All DNS queries appear to be passed to the DSL modem on the WAN side of the router. Since the WAN interface is assigned its IP address by the DSL modem I understand that, but I'm not sure why the split DNS isn't working.
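For reference, the remote-side configuration the post above describes, written out as an added example. This is not the attached config or Cisco's own text; the profile name HQ, the group name, peer address, interface names, the 192.168.10.0/24 LAN and the corp.example domain are placeholders, and the explicit ip dns view-list at the end is an assumption to be checked against the IOS release on the 871 (the view itself is pushed by the concentrator).

```cisco
! Added example, not the poster's attached config. Group name, key, peer
! address, interface names and the internal domain are placeholders.
crypto ipsec client ezvpn HQ
 connect auto
 group SW-CLIENT-GROUP key <shared-key>
 mode client
 peer 203.0.113.10
 xauth userid mode interactive
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 crypto ipsec client ezvpn HQ inside
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 crypto ipsec client ezvpn HQ
!
! Internet-bound traffic from the LAN is PATed to the WAN address; traffic
! matching the split-tunnel list pushed by the concentrator takes the tunnel.
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.10.0 0.0.0.255
!
! Split DNS only applies to queries the router answers itself. Hosts that
! resolve against the DSL modem (or the ISP servers learned over DHCP) never
! touch the pushed view, which matches the symptom in the post.
ip dns server
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
! The concentrator installs "ip dns view ezvpn-internal-view" with the pushed
! servers. This explicit view list (assumed; verify for your release) sends
! names under the internal domain to that view and everything else to the
! default view, i.e. the ISP resolvers. The name-list pattern is a regex.
ip dns name-list 1 permit .*\.corp\.example
ip dns view-list SPLIT
 view ezvpn-internal-view 10
  restrict name-group 1
 view default 20
ip dns server view-group SPLIT
```

The point of the DHCP pool and `ip dns server` lines is that the pushed view is consulted only when the router itself is the resolver the LAN hosts talk to; if the hosts are handed the modem's address as their DNS server, every query bypasses the view and goes out the WAN exactly as described.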

6 Replies

tsmarcyes
Level 1

David,

I'm not sure about your question, but I'm having a problem with the same setup that you have. I have an 871 and 3000. My 871 config looks almost the same as yours; however, I didn't see your NAT statement, just the ip nat inside and ip nat outside. Where is the rest of the NAT config? Are you able to ping addresses at your headend from your vlan1? Could you tell me how you set up your 3000? Obviously the group and users are pretty basic. I'm talking more about your IKE policies and IPsec protocols.

I basically used the same group name and key as my software clients so that the hardware client "should" receive the same settings. Everything works fine except for DNS. I can ping things by IP and I get the proper split tunneling network list and DNS server settings from the concentrator. As for the IKE and IPsec policies, I'm using ESP-3DES-MD5 for the IPsec SA and IKE-3DES-MD5 for IKE.

Yeah, I did basically the same thing, but for some reason my hosts can't ping any other hosts on the other side of the tunnel. The loopback gets an IP from the concentrator and if you do an extended ping from that loopback, it works just fine. It just doesn't work from any of the hosts or the vlan1 interface. Did you have to do any special route or anything to route your hosts' packets across the tunnel?

Yeah, I did the same thing but for some reason, I can't ping from any of my hosts or even the vlan1 interface. The loopback gets an IP from the concentrator and the tunnel comes up just fine. If I do an extended ping from the loopback, the ping works just fine. Just not from any of my hosts or the vlan1 interface. Did you have to do any special route or anything?

Nope, my config is as you see attached above. Are you sure all your routes on your internal network are set up for the concentrator assigned IPs? If the IPs the clients receive aren't part of your internal network you will have to have some routes for the concentrator pool pointing to the inside interface of the concentrator. That's why I used the same group name and shared key that my software clients use so that I would not have to add routes for IPs.
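The checks a practitioner would run on the 871 for the symptom tsmarcyes describes (extended ping from the loopback works, pings from LAN hosts and Vlan1 do not), as an added example rather than anything from the thread's attached config. The profile name HQ and the interface names are assumptions.

```cisco
! Added example: checks for the "loopback can ping, hosts cannot" case.
! Profile name HQ and interface names are placeholders.

! 1. Is the tunnel up, in client mode, and which networks does it cover?
!    Look for "Current State: IPSEC_ACTIVE", the assigned address, the
!    "Inside interface list" and the split-tunnel list. A headend host
!    outside that list is sent clear-text out the WAN, not via the tunnel.
show crypto ipsec client ezvpn

! 2. Is Vlan1 bound as the EZVPN inside interface? In client mode the router
!    PATs LAN hosts to the concentrator-assigned (loopback) address; without
!    the "inside" binding, host traffic is never matched and only traffic
!    sourced from the loopback itself crosses the tunnel.
show running-config interface Vlan1
!    expected line:  crypto ipsec client ezvpn HQ inside

! 3. Does host traffic actually get translated to the assigned address?
!    Ping a headend host from a LAN PC, then look for an entry whose
!    "Inside global" address is the loopback address.
show ip nat translations

! 4. Are the pushed split-DNS servers installed, and which view answers
!    a given query? (debug domain is noisy; turn it off afterwards.)
show ip dns view
debug domain
```

If step 2 shows no inside binding, the extended-ping result is exactly what you would expect: the loopback is the only source address the tunnel policy ever sees.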

Yeah... like I said, the IP I do get from the concentrator goes to the loopback, and I can ping from there just fine. It's just any hosts or the vlan1 interface.
