Router Site to Site VPN

Answered Question
May 8th, 2007

I have been working on setting up a Site to Site VPN. While I can get the tunnel set up and am able to ping across the tunnel, I am unable to use the DNS server from the remote side of the tunnel. I can ping the server and otherwise access it via TCP/IP, but if I try to use nslookup or ping it by name it will not resolve over the IPSEC configuration. I have tried adding the domain information to the PC DNS configuration and I can then ping the server by name, but nslookup is still unusable. I have also tried using the Easy VPN server / client method on the routers. I am able to use the VPN client on a PC and initiate a connection from (the Internet) and I will get DNS information from the primary site and all is fine. But using the router client on the other side I cannot resolve DNS over the connection. Here is a brief config example.

Router A - Main Site

Internal LAN - 172.16.1.x

Router B - Site B

Internal LAN - 172.16.3.x

I have been able to ping across the subnets but internal DNS resolution isn't working for me. I can post more detailed configs if necessary.

Thanks

Richard Burts Tue, 05/08/2007 - 13:27

Dwane

It is difficult to diagnose the problem from the information given. My guess based on the information available is that the DNS request (or perhaps the DNS response) may not be sent through the VPN. If you would post the VPN configuration (especially including the access lists used to identify traffic to be protected by IPSec) it might be helpful.

HTH

Rick

carrollecc Wed, 05/09/2007 - 03:30

I have been working with a GRE IPSEC tunnel since my post. This has allowed DNS traffic to pass correctly and for the most part it is working as planned. However, when I use SDM to test the tunnel I am presented with a failure reason that a ping with the data size of this VPN interface MTU and the 'Do not fragment' bit set to the other end VPN device is failing. I have tried the crypto ipsec df-bit clear command under the applicable tunnels. This is currently on my bench with just an Ethernet cable from the WAN port of one router going into the other, so its suggestion of calling my ISP administrator isn't really applicable. Any suggestions? Also, can I run an ezvpn server on this router at the same time so I can support external ezvpn clients?

Thanks

Dwane

Richard Burts Wed, 05/09/2007 - 05:14

Dwane

If DNS did not work on an IPSec tunnel and does work on a GRE/IPSec tunnel it would be consistent with my theory that the access list which identified traffic for IPSec was not properly including the DNS traffic.

Since GRE and IPSec both add extra headers to the IP packet it is normal that ping would fail if set to DF and packet size matching the interface MTU.

HTH

Rick
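
Rick's two points above (the crypto access list deciding which traffic gets IPsec protection, and GRE plus ESP overhead making a full-MTU DF ping fail) can be checked with a small script. The following is an added illustration, not code from the thread or from Cisco: it matches sample packets against a Cisco-style crypto ACL using wildcard masks, and computes the encapsulated size of a packet after GRE and ESP tunnel mode. The LAN ranges come from the thread; the DNS server address 172.16.1.10, the AES-CBC / HMAC-SHA1-96 transform, and the simplified ACL grammar are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing, matching the thread: Router A LAN 172.16.1.0/24,
# Router B LAN 172.16.3.0/24. The DNS server address itself is an assumption.
SITE_A_DNS = "172.16.1.10"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "udp", "tcp", "gre"
    dport: Optional[int] = None


def in_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str) -> dict:
    """Parse one extended-ACL entry of the kind referenced by a crypto map, e.g.
    'permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255' or
    'permit udp 172.16.3.0 0.0.0.255 host 172.16.1.10 eq 53'.
    Only 'any', 'host X', 'X WILDCARD' address forms and a trailing destination
    'eq PORT' are handled; this is a deliberate simplification of the IOS grammar."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    pos = 2

    def take_addr(i: int):
        if toks[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if toks[i] == "host":
            return (toks[i + 1], "0.0.0.0"), i + 2
        return (toks[i], toks[i + 1]), i + 2

    src, pos = take_addr(pos)
    dst, pos = take_addr(pos)
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        dport = int(toks[pos + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def is_interesting(pkt: Packet, acl: list) -> bool:
    """First matching entry decides. The implicit deny at the end means traffic no
    entry covers is never offered to IPsec, which is exactly how a ping can cross
    the tunnel while a DNS query to the same host does not."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not in_wildcard(pkt.src, *ace["src"]):
            continue
        if not in_wildcard(pkt.dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"] == "permit"
    return False


def gre_ipsec_size(inner_len: int, block: int = 16, iv: int = 16, icv: int = 12) -> int:
    """On-the-wire size of an inner IP packet after GRE and then ESP tunnel mode.
    Defaults assume AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV)
    and a GRE header without key/sequence options (4 bytes) plus its 20-byte
    delivery IP header."""
    gre_len = inner_len + 4 + 20
    plaintext = gre_len + 2                      # ESP trailer: pad length + next header
    padded = -(-plaintext // block) * block      # round up to the cipher block size
    return 20 + 8 + iv + padded + icv            # outer IP + SPI/seq + IV + data + ICV


def max_inner_size(link_mtu: int = 1500, **kw) -> int:
    """Largest inner packet that still fits the link MTU once encapsulated, i.e.
    the largest DF-marked ping that can cross the tunnel without fragmentation."""
    size = link_mtu
    while gre_ipsec_size(size, **kw) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    icmp_only = [parse_ace("permit icmp 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255")]
    whole_lan = [parse_ace("permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255")]
    ping = Packet("172.16.3.5", SITE_A_DNS, "icmp")
    query = Packet("172.16.3.5", SITE_A_DNS, "udp", 53)
    print("icmp-only ACL: ping", is_interesting(ping, icmp_only), "dns", is_interesting(query, icmp_only))
    print("subnet ACL:    ping", is_interesting(ping, whole_lan), "dns", is_interesting(query, whole_lan))
    print("1500-byte ping after GRE+ESP:", gre_ipsec_size(1500), "bytes")
    print("largest DF ping that fits a 1500 MTU:", max_inner_size())
```

The ACL on the other router must be the mirror image so that the DNS reply (source port 53 back to the client) is also selected; the size calculation shows why SDM's full-MTU DF test cannot succeed regardless of the ISP, and why a lower ip mtu on the tunnel interface is the usual answer.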

carrollecc Wed, 05/09/2007 - 09:21

I really appreciate your responses. As I asked in my earlier post, can I run the EasyVPN server on the same router so that remote workers can use their laptops to tunnel into the main network? Ultimately we would have two GRE tunnels from two offices and then need the EasyVPN server for remote workers from their homes etc. Also, I cannot find any way to add PPTP functionality via SDM. Does Cisco still support PPTP on their routers? I have a brand new 1841 with Advanced IP Services and two 871s with Advanced IP Services that will comprise the primary network. Currently the remote workers use PPTP to connect into the network, but I'm not opposed to using Easy VPN Server / Clients for that functionality.

Correct Answer
Richard Burts Wed, 05/09/2007 - 09:43

Dwane

I did not answer the question about having both GRE tunnels and Easy VPN server initially because I have not done that and cannot say authoritatively whether the combination works or not. My opinion is that it should work. I do not know of anything that would prevent the combination from working. Perhaps someone with experience with this or someone from Cisco can speak to this issue.

HTH

Rick
