06-28-2001 06:17 AM - edited 03-08-2019 08:25 PM
Hello,
has anyone got IPSec + mode config with internally assigned addresses going and solved the problem with DNS, i.e. how is the DNS of the internal network conveyed to the client?
In a Cisco support document it says:
"Mode config can also forward WINS and DNS information to the client, although initially the internal IP addresses of those services must be statically configured on the client PC to ensure that clients can access any internal resources."
Is this feature supported yet (and with which IPSec client) and if not, can we expect it some time soon?
Regards
Dirk
PS: We are using a 2620 but I suppose the subject is also relevant to PIX.
07-03-2001 11:42 AM
I'd suggest using an internal private WINS/DNS solution for your VPN clients.
Hope this helps!
07-04-2001 12:11 AM
Thanks, but could you elaborate? What would such a solution look like?
Cheers
Dirk
07-06-2001 04:06 PM
If you set up a WINS & DNS on your internal network that resolves your internal clients, it needs to be a private zone that doesn't replicate with your public DNS. Then have your internal DNS grab external addresses when requested. Those internal WINS & DNS Servers are what you should configure for your VPN clients and your local hosts (via DHCP or whatever). Our domain administrator is a consultant and set this up for us, but that's my understanding of how it works. I would think Cisco can help you with the Router or PIX and client configs.
07-09-2001 01:56 AM
Thank you for replying. My original question was actually about configuring the clients (or the router), not the name servers. I suppose in most VPN scenarios people will use their existing name server setup.
As you say we have to configure the clients somehow ("via DHCP or whatever") but this is what Cisco mode config is designed for, but in my opinion it cannot do much more than assigning internal IPs, and not DNS/WINS.
Interestingly the IETF has turned down mode config (aka IKECFG) as a proposed standard and will concentrate on integrating DHCP. The bad news is that we'll have to wait for vendors to change their clients, the good news is that a standard is on the way which doesn't require much change in infrastructure etc.
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-13.txt
Dirk