Has anyone got IPSec + mode config with internally assigned addresses going and solved the problem with DNS, i.e. how is the DNS of the internal network conveyed to the client?
In a Cisco support document it says:
"Mode config can also forward WINS and DNS information to the client, although initially the internal IP addresses of those services must be statically configured on the client PC to ensure that clients can access any internal resources."
Is this feature supported yet (and with which IPSec client) and if not, can we expect it some time soon?
PS: We are using a 2620 but I suppose the subject is also relevant to PIX.
If you set up a WINS & DNS on your internal network that resolves your internal clients, it needs to be a private zone that doesn't replicate with your public DNS. Then have your internal DNS grab external addresses when requested. Those internal WINS & DNS servers are what you should configure for your VPN clients and your local hosts (via DHCP or whatever). Our domain administrator is a consultant and set this up for us, but that's my understanding of how it works. I would think Cisco can help you with the router or PIX and client configs.
Thank you for replying. My original question was actually about configuring the clients (or the router), not the name servers. I suppose in most VPN scenarios people will use their existing name server setup.
As you say we have to configure the clients somehow ("via DHCP or whatever") but this is what Cisco mode config is designed for, but in my opinion it cannot do much more than assigning internal IPs, and not DNS/WINS.
Interestingly the IETF has turned down mode config (aka IKECFG) as a proposed standard and will concentrate on integrating DHCP. The bad news is that we'll have to wait for vendors to change their clients, the good news is that a standard is on the way which doesn't require much change in infrastructure etc.