Cisco Support Community
Community Member

IPSec Site-to-Site

I have configured an IPSec site-to-site tunnel between a Cisco router and a Cisco VPN Concentrator and everything is OK. I have a question: now, if the clients behind the Cisco router want to access a private site behind the VPN Concentrator, they will use its name, but they can't, because they first need to establish a tunnel, and this tunnel will not be established because no public DNS server will resolve this private web server. How can we solve this issue?

Thanks in advance

21 REPLIES
Community Member

Re: IPSec Site-to-Site

Hi,

Just want to clarify with you whether there is still a need for this, as the user behind the router can use the LAN-to-LAN VPN between the router and the CVPN.

Community Member

Re: IPSec Site-to-Site

Hi,

Yes, I read many documents but still did not find a good solution.

Gold

Re: IPSec Site-to-Site

Maybe installing a DNS server on the remote end is an answer.

Community Member

Re: IPSec Site-to-Site

No, I'm asking how the client gets the remote site IP address before establishing the IPSec site-to-site tunnel, to let the IOS check whether this IP address is permitted to establish a tunnel or not.

Gold

Re: IPSec Site-to-Site

dns server <--> lan1 <--> router <--> www <--> concentrator <--> lan2

When a LAN1 user kicks off an application that has a LAN2 hostname as a destination, it sends a DNS request to the local DNS server. The server then responds with the LAN2 IP, from which the router will be able to determine whether the tunnel should be initiated or not. Making sense?

Community Member

Re: IPSec Site-to-Site

No DNS server at LAN1. A LAN1 user types a hostname and the IOS must determine first (before establishing a tunnel) whether this hostname's IP address is permitted to establish a tunnel or not.

Do you have an idea how the IOS does this?

Silver

Re: IPSec Site-to-Site

Is there a DNS server at the remote end at least? I have also heard you can do a local mapping but I am not sure how.

Community Member

Re: IPSec Site-to-Site

Sure.

Gold

Re: IPSec Site-to-Site

dns server <--> lan1 <--> router <--> www <--> concentrator <--> lan2

On the router, configure

ip name-server

ip forward-protocol udp 53

ip forward-protocol

To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command.

Then include the router WAN IP as part of the LAN-to-LAN VPN.

In theory,

1. LAN1 user kicks off the app by hostname

2. Router tries to resolve the name by contacting the DNS

3. Since the router WAN IP is part of the LAN-to-LAN VPN, the VPN should be initiated

4. Bingo, LAN1 user gets in

Let me know if this works, as I've never tried this before.

Silver

Re: IPSec Site-to-Site

Yeah, I think that will work. Include the DNS server in your IPSec traffic; the DNS request will get forwarded to the remote-end DNS server, so your DNS query will trigger the tunnel. But for this, a DNS server is needed at the other end at least.

Community Member

Re: IPSec Site-to-Site

Hi jackko,

Thank you. Let us say the following:

DNS public --> 1.1.1.1

DNS LAN2 ip address --> 10.5.5.5

LAN1 users are configured for the 1.1.1.1 DNS at this time; must they be configured for 10.5.5.5? But this will make the session active all the time, since all the DNS requests will be checked through this private DNS at LAN2.

I need the IOS to check the IP address for any hostname: if it is from the LAN2 IP addresses then this will trigger the site-to-site IPSec session, otherwise keep this session inactive and forward it to the internet. Is this possible?

Gold

Re: IPSec Site-to-Site

Not sure if it's possible. However, there are Cisco experts reading this forum every second around the world and no one seems to be suggesting the IOS code, so maybe it's not very straightforward.

Wondering how many users we are talking about. If only a few, maybe editing the local hosts file on the PC is an option.

Gold

Re: IPSec Site-to-Site

Just wondering how you went. Figured out a workaround?

Community Member

Re: IPSec Site-to-Site

Hi Jackko,

The best solution till now is to let LAN1 clients get the LAN2 DNS (I configured DHCP at the LAN1 router). This makes the IPSec session active all the time.
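The thread ends with the tunnel permanently up because every DNS query from LAN1 is sent to the LAN2 server. What the original poster actually asked for is conditional (split) forwarding: only queries for LAN2 names should cross the tunnel, everything else should go to the public resolver, so that the site-to-site session is triggered only when it is needed. The following is an added example, not code from the thread or from Cisco: a small user-space conditional DNS forwarder that a host in LAN1 could run (and be handed out by DHCP as the LAN1 resolver). It uses the addresses the thread gives, 1.1.1.1 for the public DNS and 10.5.5.5 for the LAN2 DNS; the `lan2.example` suffix, the listen port 5353 and the function names are my assumptions, since the thread never names the LAN2 domain. The QNAME parser handles the DNS wire format directly so the example runs with the standard library only.

```python
import socket
import struct

# Addresses as given in the thread; the LAN2 domain suffix is a constructed
# placeholder because the thread never names the internal domain.
PUBLIC_DNS = "1.1.1.1"
LAN2_DNS = "10.5.5.5"
LAN2_DOMAINS = ("lan2.example",)   # placeholder: internal suffix served by 10.5.5.5


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a DNS query in wire format.

    Only uncompressed names are accepted, which is all a query's question
    section contains; compression pointers are rejected rather than followed.
    """
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def choose_upstream(qname: str) -> str:
    """Split-DNS policy: names under a LAN2 suffix go to the LAN2 server,
    everything else to the public resolver, so the tunnel is not woken up
    for ordinary internet lookups."""
    name = qname.rstrip(".")
    for suffix in LAN2_DOMAINS:
        if name == suffix or name.endswith("." + suffix):
            return LAN2_DNS
    return PUBLIC_DNS


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query; used here to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    body = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + body + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def route_query(packet: bytes) -> str:
    """Decide which upstream resolver a raw query packet should be sent to."""
    return choose_upstream(parse_qname(packet))


def serve(listen=("0.0.0.0", 5353)):
    """Blocking, single-threaded forwarder loop (assumed listen port 5353)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, client = sock.recvfrom(512)
        try:
            upstream = route_query(data)
        except ValueError:
            continue  # malformed query: drop it rather than forward it
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
            up.settimeout(3)
            up.sendto(data, (upstream, 53))
            try:
                reply, _ = up.recvfrom(4096)
            except socket.timeout:
                continue  # upstream (or the tunnel it sits behind) did not answer
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

For this to do what the thread wants, 10.5.5.5 still has to be reachable only through the LAN-to-LAN VPN (that is, inside the crypto ACL), so the first query for a `lan2.example` name is what brings the tunnel up, while queries for public names never touch it. The forwarder is deliberately minimal: it handles one query at a time, does no caching, and rejects compression pointers in the question name instead of following them.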
