L2TP/IPSec DNS split problem on Windows XP VPN client
I have a small problem connecting an XP L2TP client to an ASA5505 L2TP/IPsec VPN. I have internal and external IPs for the same domain. When I am on the VPN I am supposed to resolve the same domain name into the internal IP, and this is happening on Windows 7, but not on Windows XP. It seems like XP just ignores the DNS split settings of the VPN and keeps using the default DNS servers for my domain. I think it should be a known problem or some known misconfiguration of L2TP on the ASA appliance. Will appreciate any help! Thanks!
Re: L2TP/IPSec DNS split problem on Windows XP VPN client
As I am not familiar with your setup, I'll just include some pointers hoping they can be of help / give some ideas:
- when L2TP over IPsec is configured on an ASA and if the 'default-domain value' is configured under the group-policy, you need to take into account that the PPP IPCP protocol did not use to support a DNS suffix option, thus it is not possible to provide L2TP, PPTP or any other PPP client with a default domain. It's not a bug but a PPP IPCP protocol limitation. As per RFC 1877, only DNS server and WINS server IP addresses are supported by IPCP for name resolution: http://www.ietf.org/rfc/rfc1877.txt
- regarding the above please also see the following documentation from Microsoft (February 20, 2007):
- I expect it works with Win7 as the above Microsoft document mentions that future releases of Windows server operating systems will be able to pass DNS domain names to RAS clients through a DHCP inform packet after PPP and IPCP have converged.
- Sample config for split DNS tunneling with L2TP:
group-policy DfltGrpPolicy attributes
 wins-server value 18.104.22.168
 dns-server value 22.214.171.124
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value does.not.work.com
 split-dns value this.works.com
 intercept-dhcp 255.255.255.128 enable
 address-pools value VPDN1
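To make the IPCP limitation in the reply above concrete, here is an added decoder (not from the thread and not Cisco's or Microsoft's code) for the options a PPP/L2TP client receives in an IPCP packet. It uses the option codes from RFC 1332 (IP-Address) and RFC 1877 (DNS/NBNS server addresses); the Configure-Ack it decodes is constructed for this example, and the addresses in it are placeholders.

```python
import struct
from ipaddress import IPv4Address

# IPCP option codes: 3 from RFC 1332, 129-132 from RFC 1877. RFC 1877 defines
# only server addresses, so no IPCP option can carry a DNS suffix.
IPCP_OPTIONS = {3: "ip_address", 129: "primary_dns", 130: "primary_nbns",
                131: "secondary_dns", 132: "secondary_nbns"}
CONFIGURE_ACK = 2

def parse_ipcp(packet: bytes) -> dict:
    """Decode one IPCP packet (code, id, length, then TLV options)."""
    if len(packet) < 4:
        raise ValueError("IPCP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet):
        raise ValueError("length field exceeds packet")
    options = {}
    offset = 4
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = packet[offset], packet[offset + 1]
        if opt_len < 2 or offset + opt_len > length:
            raise ValueError("malformed IPCP option")
        data = packet[offset + 2:offset + opt_len]
        name = IPCP_OPTIONS.get(opt_type)
        if name and opt_len == 6:
            options[name] = str(IPv4Address(data))
        else:
            options[f"unknown_{opt_type}"] = data.hex()
        offset += opt_len
    return {"code": code, "id": ident, "options": options}

def build_option(opt_type: int, addr: str) -> bytes:
    """Encode a 6-byte IPCP address option (type, length, IPv4 address)."""
    return struct.pack("!BB4s", opt_type, 6, IPv4Address(addr).packed)

def sample_configure_ack() -> bytes:
    """Constructed Configure-Ack carrying client IP, primary DNS and WINS."""
    body = (build_option(3, "10.0.0.10") + build_option(129, "10.0.0.2")
            + build_option(130, "10.0.0.3"))
    return struct.pack("!BBH", CONFIGURE_ACK, 1, 4 + len(body)) + body

if __name__ == "__main__":
    decoded = parse_ipcp(sample_configure_ack())
    print(decoded)
```

The decoded options contain only addresses, which is why the split-dns and default-domain values from the ASA group-policy have to reach the client by another path such as the DHCP inform handled by the intercept-dhcp line.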