Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

L2TP/IPSec DNS split problem on Windows XP VPN client

I have a small problem connecting XP L2TP client to ASA5505 L2TP/IPsec VPN. I have internal and external IPs for the same domain. When I am on VPN I suppose to resolve the same domain name into internal IP and this is happening on Windows 7, but not on Windows XP. It seems like XP just ignores DNS split settings of VPN and keep using the default DNS servers for my domain. I think it should be a known problem or some known misconfiguration of L2TP on ASA appliance. Will appreciate any help! Thanks!

Everyone's tags (7)
1 REPLY
Cisco Employee

Re: L2TP/IPSec DNS split problem on Windows XP VPN client

Hi Anatoliy,

As I am not familiar with your setup I'll just include some pointers hoping they can be of help / give some ideas :

-  when  L2TP over IPsec is configured on an ASA an if the 'default-domain value' is configured under the    group-policy, you need to take into

account that  PPP IPCP protocol did no use to support dns suffix option, thus it is not possible to provide L2TP, PPTP or any other PPP client with default domain.  It's not a bug but PPP IPCP protocol limitation.  As per RFC 1877, only DNS server and WINS server IP addresses are supported by IPCP for name resolution:  http://www.ietf.org/rfc/rfc1877.txt

- regarding the above please also see the following documentation from Microsoft (February 20, 2007):

http://support.microsoft.com/kb/200211/

- I expect it works with Win7 as the above Microsoft document mentions that future releases of Windows server operating systems will be able to pass DNS domain names to RAS clients through a DHCP inform packet after the
PPP and IPCP have converged.

- Sample config for split DNS tunneling with L2TP:

group-policy DfltGrpPolicy attributes
wins-server value 1.2.3.4
dns-server value 5.6.7.8
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
default-domain value does.not.work.com
split-dns value this.works.com
intercept-dhcp 255.255.255.128 enable
address-pools value VPDN1

Best regards

Istvan
2925
Views
0
Helpful
1
Replies
CreatePlease to create content