Astaro User Bulletin Board
Go Back   Astaro User Bulletin Board > Astaro Gateway Products > VPN: Site to Site and Remote Access
Reload this Page DNS not working in PPTP VPN
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Welcome to the Astaro User Bulletin Board.
If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Page 2 of 2 1 2
Reply
 
LinkBack Thread Tools Display Modes
  #11 (permalink)  
Old 06-18-2009, 09:40 PM
Junior Member
  
Join Date: Jun 2009
Posts: 16
Default
Since no dropped DNS packets were showing in the packet filter live log, I ran tcpdump on the ASG, tracing on interface ipsec0 shows that the DNS standard query A from the L2TP client is seen by the ipsec0 interface, and that the client tries both DNS servers that are configured in Remote Access - Advanced.

These are the same servers that are configured in Network - DNS - Forwarders, and there are no allowed networks in the Network - DNS - Global, since my DNS servers are running Active Directory. According to the text on that tab, this should prevent clients from using the ASG as a recursive DNS resolver.

Does anyone out there have any ideas why ASG is not forwarding DNS requests for the remote access client?
Reply With Quote
  #12 (permalink)  
Old 06-18-2009, 09:41 PM
Moderator
  
Join Date: Jul 2001
Location: southern California
Posts: 5,156
Default
What packetfilter rules did you setup for the VPN pool?

Barry
__________________
http://DealBert.net
Home & business end-user since v1.x
  • ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
  • ASL 7.3x, Dell PE1550 Dual PIII 1GHz, 1GB RAM, 2 NICs, 50-IP Platinum License
  • ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
    Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
    Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb
Reply With Quote
  #13 (permalink)  
Old 06-19-2009, 06:04 PM
Junior Member
  
Join Date: Jun 2009
Posts: 16
Default
Ok, I found the problem. Turns out there is one bug and one quirk in Windows XP (and probably other versions of Windows) that pertains to VPN connections. The bug is that even if you put the Remote Access connections at the top of the Adapters & Bindings in Network Connections - Advanced - Advanced Settings, XP will still use the LAN DNS server ahead of the DNS servers configured for the VPN connection. Even though I did the registry hack described in MS KB311218, this behavior was not corrected.

However, the real issue was that I could not resolve internal network names because DNS on the client could not do a reverse lookup on the VPN DNS server names, which were internal class C private addresses. This is because XP does not like it when the VPN adapter IP address is not in the same subnet as the VPN DNS servers.

I fixed this by creating a new VPN address pool with an address of 192.168.0.220/32 (I will expand it beyond 2 addresses later) to put the VPN adapter into the same subnet as the 192.168.0.3 DNS server.

Although it still uses the LAN DNS server first when doing an nslookup, it immediately resolves the internal names as soon as it gives up on the ISP's DNS server.
Reply With Quote
Reply
Page 2 of 2 1 2

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT. The time now is 09:47 AM.

 
Contact Us - Astaro User Bulletin Board - Archive - Top

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.


These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases. issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.