IPSec Site-to-Site

paltel
Level 1

I have configured an IPSec site-to-site tunnel between a Cisco router and a Cisco VPN Concentrator and everything is OK. I have a question: now if the clients behind the Cisco router want to access a private site behind the VPN Concentrator, they will use its name, but they can't, because they first need to establish the tunnel, and this tunnel will not be established because no public DNS server will resolve this private web server. How can we solve this issue?

Thanks in advance

21 Replies

I guess one of the cons is that all the DNS requests are now going through the VPN and consuming the bandwidth.

In case bandwidth is a concern, I guess you can manipulate the hosts file of the primary user PC.

I wonder why IPSec should be active all the time. IPSec is going to trigger whenever there is interesting traffic to the server; in this case the traffic will be the DNS request.

Hi Attrgautam,

I see this is not a good solution, but if they have a public DNS server, and a LAN1 user types a LAN2 hostname, it will not trigger the IPSec tunnel because the public DNS server will return a failed DNS reply.

I tried your suggestion to use ip forward-protocol udp 53, but did not succeed! I don't have another solution!

...........

Please can you give more details about "manipulate the hosts file of the primary user PC"?

Thank you

The issue is due to the fact that the LAN2 PC cannot resolve the IP by the server name, since there is no DNS server installed.

This issue can be resolved by adding an entry to the PC's hosts file. A Windows machine looks up the hosts file first and only then the DNS server.

To edit the hosts file, open it with Notepad:

C:\WINDOWS\system32\drivers\etc\hosts

Below is the default hosts file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

Under the first entry, put in the LAN2 IP address, hit the key, and put in the server name.

e.g.

127.0.0.1 localhost
192.168.0.1 server_xxx

The catch with this workaround is that it's a manual process, so you will need to do this on every single PC. However, you may do it on the primary user's PC instead. That means the LAN2 office will need to depend on this primary user/PC to initiate the VPN.
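As an added example (not part of the original post), the hosts-file edit described above done by script rather than by hand, so it can be pushed to every PC without typos. It assumes the Windows hosts syntax quoted in the post (IP address, whitespace, one or more names, optional `#` comment), that the OS uses the first matching entry, and it works on a constructed sample file rather than the real `C:\WINDOWS\system32\drivers\etc\hosts`:

```python
"""Idempotently set a hosts-file mapping (added example, not from the post).

Assumptions: Windows hosts syntax; the first line whose names match wins, so
a stale duplicate must be removed rather than merely appended to.
"""
import ipaddress

# Constructed sample: trimmed default Windows hosts file plus one stale entry.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
192.168.0.9     server_xxx   # old address, should be replaced
"""

ADDED_TAG = "# added for site-to-site VPN"


def parse_hosts(text):
    """Return (ip, names, comment, raw_line) per line.

    Blank and comment-only lines get ip=None so a rewrite preserves them.
    A malformed address raises, because the OS would silently ignore the
    line and the user would just see a failed lookup.
    """
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            entries.append((None, [], comment, raw))
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            raise ValueError(f"bad address in hosts line: {raw!r}")
        if not names:
            raise ValueError(f"address without host name: {raw!r}")
        entries.append((ip, names, comment, raw))
    return entries


def lookup(text, name):
    """Mimic the resolver's hosts-file step: first matching name wins."""
    for ip, names, _, _ in parse_hosts(text):
        if ip and name.lower() in (n.lower() for n in names):
            return ip
    return None


def set_host(text, name, ip):
    """Return new file text mapping `name` to `ip`.

    Any existing mapping for `name` is removed (other names on that line are
    kept), so the new entry is the one the OS actually uses. Running it twice
    yields identical output.
    """
    ipaddress.ip_address(ip)  # validate before touching the file
    new_line = f"{ip:<15} {name}   {ADDED_TAG}"
    out, done = [], False
    for entry_ip, names, comment, raw in parse_hosts(text):
        if entry_ip and name.lower() in (n.lower() for n in names):
            remaining = [n for n in names if n.lower() != name.lower()]
            if remaining:
                line = f"{entry_ip:<15} {' '.join(remaining)}"
                if comment:
                    line += f"  #{comment}"
                out.append(line)
            if not done:
                out.append(new_line)
                done = True
            continue
        out.append(raw)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    updated = set_host(SAMPLE_HOSTS, "server_xxx", "192.168.0.1")
    print(updated)
    print("server_xxx ->", lookup(updated, "server_xxx"))
```

Writing the real file needs an elevated prompt, and because the hosts file overrides DNS it is a favourite target for malware; if you roll this out, keep the file's ACLs unchanged and treat unexpected entries in it as a finding.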

What are you talking about?!!!!!

I need IOS solution not Microsoft one (for every PC).

It would be better if you could appreciate that people here are contributing ideas and knowledge, trying to come up with a workaround for you as a FAVOUR. We are not staff of your company, Mr. Manager, so please be polite.

As my previous post suggested, it's very likely that the router would not work as you expected. That's why I keep posting alternatives. Anyhow, good luck!

Hi Jackko,

Sorry for my last post. I really appreciate your post, and it really is a very good team here.

Sorry again, but believe me, I did NOT mean any word in my last post.

Thank you and please accept my apology
