02-24-2016 06:55 AM - edited 02-21-2020 08:41 PM
Hi,
Some of our users are receiving an error when connecting to the IPSec VPN:
"The system has detected a possible attempt to compromise security VPN issue unable to map drives automatically"
and sometimes they struggle with DNS resolution. I have added IP addresses manually in the hosts file, but is there a better way?
I googled it but got different views from everywhere. I would not like to try it on a production firewall unless someone knows the fix.
Thanks,
02-26-2016 06:21 AM
Hello Mohammed,
You have a group-policy for the tunnel-group, and I assume you have enabled split-tunnel; then you can force the VPN users to send DNS lookups for internal domain names to the internal servers, rather than sending them to the local ISP.
group-policy your-vpn-group-policy attributes
dns-server value 10.121.81.64 10.121.81.65
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test-Split-Tunnel-List
default-domain value whatever.com
split-dns value whilte.com black.com yellow.com brown.com pink.com
As you can see, my split-dns value contains many internal domain names, for which nslookup will go to the internal DNS servers at 10.121.81.64 and 10.121.81.65 for that group-policy's VPN users.
Hope that helps.
Thanks
Rizwan Rafeek.
02-26-2016 06:21 AM
Hi Rizwan,
I have the group policy as suggested earlier. Does it look OK, or am I missing something?
group-policy company internal
group-policy company attributes
dns-server value 192.168.0.2 192.168.0.1
vpn-idle-timeout 43200
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value company.com
address-pools value vpnippool
02-26-2016 07:08 AM
Hello Mohammed,
You don't need these two values.
- - - - - - - - - - - - -
vpn-idle-timeout 43200
pfs enable
- - - - - - - - - - - - -
You still have to make your VPN client send lookups for your internal domain names into the tunnel; otherwise, for remote-access IPSec VPN clients, your internal hostname lookups will go to the local ISP.
An example is shown below; you need to specify your internal domain names as shown.
split-dns value whilte.com black.com yellow.com brown.com pink.com
thanks
Rizwan Rafeek
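Added example, not code from the thread or from Cisco: a small audit script that reads an ASA running-config and reports the gap discussed above, a group-policy with split tunnelling turned on but no split-dns list. It also checks a related point the thread does not spell out: with split-tunnel-policy tunnelspecified, only destinations in the split-tunnel access-list are tunnelled, so the dns-server addresses must fall inside that ACL or the queries never reach the internal resolvers. The sample config is the group-policy posted above laid out as show running-config prints it (attribute lines indented by one space); the access-list lines and its contents are assumptions, as the thread never shows them.

```python
"""Audit ASA remote-access group-policies for the split-DNS gap described above."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample, laid out the way 'show running-config' prints it (attribute
# lines indented by one space). The group-policy is the one posted in the thread;
# the access-list 'vpnsplittunnel' is an assumption, since the thread never shows it.
CONFIG_BEFORE = """\
access-list vpnsplittunnel standard permit 192.168.0.0 255.255.255.0
access-list vpnsplittunnel standard permit 10.10.0.0 255.255.0.0
group-policy company internal
group-policy company attributes
 dns-server value 192.168.0.2 192.168.0.1
 vpn-idle-timeout 43200
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplittunnel
 default-domain value company.com
 address-pools value vpnippool
"""

# The same policy with the split-dns line the thread recommends added.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    " default-domain value company.com\n",
    " default-domain value company.com\n split-dns value company.com\n",
)

Policies = Dict[str, Dict[str, List[str]]]


def parse_config(config: str) -> Tuple[Dict[str, list], Policies]:
    """Return (acls, policies).

    acls maps a standard access-list name to the networks it permits;
    policies maps a group-policy name to {attribute: [values]} taken from
    its 'group-policy <name> attributes' block.
    """
    acls: Dict[str, list] = {}
    policies: Policies = {}
    current = None  # attribute dict of the block we are inside, if any
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            parts = line.split()
            # "<attr> value v1 v2 ..." (lists) or "<attr> <v>" (e.g. "pfs enable")
            current[parts[0]] = parts[2:] if len(parts) > 2 and parts[1] == "value" else parts[1:]
            continue
        current = None  # any unindented line ends the attributes block
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        m = re.match(r"access-list (\S+) standard permit (.+)$", line)
        if m:
            spec = m.group(2).split()  # "host A.B.C.D" or "NETWORK MASK"
            net = spec[1] if spec[0] == "host" else f"{spec[0]}/{spec[1]}"
            acls.setdefault(m.group(1), []).append(ip_network(net, strict=False))
    return acls, policies


def check_policy(name: str, attrs: Dict[str, List[str]], acls: Dict[str, list]) -> List[str]:
    """Findings for one group-policy.

    Follows the thread's fix: with split tunnelling on, the client needs a
    split-dns list so internal names are resolved through the tunnel, and the
    dns-server addresses must themselves fall inside the split-tunnel ACL,
    or the queries never enter the tunnel in the first place.
    """
    findings: List[str] = []
    policy = attrs.get("split-tunnel-policy", ["tunnelall"])[0]
    if policy == "tunnelall":
        return findings  # all traffic, DNS included, already goes through the tunnel
    if "split-dns" not in attrs:
        findings.append(f"{name}: split-tunnel-policy {policy} but no split-dns list; "
                        "internal name lookups go to the client's local resolver")
    servers = attrs.get("dns-server", [])
    if not servers:
        findings.append(f"{name}: no dns-server value, so split-dns has no resolver to use")
    if policy == "tunnelspecified":
        acl_name = attrs.get("split-tunnel-network-list", [""])[0]
        nets = acls.get(acl_name, [])
        for server in servers:
            if not any(ip_address(server) in net for net in nets):
                findings.append(f"{name}: dns-server {server} is outside access-list "
                                f"'{acl_name}', so queries to it are not tunnelled")
    return findings


def audit(config: str) -> List[str]:
    """Run check_policy over every group-policy in an ASA running-config."""
    acls, policies = parse_config(config)
    findings: List[str] = []
    for name, attrs in policies.items():
        findings.extend(check_policy(name, attrs, acls))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"[{label}]", audit(cfg) or ["no findings"])
```

Paste the output of show running-config into CONFIG_BEFORE to run it against a real box; the parser only understands standard access-lists and the group-policy attributes block, so extended ACLs used as split-tunnel lists would need the regex extended.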
02-26-2016 10:46 AM
If I run these commands, would it fix the issue?
no vpn-idle-timeout
no pfs enable
split-dns value white.com
02-26-2016 11:35 AM
Hello Mohammed,
"If I run these commands would it fix the issue?"
No, but you do not need those lines.
But what you need is to enable split-dns, as shown below.
group-policy your-vpn-group-policy attributes
split-dns value whilte.com black.com yellow.com brown.com pink.com
02-26-2016 11:35 AM
Thanks. I will add split-dns on Monday and get back to you.
02-29-2016 06:50 AM
Hello Mohammed,
"Could I just append this line in group policy?"
Yes, you can, but replace the list with the domain names whose lookups you want your remote VPN clients to send into the tunnel.
You have split-tunnel enabled?
03-04-2016 04:17 AM
Hi rizwanr74,
I have tried the split-tunnel value and it has not resolved it.
Thanks,
03-04-2016 06:36 AM
Post your configuration.
02-29-2016 01:46 AM
Hi Rizwan,
Could I just append this line to the group policy?
split-dns value whilte.com black.com yellow.com brown.com pink.com
or does it have to be in particular order?