02-24-2016 06:55 AM - edited 02-21-2020 08:41 PM
Hi,
Some of our users are receiving an error when connecting to the IPSec VPN:
"The system has detected a possible attempt to compromise security VPN issue unable to map drives automatically"
and sometimes they struggle with DNS resolution. I have added IP addresses manually in the hosts file, but is there a better way?
I googled it but I got different views from everywhere. I would not like to try it on a production firewall unless someone knows the fix.
Thanks,
02-26-2016 06:21 AM
Hello Mohammed,
You have a group-policy for the VPN tunnel-group, and I assume you enabled split-tunnel; then you can force the VPN users to send DNS lookups for internal domain names to the internal servers rather than to the local ISP.
group-policy your-vpn-group-policy attributes
dns-server value 10.121.81.64 10.121.81.65
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test-Split-Tunnel-List
default-domain value whatever.com
split-dns value whilte.com black.com yellow.com brown.com pink.com
As you can see, my split-dns value contains many internal domain names, for which lookups will go to the internal DNS servers at 10.121.81.64 and 10.121.81.65 for the VPN users of that particular group-policy.
Hope that helps.
Thanks
Rizwan Rafeek.
02-26-2016 06:21 AM
Hi Rizwan,
I have got the group policy as suggested earlier. Does it look OK, or am I missing something?
group-policy company internal
group-policy company attributes
dns-server value 192.168.0.2 192.168.0.1
vpn-idle-timeout 43200
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value company.com
address-pools value vpnippool
02-26-2016 07:08 AM
Hello Mohammed,
You don't need these two values.
- - - - - - - - - - - - -
vpn-idle-timeout 43200
pfs enable
- - - - - - - - - - - - -
You still have to make your VPN client send lookups for your internal domain names into the tunnel; otherwise, internal hostname lookups from remote-access IPSec VPN clients will go to the local ISP.
An example is shown below; you need to specify your internal domain names as shown.
split-dns value whilte.com black.com yellow.com brown.com pink.com
thanks
Rizwan Rafeek
02-26-2016 10:46 AM
If I run these commands, would it fix the issue?
no vpn-idle-timeout
no pfs enable
split-dns value white.com
02-26-2016 11:35 AM
Hello Mohammed,
"If I run these commands would it fix the issue?"
NO, but you do not need those lines.
What you need is to enable split-dns, as shown below.
group-policy your-vpn-group-policy attributes
split-dns value whilte.com black.com yellow.com brown.com pink.com
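A small checker for the configuration discussed in this thread, added here as an example (it is not code from the thread or from Cisco). It parses `group-policy ... attributes` blocks as pasted above, reports when split tunneling is on without a matching `split-dns` list, and models which names a client would send to the tunnel's `dns-server`. The policy name and addresses are the ones posted above; the suffix-matching model of split DNS (unqualified names get `default-domain` appended, then the name is matched against the `split-dns` suffixes) is this example's own simplification, and `excludespecified` is treated like `tunnelall`.

```python
"""Added example: lint a Cisco ASA group-policy for remote-access split DNS.

The sample configs are constructed from the policy posted in this thread;
the parsing and check logic are the example's own, not an ASA feature.
"""
import re
from dataclasses import dataclass, field

# Column-0 commands that end a 'group-policy ... attributes' block
BLOCK_STARTERS = ("group-policy", "tunnel-group", "!")


@dataclass
class GroupPolicy:
    name: str
    attrs: dict = field(default_factory=dict)  # keyword -> list of tokens


def parse_group_policies(config: str) -> dict:
    """Parse every 'group-policy NAME attributes' block.

    Each attribute line is 'keyword [value] token...'; the optional 'value'
    keyword is dropped, so attrs['split-dns'] == ['a.com', 'b.com'].
    Leading indentation is ignored, so unindented forum pastes parse too.
    """
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"group-policy\s+(\S+)\s+attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), GroupPolicy(m.group(1)))
            continue
        if line.startswith(BLOCK_STARTERS):
            current = None  # 'group-policy X internal', tunnel-group, or '!'
            continue
        if current is None:
            continue
        tokens = line.split()
        key, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "value":
            rest = rest[1:]
        current.attrs[key] = rest
    return policies


def _suffix(name: str, domain: str) -> bool:
    """True when name equals domain or ends with '.' + domain."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def lint_split_dns(policy: GroupPolicy) -> list:
    """Return findings as strings; an empty list means the policy is consistent."""
    a, findings = policy.attrs, []
    if "dns-server" not in a:
        findings.append("no dns-server: clients resolve everything at the ISP")
    if a.get("split-tunnel-policy") == ["tunnelspecified"]:
        if not a.get("split-dns"):
            findings.append("split tunneling is on but split-dns is empty: "
                            "internal names are looked up at the ISP")
        else:
            dom = a.get("default-domain", [])
            if dom and not any(_suffix(dom[0], d) for d in a["split-dns"]):
                findings.append(f"default-domain {dom[0]} is not covered by "
                                "split-dns: unqualified names leave the tunnel")
    return findings


def resolves_via_tunnel(policy: GroupPolicy, qname: str) -> bool:
    """Would the client send the query for qname to the tunnel's dns-server?

    Assumed model: with 'tunnelspecified' an unqualified name gets the
    default-domain appended and is then matched against the split-dns
    suffix list; any other policy (tunnelall, the default) tunnels all DNS.
    """
    a = policy.attrs
    if "dns-server" not in a:
        return False
    if a.get("split-tunnel-policy") != ["tunnelspecified"]:
        return True
    if "." not in qname and a.get("default-domain"):
        qname = f"{qname}.{a['default-domain'][0]}"
    return any(_suffix(qname, d) for d in a.get("split-dns", []))


# Constructed from the policy posted in this thread (before the fix)
BEFORE = """
group-policy company internal
group-policy company attributes
 dns-server value 192.168.0.2 192.168.0.1
 vpn-idle-timeout 43200
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplittunnel
 default-domain value company.com
 address-pools value vpnippool
"""

# The same policy with the suggested split-dns line appended
AFTER = BEFORE + " split-dns value company.com\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        pol = parse_group_policies(cfg)["company"]
        print(label, lint_split_dns(pol) or "OK",
              "fileserver ->", "tunnel" if resolves_via_tunnel(pol, "fileserver") else "ISP")
```

Run against the "before" policy it flags the missing `split-dns`; with the line appended, an unqualified name such as `fileserver` is resolved through the tunnel while `www.example.org` still goes to the ISP resolver.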
02-26-2016 11:35 AM
Thanks. I would add split-dns on Monday and get back to you.
02-29-2016 06:50 AM
Hello Mohammed,
"Could I just append this line in group policy?"
Yes, you can, but replace it with the list of domain names whose lookups you want your remote VPN clients to send into the tunnel.
Do you have split-tunnel enabled?
03-04-2016 04:17 AM
Hi rizwanr74,
I have tried the split-tunnel value and it has not resolved it.
Thanks,
03-04-2016 06:36 AM
Post your configuration.
02-29-2016 01:46 AM
Hi Rizwan,
Could I just append this line in the group policy?
split-dns value whilte.com black.com yellow.com brown.com pink.com
or does it have to be in a particular order?