DNS problem when using VPN connection between Cisco 800 Series and iPhone 4S

Kai Onken
Level 1

Hello,

Has anybody configured a VPN connection between an 800 series router and an iPhone 4S using the iPhone's built-in Cisco VPN client? I have the VPN connection working, but I can't use DNS. Why not?

The DNS server is reachable via ICMP.

Internal DNS: 10.0.0.11

Configuration:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 <removed>
!
aaa new-model
!
aaa authentication login CONSOLE local-case
aaa authentication login VTY local-case
aaa authentication login AUX local-case
aaa authentication login CRYPTO_ISAKMP_CLIENT local
aaa authentication enable default enable
aaa authorization network CRYPTO_ISAKMP_CLIENT local
!
aaa session-id common
!
resource policy
!
ip cef
!
no ip domain lookup
ip domain name intra.local
ip ssh version 2
!
username kon privilege 15 secret 5 <removed>
!
crypto logging session
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group CRYPTO_ISAKMP_CLIENT
 key <removed>
 dns 10.0.0.11
 domain intra.local
 pool VPN-POOL
 save-password
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set VPN-TRANSFORMSET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CRYPTO_ISAKMP_CLIENT 1
 set transform-set VPN-TRANSFORMSET
!
crypto map STATIC_CRYPTO_MAP local-address Dialer0
crypto map STATIC_CRYPTO_MAP client authentication list CRYPTO_ISAKMP_CLIENT
crypto map STATIC_CRYPTO_MAP isakmp authorization list CRYPTO_ISAKMP_CLIENT
crypto map STATIC_CRYPTO_MAP client configuration address respond
crypto map STATIC_CRYPTO_MAP 1 ipsec-isakmp dynamic CRYPTO_ISAKMP_CLIENT
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description "-> WAN"
 no snmp trap link-status
 pvc 1/32
  pppoe-client dial-pool-number 1
!
interface FastEthernet0
 description <removed>
 duplex full
 speed 100
!
interface FastEthernet1
 description <removed>
 duplex full
 speed 100
!
interface FastEthernet2
 description <removed>
 duplex full
 speed 100
!
interface FastEthernet3
 description <removed>
 duplex full
 speed 100
!
interface Virtual-Template1 type tunnel
 description "Used for Dialer 0 Crypto map"
 ip unnumbered Dialer0
 tunnel mode ipsec ipv4
!
interface Vlan1
 description "-> LAN"
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description "WAN"
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 ip access-group 101 in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname <removed>
 ppp chap password <removed>
 crypto map STATIC_CRYPTO_MAP
!
ip local pool VPN-POOL 192.168.0.200 192.168.0.254
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list standard VTY
 permit 10.0.0.0 0.0.0.255
!
logging trap debugging
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 remark ---> Internet LAN
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 deny   icmp any any
dialer-list 1 protocol ip permit
!
control-plane
!
banner motd $
+---------------------------------------------------------------------+
|                                                                     |
|                    Security disclaimer                              |
|                                                                     |
| This computer system is for authorized users only. All activity is  |
| logged and regularly checked by systems personnel. Individuals using |
| this system without authority or in excess of their authority are   |
| subject to having all their services revoked. Any illegal services  |
| run by user or attempts to take down this server or its services    |
| will be reported to local Network Services department. Anyone using |
| this system consents to these terms.                                |
|                                                                     |
+---------------------------------------------------------------------+
$
!
line con 0
 exec-timeout 20 0
 login authentication CONSOLE
 no modem enable
line aux 0
 exec-timeout 20 0
 login authentication AUX
 transport input ssh
line vty 0 4
 access-class VTY in
 exec-timeout 20 0
 login authentication VTY
 transport input ssh
!
scheduler max-task-time 5000
ntp logging
ntp master 2
ntp server 192.53.103.108 source dialer 0 prefer
ntp server 129.187.254.32 source dialer 0
!
end


Kai Onken
Level 1

Hello,

I solved the problem myself. One statement was missing: reverse-route, which is required to create the routing entries.

crypto dynamic-map CRYPTO_ISAKMP_CLIENT 1
 set transform-set VPN-TRANSFORMSET
 reverse-route
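The missing reverse-route statement can be caught mechanically before clients report broken DNS. The following Python linter is an added example, not the poster's code: it parses a constructed config excerpt modelled on the one posted, reports dynamic crypto maps that lack reverse-route and, while one is missing, any client pool that lies outside every connected LAN subnet (the case here, where VPN-POOL is 192.168.0.x but the only LAN is 10.0.0.0/24). The function names and the excerpt are my own.

```python
import ipaddress
import re
# Constructed excerpt modelled on the posted config (not the poster's full config).
SAMPLE_CONFIG = """\
crypto dynamic-map CRYPTO_ISAKMP_CLIENT 1
 set transform-set VPN-TRANSFORMSET
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
ip local pool VPN-POOL 192.168.0.200 192.168.0.254
"""

def parse_blocks(config):
    """Split IOS config text into (top-level command, [indented subcommands]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                            # skip separators and blank lines
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())  # indented: belongs to the last block
        else:
            blocks.append((line.strip(), []))
    return blocks

def connected_networks(blocks):
    """Subnets of every 'ip address A.B.C.D MASK' configured under an interface."""
    nets = []
    for header, subs in blocks:
        if header.startswith("interface "):
            for addr, mask in re.findall(r"^ip address (\S+) (\S+)$", "\n".join(subs), re.M):
                nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def check_rri(config):
    """Flag dynamic crypto maps without reverse-route and the pools that then lack a route back."""
    blocks = parse_blocks(config)
    missing = [h for h, subs in blocks
               if h.startswith("crypto dynamic-map ") and "reverse-route" not in subs]
    findings = [f"{h}: no reverse-route" for h in missing]
    if missing:
        nets = connected_networks(blocks)
        for header, _ in blocks:
            m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", header)
            if m and not any(ipaddress.ip_address(m[2]) in n and
                             ipaddress.ip_address(m[3]) in n for n in nets):
                findings.append(f"pool {m[1]}: {m[2]}-{m[3]} is not a connected "
                                "subnet; needs reverse-route or a static route")
    return findings
```

Run it against `show running-config` output saved to a file to confirm every dynamic map injects routes for its pool.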