Hi Anatoliy,
As I am not familiar with your setup, I'll just include some pointers, hoping they can be of help / give some ideas:
- when L2TP over IPsec is configured on an ASA and if the 'default-domain value' is configured under the group-policy, you need to take into account that the PPP IPCP protocol did not use to support the DNS suffix option, thus it is not possible to provide L2TP, PPTP or any other PPP client with a default domain. It's not a bug but a PPP IPCP protocol limitation. As per RFC 1877, only DNS server and WINS server IP addresses are supported by IPCP for name resolution: http://www.ietf.org/rfc/rfc1877.txt
- regarding the above please also see the following documentation from Microsoft (February 20, 2007):
http://support.microsoft.com/kb/200211/
- I expect it works with Win7 as the above Microsoft document mentions that future releases of Windows server operating systems will be able to pass DNS domain names to RAS clients through a DHCP inform packet after the PPP and IPCP have converged.
- Sample config for split DNS tunneling with L2TP:

group-policy DfltGrpPolicy attributes
 wins-server value 1.2.3.4
 dns-server value 5.6.7.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value does.not.work.com
 split-dns value this.works.com
 intercept-dhcp 255.255.255.128 enable
 address-pools value VPDN1

Best regards
Istvan
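
Added example (not part of the post above and not Cisco code): a small parser for IPCP configure packets, showing that the only name-resolution options the protocol defines are the four server-address options from RFC 1877, so there is nowhere to carry a domain suffix. The sample packet is constructed for illustration; its DNS and WINS values are taken from the sample config and the client address 10.0.10.5 is an assumption.

```python
import ipaddress
import struct

# IPCP configuration option types. 2 and 3 are from RFC 1332; 129-132 come from
# RFC 1877 and are the only name-resolution options. None carries a DNS suffix.
IPCP_OPTIONS = {
    2: "IP-Compression-Protocol",
    3: "IP-Address",
    129: "Primary-DNS-Server-Address",
    130: "Primary-NBNS-Server-Address",
    131: "Secondary-DNS-Server-Address",
    132: "Secondary-NBNS-Server-Address",
}
ADDRESS_OPTIONS = {3, 129, 130, 131, 132}
CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject"}


def parse_ipcp(packet: bytes) -> dict:
    """Parse one IPCP configure packet (Code, Identifier, Length, Options)."""
    if len(packet) < 4:
        raise ValueError("truncated IPCP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad IPCP length field")
    options, pos = [], 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = packet[pos], packet[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("bad option length")
        data = packet[pos + 2:pos + opt_len]
        if opt_type in ADDRESS_OPTIONS:
            if len(data) != 4:
                raise ValueError("address option must carry 4 bytes")
            value = str(ipaddress.IPv4Address(data))
        else:
            value = data.hex()  # non-address options are shown as raw hex
        options.append((IPCP_OPTIONS.get(opt_type, f"unknown({opt_type})"), value))
        pos += opt_len
    return {"code": CODES.get(code, code), "id": ident, "options": options}


# Constructed sample: a Configure-Nak handing the client an address (assumed
# 10.0.10.5) plus the DNS (5.6.7.8) and WINS (1.2.3.4) servers from the config.
SAMPLE_NAK = bytes.fromhex("0301" "0016" "03060a000a05" "810605060708" "820601020304")

if __name__ == "__main__":
    print(parse_ipcp(SAMPLE_NAK))
```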