640 Views, 0 Helpful, 8 Replies

Problem using VPN over VPDN

Mark3000
Level 1

Hello,

I have a Cisco 1750 configured with VPDN/ADSL and DHCP. When accessing the Internet, I do not have any problem.

But when I try to access our Intranet via an IPsec VPN, the connection failed.

Any idea or help?

Regards (any configuration showing how to build VPN clients over VPDN is welcome!)

NB: When tracing the connection, I saw that the client/server request went through the VPN tunnel, but the server/client answers went outside the tunnel...

8 Replies

ehirsel
Level 6

I do not believe that you can use the same firewall or IOS device to tunnel IPsec over VPDN when that device acts as both a VPDN and an IPsec gateway to the remote peer. I.e., if your Cisco 1750 acts as a VPDN gateway to a client, and that same client wants to use that 1750 as an IPsec peer and a VPDN peer, it will not work.

Is that what you are trying to do? If not, can you describe your topology? Important items are where the users are relative to the 1750, and where the Intranet resides (behind the 1750, or does the 1750 connect to another site for Intranet access?)

Hi,

- My 1750 is located in a branch office (BO) connected to the central office (CO) via VPDN/ADSL/ATM.

- In the central office we have AAA/DNS/Portal... servers

- The Intranet is located in another site (Client Site) with the VPN and its own DNS servers...

Hence the connection is:

BO >> CO >> Client Intranet.

The mobile user is using a wireless connection to connect to the C1750 > VPDN > CO > Client Intranet.

Regards

To simplify the thing:

- One VPDN session from router to CO: using AAA server + DNS 1

- One VPN tunnel / IPsec using software VPN client at BO + concentrator at Client Intranet site + DNS 2.

Hence the problem is that I have to use the two DNS servers!

I now understand that the VPDN peers are the BO and CO routers, and the IPsec peers are the client and the Intranet concentrator.

Does the concentrator allow for "split-tunneling" to allow the user to connect to the Central Office while also connecting to the Intranet?

That would explain the need to connect to 2 DNS servers, because the VPN session is a point-to-point one and the client will only see one set of DNS servers if split-tunnelling is disabled.

Also, what is the failure? The IPsec/VPN client failing to authenticate to the concentrator? Or is that successful, and only the applications themselves fail?

One note about using ADSL - if the VPDN is done via PPPoE that may effectively reduce the MTU to 1492 from 1500 - so if issues such as slow performance are brought to your attention, and path MTU discovery is not working properly, this could be the cause.

I now understand that the VPDN peers are the BO and CO routers, and the IPsec peers are the client and the Intranet concentrator.

-----> Right

Does the concentrator allow for "split-tunneling" to allow the user to connect to the Central Office while also connecting to the Intranet?

-----> Where does the feature "split-tunneling" have to be configured? In the VPDN concentrator (LNS) at the CO or on the IPsec concentrator at the Intranet site?

That would explain the need to connect to 2 DNS servers, because the VPN session is a point-to-point one and the client will only see one set of DNS servers if split-tunnelling is disabled.

-----> Perhaps

Also, what is the failure? The IPsec/VPN client failing to authenticate to the concentrator? Or is that successful, and only the applications themselves fail?

------> The IPsec tunnel from client to Intranet does not come up

One note about using ADSL - if the VPDN is done via PPPoE that may effectively reduce the MTU to 1492 from 1500 - so if issues such as slow performance are brought to your attention, and path MTU discovery is not working properly, this could be the cause.

----> We are using ADSL/ATM, so PPPoA. Other applications are working fine and do not suffer from such problems

So, still the split-tunneling issue: where shall this feature be enabled?

The allowing of split-tunneling can be set either in the concentrator at the Intranet site, or it can be set via a RADIUS attribute sent by an AAA server upon user authentication. The concentrator/RADIUS disabling of split-tunneling will override the VPN client's config as far as that is concerned.

However you noted that the failure is the IPsec tunnel not coming up. If the user is not even getting prompted for an id and password, the first thing to check is if the client has the proper vpngroup name and password defined. Normally the VPN concentrator has those values - however if the concentrator is expecting to have the AAA server store those values, and it cannot contact the AAA server, then the user will not be able to see the username/password prompt. Instead they will get an "unable to contact gateway" message.

So the first thing I'd do is to understand how the concentrator is configured - if it is needing to get most info from an AAA server, test to see if the communication between AAA and concentrator succeeds. Note: with RADIUS there are now two new IETF ports 1812/1813 besides the original 1645/1646, so it is easy to block the traffic.

Second, is NAT-T being used or not? Look at the VPN client config under transport entries to see what options are selected.

Let me know what you find and we'll go from there.

Hi,

I made a small test:

1- I've brought up my VPDN tunnel from router (BO) to CO LNS (ADSL/ATM with login/pwd CHAP on AAA RADIUS). The connection is ok and I got as DNS my CO DNS, named dns1.

2- I have made an authentication at the user level (laptop-1) to be able to open a user session on the VPDN link (another AAA server with SSG)

At this stage I am able to browse on the Internet etc.

3- Once my connection was established, I launched the VPN client software on laptop-1. The IPsec tunnel does not come up.

4- Keeping the same VPDN and user session, I changed manually the DNS server from dns1 to dns2 located in the Intranet site. --> In this situation the IPsec VPN comes up.

Hence I have the feeling that when using dns1, my laptop cannot contact the Intranet AAA server, so the IPsec VPN connection failed. When using dns2 it is ok.

The problem is that dns1 is mandatory for the VPDN/user session establishment, and dns2 is required for the IPsec VPN establishment.

I would like to come back to this problem. In fact we have made some investigations and the problem seems to be "located".

What happens is:

- The VPDN authentication with AAA servers works ok = IP connection enabled

- The VPN tunnel works ok from the client to Intranet via CO

BO[vpn client] ----- CO[dns1, LNS/SSG etc] ----- Internet ------ Intranet[dns2+home servers]

- When using IP addresses, my applications work ok and can access home servers

- When using names, my applications do not work and cannot access home servers

I have noted that when using names for the servers, my client requests dns-1 (abnormal!) instead of dns-2 (the normal behaviour). Hence, my question is: why do these DNS requests go outside the VPN tunnel?

Any help please. This is an important issue for us.

Thx
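The last post narrows the fault to name resolution: the client sends its queries to dns-1 (the resolver learned over the VPDN link) rather than dns-2 (the Intranet resolver inside the IPsec tunnel), so Intranet names never resolve while IP addresses work. The following Python script is an added example, not code from the thread or from any Cisco product. It shows the two things a practitioner would want here: a split-DNS policy that routes names under an Intranet suffix to the tunnel resolver and everything else to the default one, and a minimal RFC 1035 query/response codec so a name can be sent straight to a chosen server, bypassing the OS resolver order, to confirm what dns1 and dns2 each answer. The addresses and the suffix `intranet.example` are constructed placeholders (RFC 5737 documentation ranges), not values from the thread.

```python
import socket
import struct

# Constructed values for the example: dns1 stands for the CO resolver handed out
# over the VPDN link, dns2 for the Intranet resolver handed out by the IPsec client.
DNS1 = "192.0.2.53"        # documentation address, not a real server
DNS2 = "198.51.100.53"     # documentation address, not a real server
SPLIT_DNS = {"intranet.example": DNS2}   # assumed suffix -> resolver inside the tunnel


def choose_resolver(name, split_dns=SPLIT_DNS, default=DNS1):
    """Split-DNS policy: names under a tunnelled suffix go to the Intranet
    resolver, everything else to the default (VPDN-assigned) resolver."""
    host = name.rstrip(".").lower()
    for suffix, server in split_dns.items():
        if host == suffix or host.endswith("." + suffix):
            return server
    return default


def build_query(name, qid=0x1234):
    """Encode a standard recursive A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # resume after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_answer(packet):
    """Return (rcode, [A record addresses]) from a DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = _read_name(packet, offset)
        offset += 4                                     # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = _read_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addresses.append(socket.inet_ntoa(rdata))
    return rcode, addresses


def resolve_via(name, server, timeout=2.0):
    """Send the query directly to one resolver (network call). Comparing the
    result from dns1 and dns2 shows which server actually knows the Intranet names."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_answer(data)


def diagnose(name, split_dns=SPLIT_DNS, default=DNS1):
    """Report which resolver the split-DNS policy selects for a name."""
    server = choose_resolver(name, split_dns, default)
    return {"name": name, "resolver": server, "inside_tunnel": server != default}


if __name__ == "__main__":
    for host in ("portal.example", "home1.intranet.example"):
        print(diagnose(host))
```

`diagnose` is the offline part and runs anywhere; `resolve_via` is the probe to run on the laptop with the IPsec tunnel up, once against dns1 and once against dns2 for the same Intranet name. If only dns2 answers, the client is missing a split-DNS rule (or the concentrator is not pushing one) that sends the Intranet suffix into the tunnel, which matches the behaviour the thread describes.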