[Openswan Users] Windows dns lookup over IPSEC/L2TP

Duncan Reed duncan at elminster.com
Sun Oct 31 11:55:47 CET 2004


> Duncan Reed wrote:
>
>> Doing an ipconfig/all you can see that the windows client has picked up

> Sorry, I don't understand. Does the Windows client obtain the DNS
> addresses or doesn't it?

Windows client obtains DNS from the original DNS server (provided by ISP), not
the new ones picked up via L2TPD. I would guess that if the ISP DNS went
down it would probably then query the one provided by L2TPD.

The result is that resolution works for internet but not for intranet.
Maybe this will help:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : VIA Rhine II Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-50-87-FD-40-CA
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.5
                                            10.0.0.2

PPP adapter IPCop140:

        Connection-specific DNS Suffix  . : mysuffix.com
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.11.220
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.11.220
        DNS Servers . . . . . . . . . . . : 192.168.11.201
                                            192.168.11.202

[Note: I'm double natted, 192.168.0.x-->10.0.0.x-->Internet-->192.168.11.x
but I get same result with no nat, which I test elsewhere]

So before the VPN connection is established the above would use 192.168.0.5 &
10.0.0.2 for resolution; after the VPN connection is established I would expect
192.168.11.201 and 192.168.11.202 to be used. But it still uses
192.168.0.5 and 10.0.0.2.

The new DNS servers do work correctly, as I can do 'nslookup test.intranet
192.168.11.201', which tells Windows to do the resolution using intranet
DNS server 192.168.11.201. It would seem Windows appends the new DNS servers to
the list of available DNS servers (or doesn't use them at all) for resolution.

I have tried playing with connection and primary suffixes but to no avail.

>
>> When I browse or do an nslookup it uses the primary dns on the Ethernet
>> adaptor connection, i.e. the ISP, rather than those specified by the VPN
>> connection.
>
> Can you ping those DNS servers once the client is connected? Can you
> check with tcpdump on ipsec0 to see what happens?

Yep I can nslookup against them if I specify them with nslookup <lookup
addr> <dns server>.

>
>> Converted to work on IPCop distribution. My config, what and
>> how I did it can be found here
>> http://www.elminster.com/xoops/modules/phpwiki/index.php/IpcopL2tpRemoteAccessServer
>
> Looks great so far. I think with a nice GUI this could be an wonderful
> addition to IPCop.

Well, hopefully it will all eventually get added into IPCop as standard
functionality. And it probably would never have worked at all without your
FAQs, which were my primary source, so thanks for them.

>
>> I can get this working by hard coding stuff into windows but then it
>> breaks resolution when the VPN is down.
>
> Hard coding? You mean you set a fixed DNS server for that connection?

Yes. If I hardcode the DNS servers to use in windows to the intranet ones
all works fine. Until you take the VPN down of course.

Duncan
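The manual check Duncan describes (nslookup against one explicitly named server) generalised into a script, added here as an example and not part of the original post or of the IPCop/Openswan material: for every IPv4 interface that has DNS servers configured it queries each server directly for an intranet name, then runs the same query through the system resolver, so you can see whether the VPN adapter's resolvers work and which ones Windows actually consults. It assumes Windows 8 / Server 2012 or later (the DnsClient and NetTCPIP modules); the name 'test.intranet' is taken from the thread and is only a default parameter.

```powershell
# Added example, not from the original thread: compare per-interface DNS servers
# against what the system stub resolver does for the same name.
# Assumes Windows 8 / Server 2012 or later (Get-DnsClientServerAddress,
# Get-NetIPInterface and Resolve-DnsName are available).
param(
    [string]$Name = 'test.intranet'   # name from the thread; any intranet-only name works
)

# The interface metric is what the Windows resolver uses to rank adapters, so
# show it next to each adapter's servers: a VPN adapter with a worse (higher)
# metric than the LAN adapter is the usual reason its servers are not consulted.
$metrics = @{}
Get-NetIPInterface -AddressFamily IPv4 |
    ForEach-Object { $metrics[$_.InterfaceIndex] = $_.InterfaceMetric }

function Get-ARecords {
    # Reduce a Resolve-DnsName result to a comma-separated list of A addresses.
    param($Records)
    ($Records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
}

foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $iface.ServerAddresses) { continue }   # adapter has no DNS servers at all
    $metric = $metrics[$iface.InterfaceIndex]
    Write-Host ("{0} (ifIndex {1}, metric {2})" -f $iface.InterfaceAlias, $iface.InterfaceIndex, $metric)

    foreach ($server in $iface.ServerAddresses) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS and the local cache; -Server forces this resolver,
            # which is what 'nslookup name server' did in the original post.
            $answer = Resolve-DnsName -Name $Name -Type A -Server $server -DnsOnly -ErrorAction Stop
            Write-Host ("  {0,-15} -> {1}" -f $server, (Get-ARecords $answer))
        } catch {
            Write-Host ("  {0,-15} -> FAILED: {1}" -f $server, $_.Exception.Message)
        }
    }
}

# Now the same query with no server named: this is the path browsers and
# ordinary applications take, and the one that failed for intranet names.
Write-Host "System resolver (no -Server):"
try {
    $sys = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
    Write-Host ("  {0}" -f (Get-ARecords $sys))
} catch {
    Write-Host ("  FAILED: {0}" -f $_.Exception.Message)
}
```

If the VPN adapter's servers answer in the first part but the system resolver fails in the second, you have reproduced the symptom in the thread: the servers are configured but are not the ones Windows consults. On current Windows the adapter ranking is driven by the interface metric, so giving the VPN adapter a lower metric than the LAN adapter (for example `Set-NetIPInterface -InterfaceIndex <vpnIndex> -InterfaceMetric 1`, replacing `<vpnIndex>` with the ifIndex printed above) is the usual knob to try before resorting to the hard-coded servers Duncan mentions, which break resolution once the tunnel is down.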
