VPN and DNS

Hi,

I'm using a Netgear FVG318 VPN Firewall Router with a tunnel from a PC client running Netgear ProSafe VPN Client. The VPN runs fine and I can ping all my Linux servers using their static IPs (10.94.69.x); however, I can't ping using domain names (xxx.donoss.lan) over the VPN. DNS is running on 10.94.69.2, a SUSE 10 box; 10.94.69.1 is the gateway (VPN router). Any ideas on how I can ping using the domain names?

Many thanks

Andy

 
Donoss asked:

Gabriel Orozco (Solution Architect) commented:
You should edit your DHCP server for the local LAN and tell it your DNS will be 10.94.69.2.

This of course will be a problem if the VPN goes down,

but if the VPN stays up, then it should work well.
 
Gabriel Orozco (Solution Architect) commented:
Is the domain internal?

Do the clients have the DNS server in their /etc/resolv.conf? (If not, then there is the problem. Edit the file and replace the nameserver row with your 10.94.69.2 nameserver, like here:)
------------------------------------
nameserver 10.94.69.2
domain donoss.lan
search donoss.lan
------------------------------------
This goes on the clients. Make sure your DNS server can answer queries for donoss.lan.
 
Donoss (Author) commented:
Sorry if I didn't make it clear, but the clients are running XP, and it is from here, over the VPN, that I can't ping using the domain names, e.g. obiwan.donoss.lan, skywalker.donoss.lan. I can ping internally with no problem, but can't over the VPN.

Regards

Andy
Cyclops3590 commented:
I've never used Netgear's VPN device before, but it sounds like your VPN clients either aren't being issued the IP for the internal DNS server, or they are but are still using the external DNS servers.

At least in Cisco firewalls there is something called split-DNS, where you give a list of domain names that the VPN client is aware of, so it is forced to use the specified DNS servers through the VPN connection. I've also come across some where the VPN connection forces all traffic through the VPN and thus forces use of the DNS servers the VPN specifies. That is all I can think of anyway; check those settings.

From the XP machines, when they are logged in, run an ipconfig /all to make sure that they are getting a DNS server entry for the VPN connection, then do a
nslookup <name of server to lookup> <ip of ns server to query>
and make sure it resolves, then do
nslookup <name of server to lookup>
It should give the IP of the DNS server it's trying to query in the output.
 
Donoss (Author) commented:
Hi Cyclops,

ipconfig displays the DNS address as the local IP address on my home network, 192.168.0.1, which is the gateway.

Regards

Andy
 
Cyclops3590 commented:
There's no DNS entry specifying 10.94.69.2 then, I take it, when you are VPN'd in?
 
Donoss (Author) commented:
No.

All I can do is ping this subnet's IPs, but no DNS.
 
Cyclops3590 commented:
Did you try the nslookup command?
Example:
nslookup obiwan.donoss.lan 10.94.69.2
while you were VPN'd in.
 
Donoss (Author) commented:
The following was displayed, and it did return the correct IP for obiwan!

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Andrew Norman>nslookup obiwan.donoss.lan 10.94.69.2
*** Can't find server name for address 10.94.69.2: Non-existent domain
Server:  UnKnown
Address:  10.94.69.2

Name:    obiwan.donoss.lan
Address:  10.94.69.4

C:\Documents and Settings\Andrew Norman>
 
Cyclops3590 commented:
Yup, it's your VPN client either not being issued the IP for the inside DNS server, or your client just isn't using it.
 
Donoss (Author) commented:
Any ideas how to resolve this using the Netgear FVG318?

Many thanks

Andy
 
Cyclops3590 commented:
Never used it before; I'll have to go to Netgear's site to see if they have some user manuals I can look at to see if it's possible or not. Are you using PPTP or IPsec for the VPN?
 
Cyclops3590 commented:
The only type of VPN I saw was IPsec, so I assume that's what you are using. I never really saw anything to do with DNS, so to be quite honest I almost doubt you can do what you want to accomplish with that device.

How did you set up your profile on the client? Did you tell it to forward all traffic through the tunnel, or only for that subnet? Even then I am not sure how you get it to obtain the DNS server IP address and use that server.

Sorry I couldn't be of more help, but we do at least know what the problem is; it's just that I don't know how to fix it, if it's even fixable.
 
Gabriel Orozco (Solution Architect) commented:
Since you stated your clients are XP, and the VPN is *transparent* for them, because it is handled by your hardware devices, you should have the DNS server in your TCP/IP settings.

a) Can you ping the IP 10.94.69.2?
b) If you can ping: are you using DHCP?
c) If DHCP: have you configured your DHCP server to hand out the DNS server IP and domain?
d) If not DHCP: did you configure the XP TCP/IP settings to have the remote DNS server as the default one, along with the correct domain (donoss.lan)?
 
Donoss (Author) commented:
Guys,

The VPN is IPsec. I can ping 10.94.69.2 (the DNS server); however, the PC client is getting its IP from the local LAN (at home), from 192.168.0.1, which is the DHCP server for the local LAN. The remote VPN router is also a DHCP server for the remote LAN; this has 10.94.69.2 as the DNS server and the ISP's IP as the secondary DNS server. Could this be the problem?

Many thanks

Andy
 
Cyclops3590 commented:
Or you could hard-code the DNS server into your connection and, while you want to be VPN'd in, just change the DNS server IP. It would be a pain, but if you have multiple machines on your remote LAN, then at least the others won't be screwed up, since they wouldn't be VPN'd in.

Of course, you could make 10.94.69.2 the primary DNS server and your current DNS servers secondary. This would make sure that your client uses the office DNS server; however, when not logged in, it will make resolution of FQDNs longer and make the internet seem slower, since every request would have to time out on a server you can't communicate with without the VPN.
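The nslookup check Cyclops3590 describes earlier (query the office DNS server directly, then compare with what the system resolver does) and the split-DNS approach from this last comment, as an added example that is not from the original posters or from Netgear: a minimal DNS-over-UDP client in Python that builds an A query, parses the reply, and picks the server by name suffix, so only donoss.lan lookups go to 10.94.69.2 while everything else stays with the home gateway 192.168.0.1. The addresses and domain come from the thread; the random transaction id, the two-second timeout, the single split suffix and the sample reply bytes are assumptions and constructed data. Incidentally, the "Can't find server name for address 10.94.69.2" warning in the nslookup output above only means 10.94.69.2 has no PTR record for itself; it does not affect the forward answer.

```python
"""Hand-rolled DNS A lookup with a split-DNS server choice (added example,
not the thread's or Netgear's own code)."""
import secrets
import socket
import struct

INTERNAL_DNS = "10.94.69.2"      # SUSE box behind the tunnel (from the thread)
HOME_DNS = "192.168.0.1"         # home gateway handed out by DHCP (from the thread)
SPLIT_DOMAINS = ("donoss.lan",)  # suffixes that must go over the VPN (assumption: just one)


def build_query(name, txid=0x1234):
    """Return a wire-format DNS query for an A record of `name` (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg, txid=0x1234):
    """Return (rcode, [A addresses]); refuse replies whose id does not match ours."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def choose_server(name):
    """Split-DNS policy: internal suffixes go to the office resolver, the rest stay local."""
    host = name.rstrip(".").lower()
    for suffix in SPLIT_DOMAINS:
        if host == suffix or host.endswith("." + suffix):
            return INTERNAL_DNS
    return HOME_DNS


def resolve(name, server=None, timeout=2.0):
    """Send the query on UDP/53 to `server` (default: split-DNS choice) and parse the reply."""
    server = server or choose_server(name)
    txid = secrets.randbelow(0x10000)                  # unpredictable id, as real resolvers use
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_response(data, txid)


# Constructed reply, as 10.94.69.2 would answer 'obiwan.donoss.lan' (mirrors the
# nslookup output in the thread): id 0x1234, QR+RD+RA, one question, one answer
# whose name is a pointer (0xC00C) back to the question, A 10.94.69.4, TTL 3600.
SAMPLE_REPLY = (
    bytes.fromhex("123481800001000100000000")
    + b"\x06obiwan\x06donoss\x03lan\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x0e\x10" + b"\x00\x04"
    + bytes([10, 94, 69, 4])
)

if __name__ == "__main__":
    print(choose_server("obiwan.donoss.lan"), parse_response(SAMPLE_REPLY))
    # print(resolve("obiwan.donoss.lan"))  # live query; needs the tunnel up
```

With the tunnel up, `resolve("obiwan.donoss.lan")` reproduces the nslookup result, (0, ["10.94.69.4"]), while `resolve("www.example.com")` never touches 10.94.69.2; the constructed SAMPLE_REPLY lets the parser be exercised offline. Because the split decision is made per name rather than by adapter order, internet lookups do not wait for a timeout on the unreachable office server when the VPN is down, which is the slowdown the comment above warns about when 10.94.69.2 is simply made the primary server.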