AXISHK

DNS setup for Cisco VPDN

I have set up the following VPDN on the Cisco router. The DNS points to my internal DNS servers. When the VPN client was connected, I could see that the DNS was granted to these two internal servers.

However, when I ping another internal server, it doesn't return the internal IP of the server. Somehow a public IP 209.68.xx was replied. Any idea what's wrong with my VPDN configuration?

Thanks

!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 peer default ip address pool pool1
 ppp authentication pap chap L2TP-AUTH
 ppp authorization L2TP-AUTH
 ppp ipcp dns 192.168.150.37 192.168.150.32
rfc1180

> Somehow a public IP 209.68.xx was replied. Any idea what's wrong with my VPDN configuration?

Without looking at your entire configuration I do not have a solid idea, but based on what you have mentioned: if you use 1:1 NAT for the 209.68.xx and the internal IP that you are pinging, the IOS is executing a "DNS Rewrite". This is typical by design in most modern ASA and IOS configs.

Billy
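As an added illustration (not code from the thread, and not Cisco's implementation), the Python below models the "DNS Rewrite" behaviour described above: a NAT ALG inspects a DNS reply crossing the NAT boundary and swaps any A-record address that has a static 1:1 entry for its global counterpart, which is exactly how a client ends up pinging a public address for an internal host name. The NAT table, the host name and the 203.0.113.x global addresses are constructed placeholders, not values from the poster's network.

```python
import socket
import struct

# Constructed static (1:1) NAT table in the spirit of the posted "ip nat inside
# source static" lines; the global addresses are documentation placeholders.
STATIC_NAT = {"192.168.150.32": "203.0.113.32", "192.168.150.39": "203.0.113.39"}

def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def _a_record_offsets(msg: bytes):
    """Yield the rdata offset of every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(msg: bytes) -> list[str]:
    """Dotted-quad addresses of the A records in a DNS response."""
    return [socket.inet_ntoa(msg[o:o + 4]) for o in _a_record_offsets(msg)]

def dns_rewrite(msg: bytes, nat_table: dict[str, str]) -> bytes:
    """Model of the NAT ALG: swap each A-record address that has a static entry."""
    out = bytearray(msg)
    for off in _a_record_offsets(msg):
        inside = socket.inet_ntoa(msg[off:off + 4])
        if inside in nat_table:
            out[off:off + 4] = socket.inet_aton(nat_table[inside])
    return bytes(out)

def build_response(qname: str, addresses: list[str]) -> bytes:
    """Constructed minimal DNS response: one question plus one A record per address."""
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    rr_head = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # ptr to qname, A/IN, TTL 300, rdlen 4
    return header + question + b"".join(rr_head + socket.inet_aton(a) for a in addresses)
```

A reply for a host with a static NAT entry comes back rewritten while one without an entry passes through unchanged, so comparing what the client receives against the zone data on the internal server is the quickest way to confirm this is what you are seeing.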

You indicated this is a router (IOS), I presume. Do you have a statement like

ip name-server a.b.c.d

pointing at your internal name server?
Jody Lemoine
It depends largely on client support.  On my L2TP and PPTP VPDNs, the Windows clients will receive the DNS setting using any of the following mechanisms:

Explicit async-bootp dns setting in global configuration
Explicit ppp ipcp dns setting under the virtual-template interface
No explicit ppp ipcp dns setting under the virtual-template interface (defaults to the async-bootp dns setting or the router's ip name-server setting in that order)

The Macintosh clients, on the other hand, won't pick up the DNS settings via *any* of these mechanisms, which is quite frustrating.

Do the IPCP-configured DNS servers show up in the client's name server list when you're connected?  If so, in what order?
AXISHK

ASKER

I already put those related DNS statements in my configuration but it doesn't work. Under Windows, "ipconfig /all" shows that the DNS server has been bound to our internal DNS server. However, the host name ping reply is from a strange IP address "209.62.xx.yy", and in fact the server can only be visited by IP rather than host name.

Although I have put in mppe auto, I could use it in my Windows VPN setup. The VPN connection can only be built when I specify "Optional encryption (connect even if no encryption)". It doesn't allow the connection if I select the default "Require encryption". Does it mean there is no encryption for the VPN connection?

Thanks again.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ABC-HKDC
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp L2TP-AUTH local
aaa authentication ppp l2tp-001 local
aaa authorization network L2TP-AUTH local
aaa authorization network l2tp-001 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2609227240
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2609227240
 revocation-check none
 rsakeypair TP-self-signed-2609227240
!
!
crypto pki certificate chain TP-self-signed-2609227240
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 192.168.150.37
ip name-server 192.168.150.32
no ipv6 cef
!
multilink bundle-name authenticated
!
async-bootp dns-server 192.168.150.37 192.168.150.32
vpdn enable
vpdn multihop
vpdn domain-delimiter / prefix
!
vpdn-group vpdn--PPTP
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip 202.134.xxx.yyy
 local name vpdn
 lcp renegotiation on-mismatch
!
virtual-template 1 pre-clone 50
!
!
username upcadmin privilege 15 secret 5 $1$hxyr$8d/rybCDm 
!
!
!
archive
 log config
  hidekeys
!
!
!
class-map match-any class--D
 match any
class-map match-any class--B
 match access-group 2001
class-map match-any class--C
 match access-group 2002
class-map match-any class--A
 match access-group 2000
!
!
policy-map policy--define
 class class--A
    bandwidth percent 40
 class class--B
    bandwidth percent 30
 class class--C
    bandwidth percent 5
 class class-default
    fair-queue
     random-detect
policy-map policy--UPC
 class class--D
    shape average 1000000
  service-policy policy--define
!
!
!
!
interface Loopback0
 ip address 1.1.1.111 255.255.255.255
!
interface Tunnel2
 description to HK office
 ip address 1.1.1.5 255.255.255.252
 ip tcp adjust-mss 1452
 tunnel source 202.134.xxx.yyy
 tunnel destination 219.90.xxx.yyy
!
interface Tunnel3
 description to BJ
 ip address 1.1.1.9 255.255.255.252
 ip tcp adjust-mss 1400
 tunnel source 202.134.xxx.yyy
 tunnel destination 202.134.ccc.ddd
!
interface FastEthernet0
 ip address 192.168.150.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 peer default ip address pool pool1
 ppp encrypt mppe auto
 ppp authentication pap chap L2TP-AUTH
 ppp authorization L2TP-AUTH
 ppp ipcp dns 202.134.eee.fff
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 202.134.xxx.yyy 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool pool1 192.168.150.200 192.168.150.240
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.134.mmm.nnnn
ip route 192.168.1.0 255.255.255.0 Tunnel2
ip route 192.168.7.0 255.255.255.0 Tunnel3
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 100 interface Vlan1 overload
ip nat inside source static 192.168.150.32 202.134.xxx.yy1 extendable
ip nat inside source static 192.168.150.39 202.134.xxx.yy2 extendable
ip nat inside source static 192.168.150.40 202.134.xxx.yy3 extendable
!
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
no cdp run

!
!
!
!
!
snmp-server community private RW
snmp-server enable traps tty
snmp-server host 192.168.150.41 private
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
end

Are there any other name servers in your "ipconfig /all" output besides the ones you have configured?  If so, are they listed before or after the ones configured on the router?

The "mppe auto" command only applies to PPTP connections and won't help with L2TP, which uses IPsec.  The following virtual template is what I use for PPTP connections:

interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool default
 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap xauth
 ppp authorization mppe
AXISHK

ASKER

So can I have data encryption with L2TP? How do I configure IPsec to ensure maximum security?

I have configured this on my router and get the following warning messages. How do I get rid of these?

HKDC(config-if)# ppp authentication ms-chap-v2 ms-chap xauth
AAA: Warning, authentication list "xauth" is not defined for PPP.

HKDC(config-if)# ppp authorization mppe
AAA: Warning, authorization list "mppe" is not defined for network authorization

When I run "show ppp mppe virtual-access1", it tells me "PPP is not active on interface Vi1". How do I know the established connection is encrypted? And what bit length does it use for encryption?

Thanks
Okay, let me tackle these one by one.

> So can I have data encryption with L2TP? How to configure IPsec to ensure max. security?

Yes, but L2TP relies on IPsec as an external encryption/integrity mechanism, so it has to be configured via appropriate crypto maps on your router.

> I have configured on my router and have the following warning message. How to get rid of these ?

> HKDC(config-if)# ppp authentication ms-chap-v2 ms-chap xauth
> AAA: Warning, authentication list "xauth" is not defined for PPP.

> HKDC(config-if)# ppp authorization mppe
> AAA: Warning, authorization list "mppe" is not defined for network authorization

Sorry about that.  You have to define the xauth and mppe mechanisms in aaa before they'll actually be usable.  A sample configuration for that would look like this:

aaa authentication login xauth group radius local
aaa authorization network mppe group radius local

> How do I know the established connection is encrypted?

You can find out which virtual access interface each user is connected on by issuing the "show users" command.  Once you have that, you can use the "show ppp mppe virtual-access #" where # is the interface number the user is connected on.
AXISHK

ASKER

"L2TP relies on IPsec": can I use this for remote VPN access for mobile clients? Is it better than MPPE (in what aspect)?

Can you give a configuration example for L2TP over IPsec for remote clients?

Many thanks again.
You certainly can.  It's much better than MPPE on modern Cisco routers because IPsec is accelerated in hardware while MPPE has to be encrypted/decrypted by the router's processor.  Also, IPsec with NAT-T is much friendlier with NAT routers at the client end than PPTP is.  Here's how I set it up:

vpdn enable
!
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username vpnbackup privilege 0 password 0 your-password
username vpnbackup autocommand exit
!

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key your-L2TP-tunnel-key address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set TS-3DESSHA1ESP esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP 10
 set nat demux
 set transform-set TS-3DESSHA1ESP
 match address L2TP
!
crypto map VPN 10 ipsec-isakmp dynamic L2TP
!
interface VLAN1
 crypto map VPN
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool pool1
 ppp mtu adaptive
 ppp authentication ms-chap-v2 ms-chap chap
ASKER CERTIFIED SOLUTION
Jody Lemoine
AXISHK

ASKER

Thanks.

One last question: my Cisco is an 1804 and I believe that it doesn't have special hardware for IPsec. Does it make any difference between IPsec and MPPE in terms of security and encryption?

Many thanks.

Actually, the 1800 series has the IPsec accelerator on-board, so you should be fine.  Do a "show version" to be sure.  The relevant output from my 1811 looks like this:

Cisco 1811 (MPC8500) processor (revision 0x400) with 354304K/38912K bytes of memory.
Processor board ID FHK1124103S, with hardware revision 0000

10 FastEthernet interfaces
1 Serial interface
1 terminal line
1 Virtual Private Network (VPN) Module
62976K bytes of ATA CompactFlash (Read/Write)

The key thing to look for is that "1 Virtual Private Network (VPN) Module" line.  If it's there, you have it.