Solved

Draytek IPsec VPN tunnel

Posted on 2010-11-25
8
5,776 Views
Last Modified: 2012-05-10
I have the following problem and would like to know if anybody can point me in the right direction to get a solution for this.

I have a Draytek 2820 Vigor modem/router that I use as a VPN gateway to a LAN that consists of a Windows 2008 R2 server which is a DC, file server, DNS and DHCP server. The rest of the LAN is a couple of PCs that are part of the domain. All the other users, some 10 laptops, are very mobile and are not part of the domain, as these are usually personal laptops. They connect to the network once they are in the office, and there is no problem accessing shares on the file server, as the DNS server IP address is given to each laptop as it connects.

The problem arises when these mobile users connect via the Draytek Smart VPN client (Ver 4.0.0.3). If the user connects via the "IPsec Tunnel" option, I can ping the file server, or any other PC on the LAN, but I cannot actually connect to the share via its name (or to any PC via its name). Basically the client does not know about the LAN's DNS server.

Is there some way to let the client connected via the VPN IPsec Tunnel know the IP of the LAN's DNS server so that the client can resolve the share names? The only way around it I have found, which is quite cumbersome, is to map all the shares in the HOSTS file, but I would rather not do that.

The reason I do not want to use the PPTP option is that I do not want to know the users passwords for the VPN connections.

Another problem that I have found with the Draytek's Smart VPN Client (sVPNc) is that even if you put in wrong credentials and IP address (while connecting as IPsec Tunnel), the client will tell you that it is connected even though there is no connection (you might not even have internet access and the sVPNc will happily tell you that you are connected). Not very useful for the clients, as they believe they are connected, but cannot access anything, as obviously there is no connection whatsoever.


Thank you
0
Comment
Question by:ian-pearce
8 Comments
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 34215700
0
 
LVL 5

Expert Comment

by:q2q
ID: 34216759
You cannot configure remote DNS settings in the Draytek VPN software. However, you can do so with the native Windows VPN client.
When using the Draytek Smart VPN it creates another dial-up connection. Take a look in Network Connections.
You can then modify this connection in the Networking tab to include specific DNS settings.

Failing that, go to the LAN settings on the Draytek and check that the DNS servers there are pointing to your internal servers.

If none of the above works you could always use a hosts file or a simple batch file that does the following for each server:

nbtstat -a serverip

This will request NetBIOS from each server it is run for. It will take a minute to run if you have a few IPs.

If the above isn't good enough (with having to run scripts) you could enable DHCP relay (LAN settings on the Draytek) to your internal server and get the VPN clients to use PPTP or L2TP, and it will then pick up DNS automatically from the DHCP server.
Hope all this helps
0
 
LVL 5

Expert Comment

by:q2q
ID: 34216840
Sorry, I didn't see the bit about the PPTP password (my eyes read one thing and my brain saw something else).

If you are concerned about users connecting from other machines etc. after using a simple tool to get their PPTP password, you could always set up peer IDs and certificates etc. If you install the certificate in a non-exportable format onto their PC they couldn't 'tinkle' with anything.
0
 

Author Comment

by:ian-pearce
ID: 34227589
Diprajbasu:
Thanks for your input.
I have gone through those documents already; unfortunately they do not solve my problem, as they describe LAN-to-LAN configuration.
I am not using LAN-to-LAN VPN (I do not have a Draytek on both sides, and sometimes the client is not even on a fixed LAN; he just uses a USB modem to connect). Thus I need to use the Smart VPN client.

Q2q
Thanks for your explanations.
Unfortunately, when you use the VPN tunnel there is no dial-up connection that can be modified by Windows; the tunnel goes out over the existing network adapter and cannot be modified from Network Connections. The Draytek dial-up connection is only available when using PPTP or L2TP connections.

"Failing that go to the lan settings on the draytek and check the dns servers there are pointing to your internal servers"

Not sure what you mean by this, as the IP of the client that connects via VPN tunnel changes depending on where he is connecting from.

Yes, as I said in my original post, a hosts file is the only workable solution that I have found so far.
I am not sure how to integrate the hosts file and the nbtstat -a serverip command; I am editing the hosts files manually. If there is a batch file way to do it, I would be grateful for a script.

I think I will have to look at the certificate way; I have never done anything with certificates before, but I guess there is always a first time.

Thanks
0
 
LVL 5

Assisted Solution

by:q2q
q2q earned 500 total points
ID: 34228902
Sorry, my script work is not great, so the only way around that would be to do a large batch file that runs when the user connects.
The file would just need a line for every server the users need the name for,
so
getname.bat would be:
nbtstat -a 192.168.1.1
nbtstat -a 192.168.1.2
nbtstat -a 192.168.1.3

Then, if the users are occasionally on site, you could make a login script that copies to the user's C drive and updates this for when you get new servers etc.
If they are not on site they could have a shortcut to the script using an IP address that they run to get the name; as it's a simple text file it shouldn't take too long.

loginscript.bat
rem Keep the previous copy as getname.old, then fetch the current getname.bat from the share
c:
cd\
if exist getname.old del getname.old
rename getname.bat getname.old
net use z: \\server\share
copy z:\getname.bat c:\getname.bat
net use z: /delete

Not glam, but it's a reasonable workaround; sorry I couldn't be more help on the VPN side.
0
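The two workarounds above (q2q's per-server nbtstat batch file, and the hosts-file editing ian-pearce asked for a script to automate) can be combined into one script that reads `nbtstat -a` output for each LAN server and maintains a marker-delimited block in the Windows hosts file. This is an added example, not code from the thread, from DrayTek or from Microsoft. The script name `vpn_hosts.py`, the marker lines and the sample nbtstat output are constructed; the 192.168.1.x addresses follow q2q's post; the hosts-file path is the standard Windows location.

```python
"""Build and merge HOSTS entries for LAN servers reached over an IPsec tunnel.

Added example (not from the thread). Assumes the admin keeps the list of
server IPs, `nbtstat -a <ip>` is run on the Windows client, and its text is
fed to parse_nbtstat(). Marker lines and sample output are constructed.
"""
import re
import subprocess

BEGIN_MARK = "# BEGIN vpn-lan-servers (managed)"
END_MARK = "# END vpn-lan-servers (managed)"

# Constructed sample of `nbtstat -a 192.168.1.2` output, in the Windows layout.
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.1.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESERVER     <00>  UNIQUE      Registered
    OFFICE         <00>  GROUP       Registered
    FILESERVER     <20>  UNIQUE      Registered
    OFFICE         <1C>  GROUP       Registered

    MAC Address = 00-11-22-33-44-55
"""

_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered", re.M)


def parse_nbtstat(text):
    """Return the machine name from nbtstat output, or None if no table found.

    <20> UNIQUE is the File Server service name, <00> UNIQUE the workstation
    name; either identifies the host, <20> preferred.
    """
    names = {}
    for name, suffix, kind in _ROW.findall(text):
        if kind == "UNIQUE":
            names.setdefault(suffix.upper(), name)
    return names.get("20") or names.get("00")


def hosts_block(ip_to_name):
    """Render the managed block of hosts lines, sorted numerically by IP."""
    lines = [BEGIN_MARK]
    for ip in sorted(ip_to_name, key=lambda a: tuple(int(o) for o in a.split("."))):
        lines.append(f"{ip}\t{ip_to_name[ip]}")
    lines.append(END_MARK)
    return "\n".join(lines) + "\n"


def merge_hosts(existing, ip_to_name):
    """Replace a previous managed block, or append one if none exists.

    Lines outside the markers are left untouched, so manual entries survive,
    and re-running with the same mapping yields identical text.
    """
    block = hosts_block(ip_to_name)
    out, skipping, replaced = [], False, False
    for line in existing.splitlines(keepends=True):
        if line.strip() == BEGIN_MARK:
            skipping, replaced = True, True
            out.append(block)
            continue
        if skipping:
            if line.strip() == END_MARK:
                skipping = False
            continue
        out.append(line)
    if not replaced:
        if out and not out[-1].endswith("\n"):
            out.append("\n")
        out.append(block)
    return "".join(out)


def collect_names(server_ips, runner=None):
    """Map each IP to its NetBIOS name; `runner(ip)` returns nbtstat text.

    The default runner shells out to nbtstat (Windows only); tests inject a fake.
    """
    if runner is None:
        def runner(ip):
            return subprocess.run(["nbtstat", "-a", ip], capture_output=True,
                                  text=True, check=False).stdout
    result = {}
    for ip in server_ips:
        name = parse_nbtstat(runner(ip))
        if name:
            result[ip] = name
    return result


if __name__ == "__main__":
    import sys
    # Hypothetical usage from an elevated prompt: python vpn_hosts.py 192.168.1.2 192.168.1.3
    mapping = collect_names(sys.argv[1:])
    path = r"C:\Windows\System32\drivers\etc\hosts"
    with open(path, encoding="ascii", errors="replace") as fh:
        current = fh.read()
    with open(path, "w", encoding="ascii") as fh:
        fh.write(merge_hosts(current, mapping))
```

The hosts file is protected, so the script must run from an elevated prompt; because only the marker-delimited block is rewritten, it can be re-run whenever servers are added or renamed without disturbing hand-made entries. Like the batch file, it only helps with the single-label names that nbtstat returns, which is exactly what `\\FILESERVER\share` needs.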
 

Accepted Solution

by:
ian-pearce earned 0 total points
ID: 34234655
q2q
Thanks for the additional input.

This is what I got from Draytek support:

With a remote dial-in PPTP VPN connection, the VPN client will be assigned a DNS address as well as a local private address by the VPN server. But with a remote dial-in IPsec VPN connection, the VPN client will not be assigned any IP address by the VPN server. So you have to manually assign the "local" DNS server IP address to the VPN client.

When you see the status "connected" shown in the Smart VPN client, the VPN connection hasn't really been connected. In fact, when you press the "Active" button only one action is performed: the VPN profile is applied to the Windows IPsec policy.
No VPN message is exchanged between the VPN client and the VPN router at that time. You should issue a ping to one IP address of the remote VPN network to initiate the IPsec VPN connection.

So I guess there is no easy solution.


0
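Since, as DrayTek support explains above, "connected" only means the IPsec policy was applied and no tunnel traffic has flowed yet, the reliable check is a packet that must cross the tunnel: a DNS query sent straight to the LAN DNS server. The script below is an added example, not code from the thread or from DrayTek; the LAN DNS address 192.168.1.1 and the probe name `fileserver.office.local` are constructed values.

```python
"""Check whether an IPsec dial-in tunnel is really usable by querying the LAN DNS.

Added example (not from the thread or DrayTek). Sends one DNS A query over
UDP/53 directly to the LAN DNS server and reports True only on a parsable
positive answer; a timeout, an unreachable network or a garbage reply all
count as "tunnel not usable", whatever the client's status window shows.
"""
import os
import socket
import struct


def build_query(name, txid):
    """Encode a minimal DNS query for an A record in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def answered(response, txid):
    """True if `response` is a reply to our transaction with RCODE 0 and an answer."""
    if len(response) < 12:
        return False
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    is_reply = bool(flags & 0x8000)
    rcode = flags & 0x000F
    return rid == txid and is_reply and rcode == 0 and an > 0


def tunnel_really_up(lan_dns_ip, probe_name, timeout=2.0):
    """Send the probe and judge the tunnel by whether a valid answer comes back."""
    txid = struct.unpack("!H", os.urandom(2))[0]  # random ID so stray replies don't match
    query = build_query(probe_name, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (lan_dns_ip, 53))
        data, _peer = sock.recvfrom(512)
    except (socket.timeout, OSError):
        return False
    finally:
        sock.close()
    return answered(data, txid)


if __name__ == "__main__":
    # Constructed values for a LAN like the one in the question: DC/DNS at 192.168.1.1.
    ok = tunnel_really_up("192.168.1.1", "fileserver.office.local")
    print("tunnel usable" if ok else "tunnel NOT usable: ping a LAN host to bring it up, then retry")
```

Running this right after pressing "Active" is expected to fail on the first attempt, because the probe itself is the traffic that triggers IKE negotiation; a second run a few seconds later distinguishes a tunnel that came up from one that never will (wrong credentials, no internet). Because the query is addressed to the LAN server by IP, it bypasses whatever resolver the laptop's ISP connection handed out.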
 
LVL 5

Expert Comment

by:q2q
ID: 34236861
That's a shame. Well, there isn't an answer for everything.
0
 

Author Closing Comment

by:ian-pearce
ID: 34387603
Did not really solve the problem, as there is no solution.
0
