Draytek IPsec VPN tunnel

I have the following problem, and would like to know if anybody can point me in the right direction to get a solution for this.

I have a Draytek Vigor 2820 modem/router that I use as a VPN gateway to a LAN that consists of a Windows 2008 R2 server which is a DC, file server, DNS server and DHCP server. The rest of the LAN is a couple of PCs that are part of the domain. All the other users, some 10 laptops, are very mobile and are not part of the domain, as these are usually personal laptops. They connect to the network once they are in the office, and there is no problem accessing shares on the file server, as the DNS server IP address is given to each laptop as it connects.

The problem arises when these mobile users connect via the Draytek Smart VPN client (Ver ...). If the user connects via the "IPsec Tunnel" option, I can ping the file server, or any other PC on the LAN, but I cannot actually connect to the share via its name (or to any PC via its name). Basically the client does not know about the LAN's DNS server.

Is there some way to let the client connected via the VPN IPsec Tunnel know the IP of the LAN's DNS server so that the client can resolve the share names? The only way around it I have found, which is quite cumbersome, is to map all the shares in the HOSTS file, but I would rather not do that.

The reason I do not want to use the PPTP option is that I do not want to know the users passwords for the VPN connections.

Another problem that I have found with Draytek's Smart VPN Client (sVPNc) is that even if you put in the wrong credentials and IP address (while connecting as IPsec Tunnel), the client will tell you that it is connected even though there is no connection (you might not even have internet access and the sVPNc will happily tell you that you are connected). Not very useful for the clients, as they believe they are connected but cannot access anything, as obviously there is no connection whatsoever.

Thank you
ian-pearce (Author) Commented:
Thanks for the additional input.

This is what I got from Draytek support:

With a remote dial-in PPTP VPN connection, the VPN client will be assigned a DNS address as well as a local private address by the VPN server. But with a remote dial-in IPsec VPN connection, the VPN client will not be assigned any IP address by the VPN server. So you have to manually assign the "local" DNS server IP address to the VPN client.

When you see the status "connected" shown in Smart VPN client, the VPN connection hasn't really been connected. In fact when you press the "Active" button, only one action is performed: the VPN profile is applied to the Windows IPsec policy.
No VPN message is exchanged between the VPN client and the VPN router at that time. You should issue a ping to one IP address of the remote VPN network to initiate the IPsec VPN connection.

So I guess there is no easy solution.

You cannot configure remote DNS settings in the Draytek VPN software. However you can do so with the native Windows VPN client.
When using the Draytek Smart VPN it creates another dial-up connection. Take a look in Network Connections.
You can then modify this connection in the Networking tab to include specific DNS settings.

Failing that, go to the LAN settings on the Draytek and check that the DNS servers there are pointing to your internal servers.

If none of the above works you could always use a hosts file or a simple batch file that does the following for each server:

nbtstat -a serverip

This will request the NetBIOS name table from each server it is run for. It will take a minute to run if you have a few IPs.

If the above isn't good enough (with having to run scripts) you could enable DHCP relay (LAN settings on the Draytek) to your internal server and get the VPN clients to use PPTP or L2TP; they will then pick up DNS automatically from the DHCP server.
Hope all this helps.

Sorry, I didn't see the bit about the PPTP password (my eyes read one thing and my brain saw something else).

If you are concerned about users connecting from other machines etc. after using a simple tool to get their PPTP password, you could always set up peer IDs and certificates etc. If you install the certificate in a non-exportable format onto their PC they couldn't 'tinker' with anything.
ian-pearce (Author) Commented:
Thanks for your input.
I have gone through those documents already; unfortunately they do not solve my problem as they describe LAN-to-LAN configuration.
I am not using a LAN-to-LAN VPN (I do not have a Draytek on both sides, and sometimes the client is not even on a fixed LAN, he just uses a USB modem to connect). Thus I need to use the Smart VPN client.

Thanks for your explanations.
Unfortunately when you use the VPN tunnel there is no dial-up connection that can be modified by Windows; the tunnel goes out over the existing network adapter and cannot be modified from Network Connections. The Draytek dial-up connection is only available when using PPTP or L2TP connections.

"Failing that go to the LAN settings on the Draytek and check the DNS servers there are pointing to your internal servers"

Not sure what you mean by this, as the IP of the client that connects via the VPN tunnel changes depending on where he is connecting from.

Yes, as I said in my original post, a hosts file is the only workable solution that I have found so far.
I am not sure how to integrate the hosts file and the nbtstat -a serverip command. I am editing the hosts files manually; if there is a batch file way to do it, I would be grateful for a script.

I think I will have to look at the certificate way. I have never done anything with certificates before, but I guess there is always a first time.

q2q Commented:
Sorry, my script work is not great, so the only way around that would be a large batch file that runs when the user connects.
The file would just need a line for every server the users need the name for. getname.bat would be:

    REM one nbtstat line per server; replace each serverip with that server's LAN address
    nbtstat -a serverip1
    nbtstat -a serverip2
    nbtstat -a serverip3

Then, if the users are occasionally on site, you could make a login script that copies this to the user's C drive and updates it when you get new servers etc.
If they are not on site they could have a shortcut to the script, using an IP address, that they run to get the name; as it's a simple text file it shouldn't take too long.

    REM keep the previous copy as getname.old, then fetch the current one from the server
    del getname.old
    rename getname.bat getname.old
    net use z: \\server\share\
    copy z:\getname.bat c:\getname.bat
    net use z: /delete

Not glamorous, but it's a reasonable workaround. Sorry I couldn't be more help on the VPN side.
That's a shame. Well, there isn't an answer for everything.
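The scripted hosts-file maintenance ian-pearce asked about, as an added example that is not part of the original thread and not Draytek's or Windows' own code. It keeps the LAN server names resolvable on a laptop whose IPsec tunnel receives no DNS server, which is exactly the HOSTS-file workaround above, but done idempotently: the script owns one marked block in the hosts file, removes any earlier copy of that block, strips stale hand-edited lines for the same names (the resolver takes the first match, so a stale line above the block would otherwise win), and leaves everything else untouched. The server names, IP addresses, marker text and the `corp.local` suffix are assumptions for illustration; the file path is the standard Windows location.

```python
"""Maintain a managed block of LAN name -> IP entries in the Windows hosts file.

Added example for this thread (not code from the original posts or from
Draytek). Server names, addresses and the block markers are assumptions.
"""
import os
import re
import sys

# Markers delimiting the block this script owns; anything outside is left alone.
BEGIN = "# BEGIN managed LAN entries (vpnhosts.py)"
END = "# END managed LAN entries (vpnhosts.py)"

# Constructed sample mapping (assumed, not from the thread). Short name and
# FQDN both listed so \\fileserver\share and \\fileserver.corp.local\share work.
LAN_ENTRIES = {
    "fileserver": "192.168.1.10",
    "fileserver.corp.local": "192.168.1.10",
    "pc01": "192.168.1.21",
}

HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def valid_ipv4(ip):
    m = _IPV4.match(ip)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def strip_managed_block(lines):
    """Drop a block written by an earlier run so the update is idempotent."""
    out, inside = [], False
    for line in lines:
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            out.append(line)
    return out


def remove_conflicts(lines, names):
    """Take managed names off unmanaged lines; the hosts file is read top-down,
    first match wins, so a stale hand-edited entry would otherwise shadow ours."""
    managed = {n.lower() for n in names}
    out = []
    for line in lines:
        code, _, comment = line.partition("#")
        fields = code.split()
        if len(fields) < 2 or not any(f.lower() in managed for f in fields[1:]):
            out.append(line)
            continue
        rest = [f for f in fields[1:] if f.lower() not in managed]
        if rest:  # keep the line for the names we do not manage
            out.append(" ".join([fields[0]] + rest) + ("  #" + comment if comment else ""))
    return out


def render_block(entries):
    """Build the managed block; refuse to write a malformed address."""
    bad = sorted(n for n, ip in entries.items() if not valid_ipv4(ip))
    if bad:
        raise ValueError("invalid IPv4 address for: " + ", ".join(bad))
    width = max(len(ip) for ip in entries.values())
    body = [f"{ip.ljust(width)}  {name}"
            for name, ip in sorted(entries.items(), key=lambda kv: (kv[1], kv[0]))]
    return [BEGIN] + body + [END]


def merge_hosts(text, entries):
    """Return hosts-file text with exactly one managed block holding `entries`,
    preserving the file's existing line ending (Windows hosts files use CRLF)."""
    eol = "\r\n" if "\r\n" in text else "\n"
    lines = remove_conflicts(strip_managed_block(text.splitlines()), entries)
    while lines and not lines[-1].strip():
        lines.pop()
    return eol.join(lines + [""] + render_block(entries)) + eol


def lookup(text, name):
    """First-match, case-insensitive lookup, the way the hosts file is consulted."""
    for line in text.splitlines():
        fields = line.partition("#")[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


def main(path=HOSTS_PATH):
    # Needs an elevated prompt on Windows: the hosts file is admin-writable only.
    with open(path, encoding="utf-8", errors="replace") as fh:
        old = fh.read()
    new = merge_hosts(old, LAN_ENTRIES)
    if new == old:
        print("hosts file already up to date")
        return 0
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(new)
    print(f"updated {path}: {len(LAN_ENTRIES)} managed entries")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from an elevated prompt on each laptop (or from the login script q2q describes, with `LAN_ENTRIES` updated centrally) and re-run it whenever a server is added; because it rewrites only its own block, repeated runs leave the file unchanged. It does nothing for the NetBIOS cache, so `nbtstat -a` is still needed if a share is reached by a bare NetBIOS name rather than a hosts-file name, and it does not change the sVPNc behaviour Draytek support describes: the tunnel is still only brought up by the first packet to a LAN address.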
ian-pearce (Author) Commented:
Did not really solve the problem, as there is no solution.