Solved

Draytek IPsec VPN tunnel

Posted on 2010-11-25
Last Modified: 2012-05-10
I have the following problem, and would like to know if anybody can point me in the right direction to get a solution for this.

I have a Draytek 2820 Vigor modem/router that I use as a VPN gateway to a LAN that consists of a Windows 2008 R2 server, which is a DC, file server, DNS server and DHCP server. The rest of the LAN is a couple of PCs that are part of the domain. All the other users, some 10 laptops, are very mobile and are not part of the domain, as these are usually personal laptops. They connect to the network once they are in the office, and there is no problem accessing shares on the file server, as the DNS server IP address is given to each laptop as it connects.

The problem arises when these mobile users connect via the Draytek Smart VPN client (Ver 4.0.0.3). If the user connects via the “IPsec Tunnel” option, I can ping the file server, or any other PC on the LAN, but I cannot actually connect to the share via its name (or to any PC via its name). Basically the client does not know about the LAN's DNS server.

Is there some way to let the client connected via the VPN IPsec Tunnel know the IP of the LAN's DNS server so that the client can resolve the share names? The only way around it I have found, which is quite cumbersome, is to map all the shares in the HOSTS file, but I would rather not do that.

The reason I do not want to use the PPTP option is that I do not want to know the users passwords for the VPN connections.

Another problem that I have found with the Draytek Smart VPN Client (sVPNc) is that even if you put in wrong credentials and IP address (while connecting as IPsec Tunnel), the client will tell you that it is connected even though there is no connection (you might not even have internet access and the sVPNc will happily tell you that you are connected). Not very useful for the clients, as they believe they are connected but cannot access anything, as obviously there is no connection whatsoever.


Thank you
Question by:ian-pearce

8 Comments
Expert Comment

by:diprajbasu
Expert Comment

by:q2q
You cannot configure remote DNS settings in the Draytek VPN software. However, you can do so with the native Windows VPN client.
When using the Draytek Smart VPN it creates another dial-up connection. Take a look in Network Connections.
You can then modify this connection in the Networking tab to include specific DNS settings.

Failing that, go to the LAN settings on the Draytek and check that the DNS servers there are pointing to your internal servers.

If none of the above works, you could always use a hosts file or a simple batch file that runs the following against each server:

nbtstat -a serverip

This will request the NetBIOS name table from each server it is run against. It will take a minute to run if you have a few IPs.

If the above isn't good enough (with having to run scripts), you could enable DHCP relay (LAN settings on the Draytek) to your internal server and get the VPN clients to use PPTP or L2TP; they will then pick up DNS automatically from the DHCP server.
Hope all this helps.
Expert Comment

by:q2q
Sorry, I didn't see the bit about the PPTP password (my eyes read one thing and my brain saw something else).

If you are concerned about users connecting from other machines etc. after using a simple tool to get their PPTP password, you could always set up peer IDs and certificates etc. If you install the certificate in a non-exportable format on their PC they couldn't tinker with anything.
Author Comment

by:ian-pearce
Diprajbasu:
Thanks for your input.
I have gone through those documents already; unfortunately they do not solve my problem, as they describe LAN-to-LAN configuration.
I am not using a LAN-to-LAN VPN (I do not have a Draytek on both sides, and sometimes the client is not even on a fixed LAN, he just uses a USB modem to connect). Thus I need to use the Smart VPN client.

Q2q
Thanks for your explanations.
Unfortunately, when you use the VPN tunnel there is no dial-up connection that can be modified by Windows; the tunnel goes out over the existing network adapter, and it cannot be modified from Network Connections. The Draytek dial-up connection is only available when using PPTP or L2TP connections.

"""Failing that go to the lan settings on the draytek and check the dns servers there are pointing to your internal servers"""

Not sure what you mean by this, as the IP of the client that connects via the VPN tunnel changes depending on where he is connecting from.

Yes, as I said in my original post, a hosts file is the only workable solution that I have found so far.
I am not sure how to integrate the hosts file and the nbtstat -a serverip command. I am editing the hosts files manually; if there is a batch file way to do it, I would be grateful for a script.

I think I will have to look at the certificate way. I had never done anything with certificates before, but I guess there is always a first time.

Thanks
Assisted Solution

by:q2q
q2q earned 500 total points
Sorry, my script work is not great, so the only way around that would be to do a large batch file that runs when the user connects.
The file would just need a line for every server the users need the name for,
so
getname.bat would be

REM query each server's NetBIOS name table so its name is cached locally
nbtstat -a 192.168.1.1
nbtstat -a 192.168.1.2
nbtstat -a 192.168.1.3

Then, if the users are occasionally on site, you could make a login script that copies it to the user's C: drive and updates it for when you get new servers etc.
If they are not on site they could have a shortcut to the script using an IP address that they run to get the names; as it's a simple text file it shouldn't take too long.

loginscript.bat

c:
cd \
REM keep the previous copy as getname.old, then fetch the current one from the share
if exist getname.old del getname.old
if exist getname.bat rename getname.bat getname.old
net use z: \\server\share
copy z:\getname.bat c:\getname.bat
net use z: /delete

Not glamorous, but it's a reasonable workaround. Sorry I couldn't be more help on the VPN side.
Accepted Solution

by:ian-pearce
ian-pearce earned 0 total points
q2q
Thanks for the additional input.

This is what I got from Draytek support:

With a remote dial-in PPTP VPN connection, the VPN client will be assigned a DNS address as well as a local private address by the VPN server. But with a remote dial-in IPsec VPN connection, the VPN client will not be assigned any IP address by the VPN server. So you have to manually assign the "local" DNS server IP address to the VPN client.

When you see the status "connected" shown in Smart VPN client, the VPN connection hasn't really been connected. In fact, when you press the "Active" button, only one action is performed: the VPN profile is applied to the Windows IPsec policy.
No VPN message is exchanged between the VPN client and the VPN router at that time. You should issue a ping to one IP address of the remote VPN network to initiate the IPsec VPN connection.

So I guess there is no easy solution.
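Added example, not code from this thread, from q2q, or from Draytek. It ties together the two points above: Draytek support's explanation that pressing "Active" only installs a Windows IPsec policy and that traffic to the remote LAN is what actually negotiates the tunnel, and q2q's nbtstat workaround for name resolution. The script pings a LAN address until a reply really comes back, proves the tunnel carries TCP by connecting to port 445 on the file server, and only then seeds the NetBIOS remote name cache so \\NAME\share works without DNS or a HOSTS file. The server names and addresses (FILESRV at 192.168.1.10, LANPC1 at 192.168.1.20, LAN 192.168.1.0/24) are assumptions for illustration.

```powershell
# Added example (not from the thread). Run after activating the Smart VPN
# "IPsec Tunnel" profile. Hypothetical LAN: FILESRV (DC/file/DNS) 192.168.1.10,
# workstation LANPC1 192.168.1.20.

$Servers = @{
    'FILESRV' = '192.168.1.10'
    'LANPC1'  = '192.168.1.20'
}
$ProbeIp = $Servers['FILESRV']   # any address inside the remote LAN will do

function Start-IpsecTunnel {
    param([string]$Ip, [int]$Attempts = 5)
    # The first packet to the remote subnet only triggers IKE; its reply is
    # normally lost while the SAs are set up, so retry until a reply arrives.
    for ($i = 1; $i -le $Attempts; $i++) {
        if (Test-Connection -ComputerName $Ip -Count 1 -Quiet) { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}

function Test-TcpPort {
    param([string]$Ip, [int]$Port, [int]$TimeoutMs = 3000)
    # A completed TCP handshake shows the tunnel carries real traffic, not just ICMP.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Add-NetBiosCacheEntry {
    param([string]$Name, [string]$Ip)
    # nbtstat -a queries the remote machine's NetBIOS name table over UDP/137 and
    # caches what it gets back. The <20> record is the file server service, which
    # is what a \\NAME\share lookup needs. Cache entries age out (600 s by
    # default), so run this again after each reconnect.
    $lines = & nbtstat -a $Ip 2>&1
    $hit = $lines | Where-Object { $_ -match "^\s*$Name\s+<20>" }
    return [bool]$hit
}

if (-not (Start-IpsecTunnel -Ip $ProbeIp)) {
    Write-Error "No reply from $ProbeIp - the tunnel is not up, whatever Smart VPN displays."
    exit 1
}
if (-not (Test-TcpPort -Ip $ProbeIp -Port 445)) {
    Write-Error "ICMP reaches $ProbeIp but TCP/445 does not; check the phase-2 policy and the server firewall."
    exit 1
}
foreach ($entry in $Servers.GetEnumerator()) {
    if (Add-NetBiosCacheEntry -Name $entry.Key -Ip $entry.Value) {
        Write-Host ("cached {0} -> {1}" -f $entry.Key, $entry.Value)
    } else {
        Write-Warning ("no <20> record for {0} from {1}; is NetBIOS over TCP/IP enabled and UDP/137 allowed through the tunnel?" -f $entry.Key, $entry.Value)
    }
}
& nbtstat -c    # list the remote name cache the resolver will now use
```

The script exits non-zero when the LAN is unreachable, which is the check the Smart VPN client's "connected" status does not give you. Seeding the NetBIOS cache is a short-lived fix (entries expire and are lost at reboot), so the HOSTS file remains the durable alternative when DNS cannot be pushed to the client. From an elevated prompt, `netsh ipsec dynamic show qmsas` lists the quick-mode SAs the applied Windows IPsec policy has negotiated, which is the most direct way to confirm the tunnel is really established.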
Expert Comment

by:q2q
That's a shame. Well, there isn't an answer for everything.
Author Closing Comment

by:ian-pearce
Did not really solve the problem, as there is no solution.