IPSec VPN - not using DNS server given

Discussion in 'Mac OS X Server, Xserve, and Networking' started by gopherhockey, Mar 6, 2011.

  1. macrumors regular


    Apr 2, 2010
    I have an IPSec VPN set up into the Cisco VPN at corporate. It logs in just fine and presents me with an IP address and a DNS address.

    The problem is, this dns address (internal to my company) is not used. So for example, if I go to an internal sharepoint site, it finds nothing.

    If I take the DNS IP and manually add it as the first entry on my regular ethernet connection, it works. However, if my computer locks out then it won't authenticate me back (now it's not finding my internal directory server, apparently).

    It seems like I'm presented with two routes but the necessary routing to properly use the two are not done correctly. Asked our network guys and they "don't support Macs" of course.

    My internal network is 10.2.1.X My dns is and

    My company wants to give me as the dns server address.

    I'm handed an IP for the corporate VPN. (Note I have this exact same issue when using the VPN from an iPhone or iPad; I have to manually add the DNS server given to the front of my entries.)

    Here is a bit of the routing table:

    Destination Gateway Flags Refs Use Netif Expire
    default UGSc 58 0 en0
    default utun0 UCSI 5 0 utun0
    5 link#7 UC 2 0 ham0 f6:5:6f:f7:4:44 UHLWI 0 2 lo0 link#7 UHLWbI 2 123393 ham0
    10 UGSc 3 11 utun0
    10.2.1/24 link#4 UCS 21 0 en0 0:15:5d:a:2:d UHLWI 1 1463074 en0 1188 0:15:5d:1:23:3 UHLWI 38 233669 en0 1159 0:11:32:7:86:35 UHLWI 2 21271910 en0 676 0:11:32:6:b6:60 UHLWI 1 56386399 en0 883 0:11:25:f6:4d:3d UHLWI 0 47090 en0 1144
    (a bunch more 10.2 addresses here...) UH 6 0 utun0
    10.37.129/24 link#9 UC 2 0 vnic1 0:1c:42:0:0:9 UHLWI 0 2 lo0 link#9 UHLWbI 4 123392 vnic1
    10.211.55/24 link#8 UC 2 0 vnic0 0:1c:42:0:0:8 UHLWI 0 2 lo0 link#8 UHLWbI 2 123392 vnic0
    127 UCS 0 0 lo0 UH 4 1964021 lo0
    169.254 link#4 UCS 1 0 en0 link#4 UHLW 2 35 en0
    172.16/12 UGSc 0 0 utun0
    192.168.0/16 UGSc 0 0 utun0 UGHS 0 0 en0
  2. lifeonthedf, Mar 7, 2011
    Last edited: Mar 7, 2011

    macrumors newbie


    Mar 7, 2011


    I encountered the same issue.

    In order to fix this you need access to the firewall in my case an ASA5510.

    Assuming you have access or can request the change do the following:

    In the ASDM

    Configuration -> Remote Access VPN ->Network (Client) Access -> Group Policies

    What I did here was duplicate my current group policy in order to make this specific for mac users.

    Once this is done, edit the group policy.

    Expand Advanced and select Split Tunneling.

    If 'Inherit' is checked for DNS Names, uncheck it and specify the domains.


    DNS Names: [ ] Inherit [example.com example2.com example3.com]

    Note: domain names can be delimited by space, comma, or semicolon.

    Hope this helps you out!
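    Added example (not from any poster in this thread): once the ASA pushes split-DNS names, macOS creates a supplemental resolver scoped to those domains on the VPN interface, which is what `scutil --dns` shows. This script parses that output and reports which nameserver a hostname will actually hit, so you can confirm the fix worked; the resolver text and addresses below are constructed samples.

```python
import re
# Constructed sample of `scutil --dns` output, before the split-DNS fix: only the
# Ethernet resolver exists, so every lookup goes to the LAN DNS (made-up addresses).
BEFORE = """DNS configuration
resolver #1
  search domain[0] : home.lan
  nameserver[0] : 10.2.1.1
  if_index : 4 (en0)
"""
# After the ASA pushes split-DNS names, macOS adds a supplemental resolver scoped
# to that domain on the VPN interface (constructed, same layout scutil prints).
AFTER = BEFORE + """resolver #2
  domain   : example.com
  nameserver[0] : 10.8.0.53
  if_index : 7 (utun0)
"""

def parse_scutil_dns(text):
    """Split `scutil --dns` text into dicts: domain (None = default), nameservers, iface."""
    resolvers = []
    for chunk in re.split(r"^resolver #\d+", text, flags=re.M)[1:]:
        r = {"domain": None, "nameservers": [], "iface": None}
        for line in chunk.splitlines():
            m = re.match(r"\s*(domain|nameserver\[\d+\]|if_index)\s*:\s*(.+)", line)
            if not m:
                continue
            key, val = m.group(1), m.group(2).strip()
            if key == "domain":
                r["domain"] = val.lower().rstrip(".")
            elif key.startswith("nameserver"):
                r["nameservers"].append(val)
            else:  # if_index looks like "7 (utun0)"; keep the interface name
                found = re.search(r"\((\w+)\)", val)
                r["iface"] = found.group(1) if found else val
        resolvers.append(r)
    return resolvers

def resolver_for(hostname, resolvers):
    """Mimic macOS: longest matching scoped domain wins, otherwise the default resolver."""
    host = hostname.lower().rstrip(".")
    scoped = [r for r in resolvers
              if r["domain"] and (host == r["domain"] or host.endswith("." + r["domain"]))]
    if scoped:
        return max(scoped, key=lambda r: len(r["domain"]))
    return next(r for r in resolvers if r["domain"] is None)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        r = resolver_for("sharepoint.example.com", parse_scutil_dns(text))
        print(f"{label}: sharepoint.example.com -> {r['nameservers']} via {r['iface']}")
```

    On a real Mac, feed the live output in with `subprocess.check_output(["scutil", "--dns"], text=True)` in place of the sample strings.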
  3. thread starter macrumors regular


    Apr 2, 2010
    I'll pass this along to the network team - thanks for the tip, seems to make sense. I'll post up if it works.
  4. macrumors newbie

    Sep 6, 2013
    Thanks for this tip! I've implemented this here on our Cisco firewall and now both iOS and Mac OS users can easily navigate sites with hostnames. You made the day, weekend and month!
  5. macrumors newbie

    Sep 6, 2013
    I thought it was just me!

    I ended up taking my laptop to work today to test if it would work there and it did.
    When I brought it home, everything worked perfectly.
