IPSec VPN - not using DNS server given

Discussion in 'Mac OS X Server, Xserve, and Networking' started by gopherhockey, Mar 6, 2011.

  1. macrumors regular

    gopherhockey

    Joined:
    Apr 2, 2010
    #1
    I have an IPSec VPN set up into the Cisco VPN at corporate. It logs in just fine and presents me with an IP address and a DNS address.

    The problem is, this dns address (internal to my company) is not used. So for example, if I go to an internal sharepoint site, it finds nothing.

    If I take the DNS IP and manually add it as the first entry on my regular ethernet connection, it works. However, if my computer locks out then it won't authenticate me back (now its not finding my internal directory server apparently)

    It seems like I'm presented with two routes but the necessary routing to properly use the two are not done correctly. Asked our network guys and they "don't support Macs" of course.

    My internal network is 10.2.1.X My dns is 10.2.1.3 and 10.2.1.7

    My company wants to give me 10.23.0.12 as the dns server address.

    I'm handed a 10.23.128.10 IP for the corporate VPN. (Note I have this exact same issue when using the VPN from an iphone or ipad, I have to manually add the dns server given to the front of my entries)

    Here is a bit of the routing table:


    Internet:
    Destination Gateway Flags Refs Use Netif Expire
    default 10.2.1.51 UGSc 58 0 en0
    default utun0 UCSI 5 0 utun0
    5 link#7 UC 2 0 ham0
    5.48.226.186 f6:5:6f:f7:4:44 UHLWI 0 2 lo0
    5.255.255.255 link#7 UHLWbI 2 123393 ham0
    10 10.23.128.10 UGSc 3 11 utun0
    10.2.1/24 link#4 UCS 21 0 en0
    10.2.1.2 0:15:5d:a:2:d UHLWI 1 1463074 en0 1188
    10.2.1.3 0:15:5d:1:23:3 UHLWI 38 233669 en0 1159
    10.2.1.4 0:11:32:7:86:35 UHLWI 2 21271910 en0 676
    10.2.1.5 0:11:32:6:b6:60 UHLWI 1 56386399 en0 883
    10.2.1.7 0:11:25:f6:4d:3d UHLWI 0 47090 en0 1144
    (a bunch more 10.2 addresses here...)
    10.23.128.10 10.23.128.10 UH 6 0 utun0
    10.37.129/24 link#9 UC 2 0 vnic1
    10.37.129.2 0:1c:42:0:0:9 UHLWI 0 2 lo0
    10.37.129.255 link#9 UHLWbI 4 123392 vnic1
    10.211.55/24 link#8 UC 2 0 vnic0
    10.211.55.2 0:1c:42:0:0:8 UHLWI 0 2 lo0
    10.211.55.255 link#8 UHLWbI 2 123392 vnic0
    127 127.0.0.1 UCS 0 0 lo0
    127.0.0.1 127.0.0.1 UH 4 1964021 lo0
    169.254 link#4 UCS 1 0 en0
    169.254.9.236 link#4 UHLW 2 35 en0
    172.16/12 10.23.128.10 UGSc 0 0 utun0
    192.168.0/16 10.23.128.10 UGSc 0 0 utun0
    204.89.40.42 10.2.1.51 UGHS 0 0 en0
     
  2. lifeonthedf, Mar 7, 2011
    Last edited: Mar 7, 2011

    macrumors newbie

    lifeonthedf

    Joined:
    Mar 7, 2011
    Location:
    Oregon
    #2
    IPSEC VPN - DNS Fix

    gopherhockey,

    I encountered the same issue.

    In order to fix this you need access to the firewall in my case an ASA5510.

    Assuming you have access or can request the change do the following:

    In the ASDM

    Configuration -> Remote Access VPN ->Network (Client) Access -> Group Policies

    What I did here was duplicate my current group policy in order to make this specific for mac users.

    Once this is done, edit the group policy.

    Expand Advanced and select Split Tunneling.

    If the DNS Names is checked 'Inherit', uncheck it and specify the domains.

    Example:

    DNS Names: [ ]Inherirt [example.com exmaple2.com example3.com]

    Note: domain names can be delimited by space,comma, or semicolon

    Hope this helps you out!
     
  3. thread starter macrumors regular

    gopherhockey

    Joined:
    Apr 2, 2010
    #3
    I'll pass this along to the network team - thanks for the tip, seems to make sense. I'll post up if it works.
     
  4. macrumors newbie

    Joined:
    Sep 6, 2013
    #4
    Thanks for this tip! I've implemented this here on our Cisco firewall and now both iOS and Mac OS users can easily navigate sites with hostnames. You made the day, weekend and month!
     
  5. macrumors newbie

    Joined:
    Sep 6, 2013
    #5
    I thought I was just me!

    I ended up taking my laptop to work today to test if it would work there and it did.
    When I brought it home, everything worked perfectly.
     

Share This Page