Problems with Cisco VPN?

Discussion in 'iPhone Tips, Help and Troubleshooting' started by CaptSaltyJack, Jul 10, 2008.

  1. CaptSaltyJack macrumors 6502

    Joined:
    Jun 28, 2007
    #1
    So I added a new Cisco (IPsec) VPN config and connected just fine, I get the blue VPN logo in the status bar at the top. But I can't surf to my company's internal web sites. It seems like the iPhone is not using our company's DNS servers. This works just fine as expected on the Mac, if I run the Cisco VPN software and connect, then my DNS server on the Mac is temporarily changed to my company's servers.

    Anyone else experience this?
     
  2. kevyg macrumors newbie

    Joined:
    Jul 29, 2007
    #2
    Yep, no DNS

    You're right on the money - it's not using the DNS servers supplied by the remote VPN server/concentrator. If I try to hit an internal server by IP address, I get there - which means the actual IPSec tunnel is up and functioning. Confirmed that in the logs on our VPN concentrator, too. But trying to get to anything by name doesn't work. Which probably makes VPN completely useless at this point.

    How does this stuff get past QA testing? Terrible. Take a lap.
     
  3. CaptSaltyJack thread starter macrumors 6502

    Joined:
    Jun 28, 2007
    #3
    Wow, pretty big screw-up. :) I'll have to report it officially to them; I'd recommend others do so too.
     
  4. outz macrumors 6502

    Joined:
    Jul 17, 2007
    #4
    I noticed the DNS issue this morning after purchasing and attempting to log in via VPN. How lame.
     
  5. kevyg macrumors newbie

    Joined:
    Jul 29, 2007
    #5
  6. demiurgical macrumors member

    Joined:
    Jun 29, 2007
    Location:
    NYC
    #6
    I just VPN'd in from a 1st generation iPhone with 2.0 firmware. Was able to load several intranet pages w/o any problems.

    side note: I was having problem connecting to VPN at first but then I figured out you don't need your domain prior to your username and that connected me in right away.

    ~.
     
  7. svento macrumors newbie

    Joined:
    Jun 30, 2007
    #7
    I'm seeing this too. I was able to finally access my company's Exchange server by finding out its IP address and putting it in the "server" field of the email setup.

    I also tried to manually set the DNS server address in the network setup, but that didn't work. I would be fine with this solution since I don't expect my company to change DNS servers too often! Anyone have any ideas why this doesn't work? (I tried delimiting the addresses with spaces and commas.)
     
  8. CaptSaltyJack thread starter macrumors 6502

    Joined:
    Jun 28, 2007
    #8
    This is still broken as of OS 3.0. Total crap.
     
  9. roderickm macrumors newbie

    Joined:
    Nov 12, 2009
    #9
    It's not lame, or terrible. If you configure on the VPN concentrator which networks you want to tunnel ("split tunneling"), then you should also configure the concentrator with the domains that use your internal DNS servers ("split dns").

    Create an access list to describe the networks you wish to tunnel:
    Code:
    asa(config)# access-list VPN_SplitTunnel remark My Private Network1
    asa(config)# access-list VPN_SplitTunnel standard permit 10.1.1.0 255.255.255.0
    asa(config)# access-list VPN_SplitTunnel remark My Private Network2
    asa(config)# access-list VPN_SplitTunnel standard permit 10.2.2.0 255.255.255.0
    ...then in your group-policy, set the policy to tunnel only the networks specified, and point to the access-list you just created:
    Code:
    asa(config)# group-policy DfltGrpPolicy attributes
    asa(config-group-policy)# split-tunnel-policy tunnelspecified
    asa(config-group-policy)# split-tunnel-network-list value VPN_SplitTunnel
    While you're still in your group-policy, specify your DNS servers and the internal domains that should use them:
    Code:
    asa(config-group-policy)# dns-server value 10.1.1.1 10.2.2.2
    asa(config-group-policy)# split-dns value domain.internal anotherdomain.com
    With the above settings, when the VPN client looks up server.domain.internal or host.anotherdomain.com, it will query 10.1.1.1 and 10.2.2.2.

    I had the same problem described above on my iPhone before I set up split-dns. Even when a split-tunnel-policy is set and dns-servers are given, the iPhone will continue to use its own (3G or WiFi assigned) DNS servers that don't know your internal DNS. Add the split-dns domains to your group-policy and it will work.
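A small model of the two decisions described in the post above, as an added example that is not from the post or from Cisco's own software: it applies the split-tunnel network list and the split-dns domain list quoted in the configuration to a hostname and its resolved address, matching domains on label boundaries so that a name like notdomain.internal is not treated as part of domain.internal. It also includes the check a practitioner would want when reproducing this thread's symptom: each internal DNS server must itself lie inside a tunneled network, otherwise the client would send its queries out the untunneled interface. The 192.0.2.53 local resolver, the 203.0.113.10 destination and the function names are assumptions constructed for the example.

```python
import ipaddress

# Constructed values mirroring the ASA configuration quoted in the post above.
# 192.0.2.53 is a hypothetical WiFi/3G-assigned resolver (documentation range).
SPLIT_TUNNEL_NETWORKS = ["10.1.1.0/24", "10.2.2.0/24"]         # access-list VPN_SplitTunnel
INTERNAL_DNS_SERVERS = ["10.1.1.1", "10.2.2.2"]                # dns-server value ...
SPLIT_DNS_DOMAINS = ["domain.internal", "anotherdomain.com"]   # split-dns value ...
LOCAL_DNS_SERVERS = ["192.0.2.53"]


def route_via_tunnel(ip, networks=SPLIT_TUNNEL_NETWORKS):
    """True if the destination address falls inside one of the split-tunnel networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def resolvers_for(hostname, domains=SPLIT_DNS_DOMAINS):
    """Pick the resolvers a split-DNS client should use for a name.

    Matching is case-insensitive and on DNS label boundaries, so
    'notdomain.internal' does NOT match the split domain 'domain.internal'.
    """
    name = hostname.rstrip(".").lower()
    for domain in domains:
        suffix = domain.rstrip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            return list(INTERNAL_DNS_SERVERS)
    return list(LOCAL_DNS_SERVERS)


def unreachable_dns_servers(dns_servers=INTERNAL_DNS_SERVERS, networks=SPLIT_TUNNEL_NETWORKS):
    """Internal resolvers the split-tunnel ACL would not carry.

    Queries to such a server leave via the local interface and fail, which
    reproduces the 'tunnel is up but names do not resolve' symptom.
    """
    return [server for server in dns_servers if not route_via_tunnel(server, networks)]


def classify(hostname, resolved_ip):
    """Summarise how one lookup and the following connection would be handled."""
    return {
        "name": hostname,
        "resolvers": resolvers_for(hostname),
        "tunneled": route_via_tunnel(resolved_ip),
    }


if __name__ == "__main__":
    # Constructed sample lookups: one internal host, one public host.
    for host, ip in [("server.domain.internal", "10.1.1.50"),
                     ("www.example.com", "203.0.113.10")]:
        print(classify(host, ip))
    print("internal resolvers outside the tunnel:", unreachable_dns_servers())
```

The `unreachable_dns_servers` check is the one worth running against a real group-policy: with the post's values both resolvers sit inside the tunneled /24s and the list is empty, but a dns-server address that is not covered by the split-tunnel access list would show up here, and the client would behave exactly as the earlier posts in this thread describe.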
     
