Problems with Cisco VPN?

[CaptSaltyJack]

So I added a new Cisco (IPsec) VPN config and connected just fine, I get the blue VPN logo in the status bar at the top. But I can't surf to my company's internal web sites. It seems like the iPhone is not using our company's DNS servers. This works just fine as expected on the Mac, if I run the Cisco VPN software and connect, then my DNS server on the Mac is temporarily changed to my company's servers.

Anyone else experience this?

 

[kevyg]

Yep, no DNS

You're right on the money - it's not using the DNS servers supplied by the remote VPN server/concentrator. If I try to hit an internal server by IP address, I get there - which means the actual IPSec tunnel is up and functioning. Confirmed that in the logs on our VPN concentrator, too. But trying to get to anything by name doesn't work. Which probably makes VPN completely useless at this point.

How does this stuff get past QA testing? Terrible. Take a lap.

 

[CaptSaltyJack]

Wow, pretty big screw-up. I'll have to report it officially to them, I'd recommend others do so too

 

[outz]

i noticed the dns issue this morning after purchasing and attempting to login via vpn. how lame.

 

[kevyg]

One guy on the Apple forums says it has to do with split tunneling. Apparently, if you tunnel everything through VPN, it works. I haven't been able to replicate this myself, though - so YMMV.

http://discussions.apple.com/thread.jspa?threadID=1596178&tstart=0

 

[demiurgical]

I just VPN'd in from a 1st generation iPhone with 2.0 firmware. Was able to load several intranet pages w/o any problems.

side note: I was having problem connecting to VPN at first but then I figured out you don't need your domain prior to your username and that connected me in right away.

~.

 

[svento]

I'm seeing this too. I was able to finally access my company's exchange server by finding out the ip address of it and putting it in the "server" field of the email setup.

I also tried to manually set the dns server address in the network setup, but that didn't work. I would be fine with this solution since I don't expect my company to change dns servers too often! Anyone have any ideas why this doesn't work? (I tried delimiting the addresses with spaces and commas.)

 

[CaptSaltyJack]

This is still broken as of OS 3.0. Total crap.

 

[roderickm]

It's not lame, or terrible. If you configure the VPN Concentrator which networks you want to tunnel ("split tunneling"), then you should configure the concentrator for the domains that use your internal DNS servers ("split dns").

Create an access list to describe the networks you wish to tunnel:

asa(config)# access-list VPN_SplitTunnel remark My Private Network1
asa(config)# access-list VPN_SplitTunnel standard permit 10.1.1.0 255.255.255.0 
asa(config)# access-list VPN_SplitTunnel remark My Private Network2
asa(config)# access-list VPN_SplitTunnel standard permit 10.2.2.0 255.255.255.0

...then in your group-policy, set the policy to tunnel only the networks specified, and point to the access-list you just created:

asa(config)#group-policy DfltGrpPolicy attributes
asa(config-group-policy)# split-tunnel-policy tunnelspecified
asa(config-group-policy)# split-tunnel-network-list value VPN_SplitTunnel

while you're still in your group-policy, specify your dns servers and the internal domains that should use them:

asa(config-group-policy)# dns-server value 10.1.1.1 10.2.2.2
asa(config-group-policy)# split-dns value domain.internal anotherdomain.com

With the above settings, when the VPN client looks up server.domain.internal or host.anotherdomain.com, it will query 10.1.1.1 and 10.2.2.2.

I had the same problem described above on my iPhone before I set up split-dns. Even when a split-tunnel-policy is set and dns-servers are given, the iPhone will continue to use its own (3G or WiFi assigned) DNS servers that don't know your internal DNS. Add the split-dns domains to your group-policy and it will work.