cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Additional crypto ike client configuration pools possible?

Jump to solution

Hello!

I have a customer who uses a single 3448 as the internet access router for two sister companies living in the same building.  They each have a group of mobile VPN users which need access to the networks.  We currently have them configured within one crypto ike client configuraiton pool.   However, since each company has thier own DNS server, they are running into some serious problems with name resolution for internal destinations.  Is there a way to create a duplicate crypto ike client configuraiton pool or is there a round-about way to assign a group of VPN users a different DNS server address as part of thier address assignment?

Thanks!

Dan

Labels (1)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Additional crypto ike client configuration pools possible?

Jump to solution

Dan,

I can think of one way to get around the issue you are running into and that is to manually assign a DNS server to the VPN client policy to one group of users. The other group of VPN client users can have their DNS server assigned automatically. I'm not sure which VPN client you are using, but on the Shrew VPN client, you have the capability to manually set the DNS server for the VPN client policy under the "Name Resolution" tab. You will want to disable the 'Obtain Automatically' option for DNS as well.

Unfortunately, adding an additional ike client configuration pool would be difficult. The issue with this is that you would also need to create an additional crypto ike policy as well as an additional crypto map entry. This is because only a single crypto ike configuration pool can be assigned to a crypto ike policy. To add to that, there can only be one crypto ike policy with a "peer any" specified. This means that any additional crypto ike policy would need to be aware of which peer was going to connect using it.

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

View solution in original post

0 Kudos
4 Replies
Anonymous
Not applicable

Re: Additional crypto ike client configuration pools possible?

Jump to solution

Dan,

I can think of one way to get around the issue you are running into and that is to manually assign a DNS server to the VPN client policy to one group of users. The other group of VPN client users can have their DNS server assigned automatically. I'm not sure which VPN client you are using, but on the Shrew VPN client, you have the capability to manually set the DNS server for the VPN client policy under the "Name Resolution" tab. You will want to disable the 'Obtain Automatically' option for DNS as well.

Unfortunately, adding an additional ike client configuration pool would be difficult. The issue with this is that you would also need to create an additional crypto ike policy as well as an additional crypto map entry. This is because only a single crypto ike configuration pool can be assigned to a crypto ike policy. To add to that, there can only be one crypto ike policy with a "peer any" specified. This means that any additional crypto ike policy would need to be aware of which peer was going to connect using it.

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

0 Kudos
Anonymous
Not applicable

Re: Additional crypto ike client configuration pools possible?

Jump to solution

Thanks Noor!

I think changing the Shrew VPN client DNS address will work just fine.

Each company also has hardware VPNs as well.  Where can I configure specific DNS settings for each of these VPN policies?

Thanks,

Dan

Anonymous
Not applicable

Re: Additional crypto ike client configuration pools possible?

Jump to solution

Dan,

Unfortunately, AOS devices do not set DNS servers for hardware VPN tunnels as they can be with VPN clients. When VPN hardware tunnels are up, clients will use the same DNS servers they were using before the VPN tunnels were established. You would need to modify the DNS servers locally in each network to ensure that clients are using DNS servers that are aware of the private networks clients are attempting to reach.

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

Anonymous
Not applicable

Re: Additional crypto ike client configuration pools possible?

Jump to solution

Thank you Noor!