All -
After much consternation, I was successfully able to install the Cisco
3000 series VPN client on my FC2 box with kernel 2.6.7. I had some
problems connecting at first, but that was fixed with a simple addition
to my iptables config file. Here's my current problem (and seemingly my
last hurdle to getting this to work as I need):
I'm connecting to the VPN server using NAT, as I have a firewall running
on my machine. I can get to all the internal websites with no problem;
however, when I try to ssh to a machine on the internal network, it
simply hangs. When I try to ping the same machine, it times out with
the following message:
PING: unknown host <hostname.myco.com>
Then I did a little experiment. I got the IP address of the machine
that I was attempting to connect to, re-established my VPN connection,
then attempted to ssh to the machine using the IP address. Lo and
behold, it worked, and I was able to verify that I was, in fact,
connected to the machine through my VPN connection (the 3000 series VPN
clients/concentrators allow for split tunnelling).
So... it seems as though name resolution does not work with the VPN
connection enabled. In fact, I can't see (ssh, ping, ...) ANY machines
while the VPN connection is active. I tried pinging cnn.com, and that
resulted in the same "unknown host..." message. I'm a bit of a newbie
to firewall configurations, etc, so any help on getting this to work
would be appreciated. I guess using the IP address is an OK workaround
for now, but I'd rather not rely on this method.
Thanks.
-greg
This is related to another thread here in the last day. I suspect that
the VPN client you are using does not have a DNS server configured or
does not have the correct DNS server configured.
You validated that you do have network connectivity using the IP
addresses. When you establish the VPN connection using the Cisco client
software you should end up with some kind of security policy. (I am
assuming this software is similar to Checkpoint's Secure Remote). Part
of that policy is DNS information. The DNS server it points to
will resolve all your DNS queries.
If the DNS server is incorrect or unreachable then the query will
fail.
Are you able to identify a file on your system that contains the
policy? I don't remember if Secure Remote encrypted the policy file or
not. (I always looked at the file on the firewall side)
Even in split tunnel mode with the Checkpoint software all DNS queries
went to the one defined in the security policy. It did this since there
was no way to differentiate if the request was for a name on the other
end of the VPN or not.
--
Scot L. Harris
webid(a)cfl.rr.com
In vino veritas.
[In wine there is truth.]
-- Pliny
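A quick local check for the two things Scot's reply and Greg's own iptables fix point at, added here as an example and not code from either post: does the resolver have a nameserver to send queries to (the VPN client should have written one into the policy or resolv.conf), and does the host firewall's OUTPUT chain actually let UDP/53 out to it? The file names, the 10.0.0.53 nameserver and both rule sets are constructed for the example; the iptables parse is deliberately simplified and ignores rule order, so a DROP placed earlier in the chain would be missed.

```shell
#!/bin/sh
# Added diagnostic for the thread's symptom, not code from the original posts.
# Inputs: a resolv.conf-style file and an `iptables-save` dump. The sample
# files created below are constructed for this example (10.0.0.53 is made up).

# Print the nameservers listed in a resolv.conf-style file ($1).
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if the iptables-save dump in $1 lets DNS queries leave the host:
# OUTPUT policy ACCEPT, a catch-all ACCEPT, or a rule matching
# "-p udp ... --dport 53 ... -j ACCEPT". Deliberately simplified: rule order
# is not honoured, so a DROP placed before the ACCEPT is not detected.
output_allows_dns() {
    dump="$1"
    grep -qE '^:OUTPUT ACCEPT' "$dump" && return 0
    grep -qE '^-A OUTPUT -j ACCEPT$' "$dump" && return 0
    grep -E '^-A OUTPUT ' "$dump" \
        | grep -E -- '-p udp' \
        | grep -E -- '--dport 53( |$)' \
        | grep -qE -- '-j ACCEPT' && return 0
    return 1
}

# Combine both checks. Status: 0 looks fine, 1 firewall blocks UDP/53,
# 2 no nameserver configured at all.
diagnose_dns() {
    ns=$(resolv_nameservers "$1")
    if [ -z "$ns" ]; then
        echo "no nameserver in $1: the resolver has nowhere to send queries"
        return 2
    fi
    echo "nameserver(s): $(echo "$ns" | tr '\n' ' ')"
    if output_allows_dns "$2"; then
        echo "OUTPUT chain permits UDP/53"
        return 0
    fi
    echo "OUTPUT chain has no rule permitting UDP/53; e.g. add:"
    echo "  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
    return 1
}

# --- constructed sample inputs ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SAMPLE_RESOLV="$TMPD/resolv.conf"
SAMPLE_RESOLV_EMPTY="$TMPD/resolv-empty.conf"
SAMPLE_IPT_BLOCKED="$TMPD/ipt-blocked.rules"
SAMPLE_IPT_FIXED="$TMPD/ipt-fixed.rules"

printf 'search example.com\nnameserver 10.0.0.53\n' > "$SAMPLE_RESOLV"
printf 'search example.com\n' > "$SAMPLE_RESOLV_EMPTY"

# Web, ssh and IKE allowed out, but nothing for UDP/53: IPs work, names hang.
cat > "$SAMPLE_IPT_BLOCKED" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 500 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF

# The same rule set with the one missing rule inserted after the IKE rule.
awk '{ print } /--dport 500/ { print "-A OUTPUT -p udp --dport 53 -j ACCEPT" }' \
    "$SAMPLE_IPT_BLOCKED" > "$SAMPLE_IPT_FIXED"

diagnose_dns "$SAMPLE_RESOLV" "$SAMPLE_IPT_BLOCKED" || echo "(status $?)"
diagnose_dns "$SAMPLE_RESOLV" "$SAMPLE_IPT_FIXED"   || echo "(status $?)"
```

Run it against the real files with `diagnose_dns /etc/resolv.conf <(iptables-save)` on a shell that supports process substitution, or dump `iptables-save` to a file first. The check is purely local: it cannot tell whether the nameserver the policy pushed is reachable through the tunnel, which is the other half of Scot's point; once UDP/53 is open, `dig @10.0.0.53 hostname.myco.com` (with the real server address) confirms that directly.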