4 Replies Latest reply on Apr 3, 2012 5:03 PM by danb

    Additional crypto ike client configuration pools possible?

    danb Visitor

      Hello!

      I have a customer who uses a single 3448 as the internet access router for two sister companies living in the same building.  They each have a group of mobile VPN users who need access to the networks.  We currently have them configured within one crypto ike client configuration pool.   However, since each company has their own DNS server, they are running into some serious problems with name resolution for internal destinations.  Is there a way to create a duplicate crypto ike client configuration pool or is there a round-about way to assign a group of VPN users a different DNS server address as part of their address assignment?

       

      Thanks!

      Dan

        • Re: Additional crypto ike client configuration pools possible?
          Employee

          Dan,

           

          I can think of one way to get around the issue you are running into and that is to manually assign a DNS server to the VPN client policy to one group of users. The other group of VPN client users can have their DNS server assigned automatically. I'm not sure which VPN client you are using, but on the Shrew VPN client, you have the capability to manually set the DNS server for the VPN client policy under the "Name Resolution" tab. You will want to disable the 'Obtain Automatically' option for DNS as well.

           

          Unfortunately, adding an additional ike client configuration pool would be difficult. The issue with this is that you would also need to create an additional crypto ike policy as well as an additional crypto map entry. This is because only a single crypto ike configuration pool can be assigned to a crypto ike policy. To add to that, there can only be one crypto ike policy with a "peer any" specified. This means that any additional crypto ike policy would need to be aware of which peer was going to connect using it.

           

          Please do not hesitate to let us know if you have any further questions.

           

          Thanks,

          Noor

          • Re: Additional crypto ike client configuration pools possible?
            danb Visitor

            Thanks Noor!

             

            I think changing the Shrew VPN client DNS address will work just fine.

            Each company also has hardware VPNs as well.  Where can I configure specific DNS settings for each of these VPN policies?

             

            Thanks,

            Dan