Will Not Fix it

Posted by Thoughts and Ramblings on Wednesday, December 6, 2006

I had an interesting exchange with the CIS people here at TAMU concerning their VPN. A bit of background:

  • A&M uses Cisco’s VPN client (and their concentrator too, IIRC).
  • There are two modes for the VPN: the normal mode, which forwards all traffic through the VPN, and the “split-tunnel” mode, which only forwards TAMU-destined traffic through the VPN.
  • Upon connecting to the VPN, the client changes your DNS server settings to those specified by the server (in both modes)

I tend to use the split-tunnel mode more often than not because I only care to get through the firewall. Now here is the situation. Slowly, when I was off campus, I noticed that I could not reach certain websites while using the VPN. They were perfectly reachable when not using the VPN, though. So, I tracked down the problem and reported it:

Apparently one of the “features” of Cisco’s VPN client is to change the local host’s DNS information. While this is fine when all traffic is tunneled through the VPN, it is completely foolish to do it when only TAMU traffic is forwarded.

Case in point: images.apple.com (an Akamai server). Without VPN, the IPs are:

  a932.g.akamai.net has address 81.52.248.174
  a932.g.akamai.net has address 81.52.248.185

With VPN, the IPs are:

  a932.g.akamai.net has address 165.91.254.17
  a932.g.akamai.net has address 165.91.254.15

With VPN, 165.91.254.15 and 165.91.254.17 are unreachable; without it, they are.

The solution: don’t ever even think about turning on the setting to change DNS information when the user utilizes the VPN for off-campus needs. It screws up too many things, and there is no good reason for it.

Yet another case: www.foxnews.com. Without VPN:

  a20.g.akamai.net has address 64.86.106.143
  a20.g.akamai.net has address 64.86.106.144

With VPN:

  a20.g.akamai.net has address 165.91.254.17
  a20.g.akamai.net has address 165.91.254.15

Later I postulated, over the phone, another possible solution. The Akamai servers sit outside the A&M firewall, and when using the split tunnel, the user is assigned a private IP address. Perhaps they need only allow this case of traffic through the firewall even though it is using private IP addresses.
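The failure above is a split-horizon DNS problem: the campus resolver hands back on-campus Akamai cache addresses that the split-tunnel route table never sends through the tunnel, so they go out the default interface and die at the firewall. The following is an added example, not code from the original post, of the audit I would run before filing such a report: resolve each name against the public resolver and the VPN-pushed resolver, compare the answers, and check whether any VPN-only addresses are actually reachable under the split-tunnel include list. The A records are the ones quoted in the post; the tunneled prefix (165.91.0.0/17), the internal domain list, and the two extra hosts are constructed assumptions for illustration, not TAMU’s real policy.

```python
"""Audit split-tunnel DNS: compare public vs. VPN-pushed resolver answers
and decide whether each VPN answer is reachable under the split routes."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample data. The two akamai.net entries are the A records
# quoted in the post; www.example.net and intranet.tamu.edu are made up
# to show the unproblematic and the expected-split cases.
PUBLIC_ANSWERS: Dict[str, List[str]] = {
    "a932.g.akamai.net": ["81.52.248.174", "81.52.248.185"],
    "a20.g.akamai.net": ["64.86.106.143", "64.86.106.144"],
    "www.example.net": ["203.0.113.10"],
    "intranet.tamu.edu": ["203.0.113.20"],
}
VPN_ANSWERS: Dict[str, List[str]] = {
    "a932.g.akamai.net": ["165.91.254.17", "165.91.254.15"],
    "a20.g.akamai.net": ["165.91.254.17", "165.91.254.15"],
    "www.example.net": ["203.0.113.10"],
    "intranet.tamu.edu": ["10.10.10.20"],
}

# Assumptions (not stated on the page): the split-tunnel policy only
# routes this prefix through the VPN, and only names under these domains
# are legitimately allowed to resolve differently on campus.
TUNNELED_PREFIXES: List[str] = ["165.91.0.0/17"]
INTERNAL_DOMAINS: List[str] = ["tamu.edu"]


def _covered(ip: str, prefixes: Iterable[str]) -> bool:
    """True if ip falls inside any of the tunneled prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def _is_internal(host: str, domains: Iterable[str]) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host: str, public_ips: List[str], vpn_ips: List[str],
             tunneled: Iterable[str] = TUNNELED_PREFIXES,
             internal: Iterable[str] = INTERNAL_DOMAINS) -> str:
    """Return one of:
      ok             - both resolvers agree
      internal-split - campus-only name, a different answer is expected
      rerouted       - VPN-only answers lie inside the tunneled prefixes,
                       so they are reachable (just via the tunnel)
      broken         - VPN-only answers are outside the tunnel routes and
                       will leave via the default interface
    """
    if set(public_ips) == set(vpn_ips):
        return "ok"
    if _is_internal(host, internal):
        return "internal-split"
    vpn_only = set(vpn_ips) - set(public_ips)
    if all(_covered(ip, tunneled) for ip in vpn_only):
        return "rerouted"
    return "broken"


def audit(public: Dict[str, List[str]], vpn: Dict[str, List[str]],
          tunneled: Iterable[str] = TUNNELED_PREFIXES,
          internal: Iterable[str] = INTERNAL_DOMAINS) -> Dict[str, str]:
    """Classify every host present in the public answer set."""
    return {h: classify(h, ips, vpn.get(h, []), tunneled, internal)
            for h, ips in public.items()}


def missing_routes(public: Dict[str, List[str]], vpn: Dict[str, List[str]],
                   tunneled: Iterable[str] = TUNNELED_PREFIXES) -> List[str]:
    """Host routes that would have to be added to the split-tunnel include
    list (the second fix proposed in the post) to make 'broken' answers
    reachable through the tunnel."""
    needed = set()
    for host, status in audit(public, vpn, tunneled).items():
        if status != "broken":
            continue
        for ip in set(vpn[host]) - set(public[host]):
            if not _covered(ip, tunneled):
                needed.add(f"{ip}/32")
    return sorted(needed)


if __name__ == "__main__":
    for host, status in audit(PUBLIC_ANSWERS, VPN_ANSWERS).items():
        print(f"{host:22s} {status}")
    print("routes to add:", missing_routes(PUBLIC_ANSWERS, VPN_ANSWERS))
```

The two Akamai names come out as `broken`, which is exactly the symptom the post describes, and `missing_routes` lists the two cache addresses that would need to be added to the split-tunnel include list if the operator chose the routing fix over simply not pushing DNS in split-tunnel mode.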

I need to use hacks to force my computer to use the correct DNS. Granted, I know quite well how to do this, and had forgotten that I have already been doing it on my Linux box for years, but this is well beyond the layman. Also, it is a pain to do. I told them that such a solution is really unacceptable. The final word on the subject: they won’t fix it. How disappointing.

Now I am having a problem where the split-tunnel VPN accepts my password, but the full VPN, along with the PPTP VPN, rejects it. The password should be the same. Who knows what they have going on in there.