Issue with DNS with IPsec setup between Windows Server 2003 and Windows XP client

  • Question

  • Hi,

    We have a Windows 2003 server machine (with a DNS server running on it) with IPsec set up using the following commands:

    [Note: Server IP: 10.96.16.11, Client IP: 10.96.16.51, subnet mask for client: 255.255.252.0, default gateway for client: 10.96.16.11]

    REM set the default traffic exemptions, then create the policy and the two filter actions
    netsh ipsec dynamic set config ipsecexempt value=1
    netsh ipsec static add policy name=IPSEC-POLICY
    netsh ipsec static add filteraction name=action-require-ipsec action=negotiate qmpfs=no soft=no
    netsh ipsec static add filteraction name=action-permit action=permit
    REM create filterlist for Non ipsec (HTTPS and UDP DNS to the server from the local subnet)
    netsh ipsec static add filterlist name=Filter-Internal-NonIPSec
    netsh ipsec static add filter filterlist=Filter-Internal-NonIPSec description=Filter-Internal-SSL protocol=TCP srcaddr=10.96.16.0 srcmask=255.255.252.0 dstaddr=10.96.16.11 dstmask=255.255.255.255 dstport=443 mirrored=yes
    netsh ipsec static add filter filterlist=Filter-Internal-NonIPSec description=Filter-Internal-DNS protocol=UDP srcaddr=10.96.16.0 srcmask=255.255.252.0 dstaddr=10.96.16.11 dstmask=255.255.255.255 dstport=53 mirrored=yes
    REM create filterlist for IPSec (all other traffic to and from this machine)
    netsh ipsec static add filterlist name=Filter-Internal-IPSec
    netsh ipsec static add filter filterlist=Filter-Internal-IPSec description=Filter-Internal-IPSEC protocol=ANY srcaddr=ANY dstaddr=ME mirrored=yes
    REM adding rules
    netsh ipsec static add rule name=Internal-NonIPSEC policy=IPSEC-POLICY filterlist=Filter-Internal-NonIPSec filteraction=action-permit
    netsh ipsec static add rule name=Internal-IPSec policy=IPSEC-POLICY filterlist=Filter-Internal-IPSec filteraction=action-require-ipsec conntype=lan psk="pskkey"
    REM applying the policy
    netsh ipsec static set policy name=IPSEC-POLICY assign=yes
    The client (Windows XP Embedded running a PolicyAgent service) is not able to resolve DNS against the server.
    It would be of great help if somebody knows about this.
    Thanks

    Wednesday, January 11, 2012 6:48 PM
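To reason about which filter in the script above catches a given packet, here is an added example (not the poster's code) that models the two filter lists and applies the Windows IPsec rule that the most specific matching filter wins. The specificity scoring (address prefix length, then protocol, then port) and the sample flows are assumptions constructed for the illustration; it shows that only UDP DNS from the 10.96.16.0/22 subnet is exempt, while DNS over TCP or a client outside that subnet falls under the require-IPsec filter.

```python
import ipaddress

# Constructed model of the filter lists in the netsh script above (not the
# poster's code). Windows IPsec applies the most specific matching filter; this
# simplified model scores specificity by address prefix length, then protocol,
# then port. That ordering is an assumption for illustration, not a netsh feature.
ME = "10.96.16.11"
# (name, protocol, src network, dst network, dst port, filter action)
FILTERS = [
    ("Filter-Internal-SSL", "TCP", "10.96.16.0/22", ME + "/32", 443, "permit"),
    ("Filter-Internal-DNS", "UDP", "10.96.16.0/22", ME + "/32", 53, "permit"),
    ("Filter-Internal-IPSEC", "ANY", "0.0.0.0/0", ME + "/32", None, "negotiate"),
]

def _one_way(flt, proto, src, dst, dport):
    """True if the packet matches the filter in the given direction."""
    _, fproto, fsrc, fdst, fport, _ = flt
    if fproto != "ANY" and fproto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(fsrc):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(fdst):
        return False
    return fport is None or fport == dport

def _specificity(flt):
    """Higher tuple = more specific filter (addresses, then protocol, then port)."""
    _, fproto, fsrc, fdst, fport, _ = flt
    addr_bits = ipaddress.ip_network(fsrc).prefixlen + ipaddress.ip_network(fdst).prefixlen
    return (addr_bits, fproto != "ANY", fport is not None)

def decide(proto, src, sport, dst, dport):
    """Return (filter name, action) for a packet. All filters are mirrored=yes,
    so each filter also matches the reply direction with the ports swapped."""
    hits = [f for f in FILTERS
            if _one_way(f, proto, src, dst, dport) or _one_way(f, proto, dst, src, sport)]
    if not hits:
        return (None, "no filter: policy does not apply")
    best = max(hits, key=_specificity)
    return (best[0], best[5])

if __name__ == "__main__":
    # Constructed sample flows between the client 10.96.16.51 and the server.
    for flow in [("UDP", "10.96.16.51", 50000, ME, 53),    # DNS query over UDP
                 ("UDP", ME, 53, "10.96.16.51", 50000),    # DNS reply (mirrored match)
                 ("TCP", "10.96.16.51", 50001, ME, 53),    # DNS over TCP (truncated answers)
                 ("UDP", "10.96.20.5", 50002, ME, 53)]:    # client outside 10.96.16.0/22
        print(flow, "->", decide(*flow))
```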

All replies

  • Hello 

    (Assuming that the DNS IP is pingable from the client)

    Please mark your DNS server IP as "10.96.16.11" and try nslookup.

    Kindly post the output of the nslookup results and the event log, if any. Also check that the DNS service is in a running state.


    Cheers

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Saturday, January 21, 2012 3:28 PM