Topic: IPsec and DNS forwarder  (Read 1525 times)
« on: March 09, 2014, 13:58:20 »
datenimperator *
Posts: 7

Hi all,

I've got two sites using m0n0wall 1.8.1 appliances. Site 2 creates an IPsec tunnel to site 1. On both networks a local DNS server is responsible for the local zone. Network clients on both networks use m0n0wall as the primary DNS service; m0n0wall forwards requests to the local DNS server where appropriate. This works pretty well.

However, the DNS forwarder on site 2 will time out when forwarding requests to the DNS server on site 1. I can ping back and forth successfully and use dig to resolve names directly, but not via the forwarder.

The system log on site 2 shows requests actually being forwarded to the DNS server on site 1, but the response does not come back. I've checked log files on both sides; there's nothing being rejected by the two firewalls (at least there's nothing in the logs). What could I do to debug this?

Kind regards

Christian
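One way to narrow down the "dig works, the forwarder does not" symptom is to send the same query from different local source addresses and see which ones get an answer back through the tunnel. The script below is an added example for this thread, not m0n0wall's or dnsmasq's code. It builds a minimal DNS query, sends it to the site 1 server from the post (10.99.99.2), optionally bound to the site 2 LAN address (10.99.100.1), and reports a timeout or the reply's header fields. The queried hostname is an assumption; the transaction-id check makes sure a stray or spoofed reply is not mistaken for the real one.

```python
"""
Probe a DNS server across an IPsec tunnel from a chosen source address.
Added example for the m0n0wall thread; not m0n0wall or dnsmasq code.
Server and LAN addresses are the ones from the post; the hostname is assumed.
"""
import random
import socket
import struct
from typing import Optional, Tuple


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a minimal recursion-desired DNS query (RFC 1035 wire format)."""
    if txid is None:
        txid = random.randrange(0, 65536)
    # id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Validate a reply header: id match, QR bit set; return rcode/answer count."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {
        "rcode": flags & 0x000F,
        "answers": an,
        "authoritative": bool(flags & 0x0400),
    }


def probe(server: str, name: str, source: Optional[str], timeout: float = 5.0) -> dict:
    """Send one query over UDP, optionally bound to a specific local source address.

    Returns the parsed reply header, or {"timeout": True} if nothing came back.
    Comparing the default source with the LAN address shows whether the
    reply path depends on which local address the query leaves from.
    """
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source:
            s.bind((source, 0))
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return {"timeout": True, "source": source}
    result = parse_response(data, txid)
    result["source"] = source
    return result


if __name__ == "__main__":
    SERVER = "10.99.99.2"             # site 1 DNS server (from the post)
    NAME = "host.office.example.com"  # assumed name in the site 1 zone
    # Default source address first, then the site 2 LAN address from the post.
    for src in (None, "10.99.100.1"):
        print(src or "default", probe(SERVER, NAME, src))
```

Run it on the site 2 firewall (or any host on the site 2 LAN). If the query answered when bound to the LAN address but timed out with the default source, the forwarder's outbound queries are leaving from an address the tunnel policy does not cover, which matches "request logged, no reply" without any firewall deny entry.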
« Reply #1 on: March 09, 2014, 18:48:57 »
Lee Sharp *****
Posts: 517

A local stand alone DNS server, or the DNS Forwarder built into m0n0wall?
« Reply #2 on: March 09, 2014, 19:45:22 »
datenimperator *
Posts: 7

Quote
A local stand alone DNS server, or the DNS Forwarder built into m0n0wall?

I've got two local standalone DNS servers. m0n0wall provides DHCP; DHCP clients will use m0n0wall for DNS.

Site 1
Network 10.99.99.0/24
Gateway 10.99.99.1 (m0n0wall 1.8.1)
Zone office.example.com
DNS-Server 10.99.99.2

Site 2 (opens tunnel to site 1)
Network 10.99.100.0/24
Gateway 10.99.100.1 (m0n0wall 1.8.1)
Zone home.example.com
DNS-Server 10.99.100.4

DNS forwarder settings on site 2, 10.99.100.1
Code:
<dnsmasq>
  <domainoverrides>
    <domain>100.99.10.IN-ADDR.ARPA</domain>
    <ip>10.99.100.4</ip>
    <descr/>
  </domainoverrides>
  <domainoverrides>
    <domain>99.99.10.in-addr.arpa</domain>
    <ip>10.99.99.2</ip>
    <descr>Office internal</descr>
  </domainoverrides>
  <domainoverrides>
    <domain>home.example.com</domain>
    <ip>10.99.100.4</ip>
    <descr/>
  </domainoverrides>
  <domainoverrides>
    <domain>office.example.com</domain>
    <ip>10.99.99.2</ip>
    <descr/>
  </domainoverrides>
  <regdhcp/>
  <enable/>
</dnsmasq>

Edit:

Connecting the two sites only works when the remote tunnel interface is set to LAN. The documentation[1] says:

Quote
If you are connecting to a remote server, then WAN is your option.

However, using WAN I get this error:

Code:
Mar 10 09:23:01 racoon: ERROR: failed to begin ipsec sa negotication.
Mar 10 09:23:01 racoon: ERROR: no configuration found for 37.24.165.50.

37.24.165.50 was the current WAN interface address of site 2. Establishing the tunnel only works when the interface option is set to LAN.

[1] http://doc.m0n0.ch/handbook/ipsec-tunnels.html
« Last Edit: March 10, 2014, 09:29:45 by datenimperator »
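To see at a glance which of the domain overrides above depend on the tunnel, the following script parses the posted `<dnsmasq>` block and, for each override, records the site the target server belongs to, whether a query for that domain must cross the IPsec tunnel, and, for the in-addr.arpa entries, whether the reverse zone points at a server inside the network it describes. This is an added example, not m0n0wall code; the config is the one from the post and the site table is reconstructed from the addresses given there. The overrides flagged `via_tunnel` are the ones whose traffic (and reply) has to fall inside the tunnel's phase 2 networks.

```python
"""
Audit m0n0wall DNS forwarder domain overrides against a two-site layout.
Added example for the m0n0wall thread; not m0n0wall or dnsmasq code.
CONFIG is the <dnsmasq> block from the post; SITES is reconstructed from it.
"""
import ipaddress
import xml.etree.ElementTree as ET

CONFIG = """<dnsmasq>
  <domainoverrides>
    <domain>100.99.10.IN-ADDR.ARPA</domain>
    <ip>10.99.100.4</ip>
    <descr/>
  </domainoverrides>
  <domainoverrides>
    <domain>99.99.10.in-addr.arpa</domain>
    <ip>10.99.99.2</ip>
    <descr>Office internal</descr>
  </domainoverrides>
  <domainoverrides>
    <domain>home.example.com</domain>
    <ip>10.99.100.4</ip>
    <descr/>
  </domainoverrides>
  <domainoverrides>
    <domain>office.example.com</domain>
    <ip>10.99.99.2</ip>
    <descr/>
  </domainoverrides>
  <regdhcp/>
  <enable/>
</dnsmasq>"""

# Site networks as given in the post.
SITES = {
    "site1": ipaddress.ip_network("10.99.99.0/24"),
    "site2": ipaddress.ip_network("10.99.100.0/24"),
}


def parse_overrides(xml_text):
    """Return [(domain, server_ip), ...]; dnsmasq matches domains case-insensitively."""
    root = ET.fromstring(xml_text)
    return [
        (o.findtext("domain").strip().lower(),
         ipaddress.ip_address(o.findtext("ip").strip()))
        for o in root.findall("domainoverrides")
    ]


def site_of(ip, sites):
    """Name of the site whose network contains ip, or None."""
    for name, net in sites.items():
        if ip in net:
            return name
    return None


def reverse_zone_network(domain):
    """'99.99.10.in-addr.arpa' -> 10.99.99.0/24 (octet-aligned zones only)."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    labels = domain[: -len(suffix)].split(".")
    if not 1 <= len(labels) <= 3 or not all(l.isdigit() for l in labels):
        return None
    octets = list(reversed(labels)) + ["0"] * (4 - len(labels))
    return ipaddress.ip_network(".".join(octets) + f"/{8 * len(labels)}", strict=False)


def audit(overrides, sites, local_site):
    """Classify each override relative to the site running the forwarder."""
    findings = []
    for domain, server in overrides:
        server_site = site_of(server, sites)
        f = {
            "domain": domain,
            "server": str(server),
            "server_site": server_site,
            # A server in another site is only reachable through the tunnel.
            "via_tunnel": server_site is not None and server_site != local_site,
        }
        net = reverse_zone_network(domain)
        if net is not None:
            zone_site = site_of(net.network_address, sites)
            f["reverse_zone_site"] = zone_site
            # The reverse zone should be served from the site that owns the range.
            f["reverse_consistent"] = zone_site == server_site
        findings.append(f)
    return findings


if __name__ == "__main__":
    # The forwarder in the post runs on site 2 (10.99.100.1).
    for finding in audit(parse_overrides(CONFIG), SITES, "site2"):
        print(finding)
```

For the posted config this reports office.example.com and 99.99.10.in-addr.arpa as `via_tunnel`, with both reverse zones consistent; those two overrides are exactly the ones that stop working when the tunnel does not carry the forwarder's own traffic.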
« Reply #3 on: March 10, 2014, 20:24:08 »
Lee Sharp *****
Posts: 517

I think you are mixing up several problems...  To start, use the hidden options to set your internal servers as DNS.  Ignore the m0n0wall dns forwarder...  Now you can point them at each other via the VPN tunnels...
« Reply #4 on: April 27, 2014, 22:11:14 »
datenimperator *
Posts: 7

I wasn't able to sort this out properly, so I ended up w/ a simple slave DNS zone on site 2. No need to forward DNS traffic through the VPN anymore. Thanks anyway for your help!