VyOS L2TP IPsec VPN client can't access DNS

Hi guys,
I have configured an L2TP VPN on my VyOS (1.3).
When I connect from a Windows client, everything is fine: I can ping the servers and even connect by RDP to internal servers, but I couldn't ping any server by name, and not even 8.8.8.8!

I created a DHCP scope on my DHCP servers, but I think it's not working …

set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn ipsec options disable-route-autoinstall

set vpn l2tp remote-access authentication local-users username user1 password 'Password'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '10.10.89.100'
set vpn l2tp remote-access client-ip-pool stop '10.10.89.120'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'secretkey'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access outside-address 'my ext IP'

set firewall group network-group L2TP network '10.10.89.0/24'

set firewall name ACL-WAN-IN rule 11 action 'accept'
set firewall name ACL-WAN-IN rule 11 protocol 'all'
set firewall name ACL-WAN-IN rule 11 source group network-group 'L2TP'

set firewall name ACL-WAN-IN rule 40 action 'accept'
set firewall name ACL-WAN-IN rule 40 protocol 'esp'
set firewall name ACL-WAN-IN rule 41 action 'accept'
set firewall name ACL-WAN-IN rule 41 destination port '500'
set firewall name ACL-WAN-IN rule 41 protocol 'udp'
set firewall name ACL-WAN-IN rule 42 action 'accept'
set firewall name ACL-WAN-IN rule 42 destination port '4500'
set firewall name ACL-WAN-IN rule 42 protocol 'udp'
set firewall name ACL-WAN-IN rule 43 action 'accept'
set firewall name ACL-WAN-IN rule 43 destination port '1701'
set firewall name ACL-WAN-IN rule 43 ipsec 'match-ipsec'
set firewall name ACL-WAN-IN rule 43 protocol 'udp'

I also set DNS:
set vpn l2tp remote-access name-server '10.10.0.200'

Any ideas or recommendations would be appreciated.

Ali

Hi @Ali, did you configure NAT for network 10.10.89.0/24?
The second question: why don't you configure any DNS servers for the L2TP client?
set vpn l2tp remote-access name-server 8.8.8.8
upd:// try to configure the DNS forwarding service if you define 10.10.0.200 as DNS for clients.

set service dns forwarding listen-address 10.10.0.200
set service dns forwarding name-server 8.8.8.8

Hi @Dmitry
Thanks for the reply. I used the following NAT, but when I configured NAT I didn't even have ping to the servers, so I deleted it:

set nat source rule 162 outbound-interface 'eth1'
set nat source rule 162 source address '10.10.89.0/24'
set nat source rule 162 translation address masquerade

I also set
set vpn l2tp remote-access name-server '10.10.0.200'
set vpn l2tp remote-access name-server '10.10.0.201'

as DNS servers, but I couldn't ping anything!

I have 2 DNS servers:
dc01: 10.10.0.200
dc02: 10.10.0.201
I can ping just the IPs, but I couldn't ping dc01 or dc02!

I also used 8.8.8.8 as DNS server, but still the same!

Should I use:
set service dns forwarding listen-address 10.10.0.200

And are there any conflicts if I want to use DNS forwarding with the other services that I'm using on this firewall?

I also have the following commands on my FW:

set service dns forwarding allow-from '0.0.0.0/0'
set service dns forwarding allow-from '::/0'
set service dns forwarding cache-size '0'
set service dns forwarding domain google.com addnta
set service dns forwarding domain google.com recursion-desired
set service dns forwarding domain google.com server 'xxxxxxxx'
set service dns forwarding domain google.com.au addnta
set service dns forwarding domain google.com.au recursion-desired
set service dns forwarding domain google.com.au server 'xxxxxxx'
set service dns forwarding listen-address '10.10.90.1'
set service dns forwarding listen-address '10.10.90.254'
set service dns forwarding listen-address '10.10.0.1'
set service dns forwarding listen-address '10.10.10.254'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding system

Regards,
Ali

Hello @Ali, could you get a traceroute to 10.10.0.200 from the L2TP/IPsec client?
Did you try to check nslookup example.com from the L2TP client host?
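As an added example (not from this thread or from VyOS itself), here is a small Python checker that reads `set` commands like the ones quoted above and flags the three things the replies ask about: no source NAT rule covering the L2TP client pool, name-servers pushed to clients that the router's own DNS forwarder does not listen on, and an `allow-from` that is either too narrow for the pool or wide open. The SAMPLE config below is constructed from the commands in this thread, with the NAT rule Ali removed left out.

```python
import ipaddress

# Constructed sample: the set commands quoted in this thread, minus the NAT rule Ali removed
SAMPLE = """
set vpn l2tp remote-access client-ip-pool start '10.10.89.100'
set vpn l2tp remote-access client-ip-pool stop '10.10.89.120'
set vpn l2tp remote-access name-server '10.10.0.200'
set vpn l2tp remote-access name-server '10.10.0.201'
set service dns forwarding allow-from '0.0.0.0/0'
set service dns forwarding listen-address '10.10.90.1'
set service dns forwarding listen-address '10.10.0.1'
set service dns forwarding name-server '8.8.8.8'
"""

def parse(text):
    """Split 'set a b c' lines into token lists, stripping straight and curly quotes."""
    return [[t.strip("'\"\u2018\u2019") for t in ln.split()[1:]]
            for ln in text.splitlines() if ln.strip().startswith("set ")]

def leaf(rows, *path):
    """Values that follow an exact token path, e.g. every name-server entry."""
    n = len(path)
    return [r[n] for r in rows if len(r) > n and tuple(r[:n]) == path]

def lint(text):
    rows, out = parse(text), []
    start = leaf(rows, "vpn", "l2tp", "remote-access", "client-ip-pool", "start")
    stop = leaf(rows, "vpn", "l2tp", "remote-access", "client-ip-pool", "stop")
    if not (start and stop):
        return ["no L2TP client-ip-pool defined"]
    lo, hi = ipaddress.ip_address(start[0]), ipaddress.ip_address(stop[0])
    # 1. Without source NAT the pool cannot reach Internet hosts such as 8.8.8.8
    nat = [ipaddress.ip_network(r[6]) for r in rows if len(r) == 7
           and r[:3] == ["nat", "source", "rule"] and r[4:6] == ["source", "address"]]
    if not any(lo in n and hi in n for n in nat):
        out.append("no source NAT rule covers %s-%s" % (lo, hi))
    # 2. A DNS server pushed to clients that the router's forwarder does not listen on
    #    must be reachable from the pool and answer queries itself (e.g. an internal DC)
    listen = set(leaf(rows, "service", "dns", "forwarding", "listen-address"))
    for ns in leaf(rows, "vpn", "l2tp", "remote-access", "name-server"):
        if ns not in listen:
            out.append("name-server %s is not a dns forwarding listen-address" % ns)
    # 3. allow-from must include the pool, but 0.0.0.0/0 makes the forwarder an open resolver
    allow = [ipaddress.ip_network(a) for a in leaf(rows, "service", "dns", "forwarding", "allow-from")]
    if listen and not any(lo in a and hi in a for a in allow):
        out.append("dns forwarding allow-from does not include the client pool")
    if any(a.prefixlen == 0 for a in allow):
        out.append("allow-from 0.0.0.0/0 or ::/0 accepts queries from any source; restrict it")
    return out
```

Paste the output of `show configuration commands` into `lint()` to run it against a live box; an empty list means none of the three checks fired.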