Finally, an answer to a question I have had for a very long time. The DNS configuration of a Watchguard under its Network Configuration should be Internet-public DNS, e.g., 18.104.22.168/22.214.171.124 (Google) or OpenDNS or Comodo or Norton ConnectSafe et cetera. It is the trusted DHCP only, if in use, which should have local LAN DNS.
One problem this will cure very effectively, is failure of connectivity to the Watchguard-provided WebBlocker server.
Found the above information in very different words here:
Here are some important settings in the Labtech documentation.
This is specifically for Watchguard IPSec mobile user VPN, but is probably applicable in other IPSec situations also.
When setting up IPSec VPN, at least in some paradigms, the server side is set up without DNS/WINS settings, and then in the client profile, after the import, one does this in “IPsec Address Assignment”:
Local IP address (takes the IP from the local LAN)
DNS Server: <destination LAN DNS or general>
WINS Server: <destination LAN WINS or none>
Domain Name: <destination LAN-local domain>
Some notes on the destination side.
- In the Watchguard IPSec VPN configuration, the “virtual IP range” under resources, has to be a range (a) included in the DHCP distribution but (b) excluded on the DHCP server (if any) at the destination; it has to be part of the destination subnet. It is reportedly also possible to set the router up to use a new subnet for this, but this requires adding a rule in the router and is more complex.
- If there is a Windows domain controller at the destination, recommended is to set the Watchguard IPSec VPN for Active Directory authentication. In such a case, the “Group Name” has to be a Security Group in the AD of exactly the same name, case significant, as exists on the server, and any user has to be a member of that group. If a user attempts to connect who is not a member of that group, connection will occur, but RX will remain at zero bytes.