From owner-freebsd-ipfw Mon Jul 16 21:33:10 2001
From: panis@mindspring.com
To: freebsd-ipfw@freebsd.org
Date: Tue, 17 Jul 2001 00:33:08 -0400

auth eac02022 subscribe freebsd-ipfw panis@mindspring.com

From owner-freebsd-ipfw Wed Jul 18 4:12:35 2001
From: "Steffen Vorrix" <steffen@vorrix.com>
To: freebsd-ipfw@freebsd.org
Subject: Question regarding VPN between two MS networks
Date: Wed, 18 Jul 2001 07:12:15 -0400
I originally posted this question to freebsd-questions, but I didn't get any response, so I was hoping that someone on this list might be able to tell me what is happening...

I have a question regarding my site to site VPN. I have two networks (A and B) with FreeBSD firewalls between them.

The 'A' network is running the PDC for Network A. I would like to make the few NT Servers and Workstations on network B part of the Network A Domain. I have set up the VPN and the routes, and everything is almost completely working...

I say 'almost' because I can ping, map drives, printers, etc. to any machine on either side of the network. I can also copy files, etc. My problem is this: I can't seem to allow the machines on Network 'B' to join the Network 'A' Domain. The machines say they cannot locate the Domain Controller. I do have WINS running on network A, and all of the machines on Network B actually use Network A's WINS server. I am pretty certain this is working, as before I made the WINS entries for the machines on Network B I couldn't see any of the machines from network A in the Neighborhood, but now they all show up. (I did not analyze traffic, however, to make sure this is the case.) Just to be on the safe side, though, I added an 'LMHOSTS' file as per Microsoft KB Q180094. A tcpdump appears to show that the machines on network B are trying to find the domain controller by doing a broadcast packet, but I can't tell that for certain. There is definitely (of course) broadcast traffic, but it appears to get very heavy when an attempt to locate the domain controller is made.

Here is the part I find the strangest. If I remove the Security Associations, but leave the tunnel itself, everything works fine. I can add the machine to the domain and everything works as expected. I can use the User Manager for Domains, Server Manager, etc. However, as soon as I turn the VPN Security Associations back on, the machines on network B cannot find the Domain Controller again. (User Manager stops working and logon attempts get the dreaded 'You have been logged on with cached credentials' message.) I have searched through Google for someone that might have the same problem, and I saw a few posts from people that had a site to site VPN setup and couldn't get the domain membership to work, but none of those posts had any resolution associated with them.

It would seem to me that I am having some kind of routing/blocking problem, but I don't know how to overcome it, if it is possible.

It would appear to me that the VPN is not forwarding broadcast packets. However, I know that some firewalls do allow you to forward broadcast UDP packets. For example, I have done the same thing that I am attempting to set up on FreeBSD with two SonicWall firewalls, and in the setup there is a checkbox that you explicitly set to forward broadcast UDP packets, and everything in that configuration works wonderfully. It would appear that the 'switch' is there just for these types of situations.

Has anyone out there also run into this problem? I can certainly include all of the appropriate configurations, but since it works without the VPN SA's, I didn't, as I thought it didn't have anything to do with things like firewall rules that might be too restrictive. (BTW, the FW type is 'open' right now for testing purposes.)

Thanks a bunch for the help in advance.
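The poster's tcpdump cannot confirm whether the domain-controller lookups are broadcasts. The following script is an added example written for this archive page, not code from the post or from FreeBSD: it classifies NetBIOS name-service (UDP/137) packets in tcpdump output by destination, so that subnet or limited broadcasts (whose destination is not in network A and therefore never matches a B-to-A IPsec security policy selector) are counted separately from unicast queries to the WINS server on A, which the SA does carry. The subnets, the WINS address and the sample capture lines are constructed assumptions; only 192.168.3.62, the workstation address in the post's headers, comes from the page.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing (the post gives no subnets): 192.168.3.62 is the
# workstation from the post's headers, so network B is taken as 192.168.3.0/24.
NET_A = ipaddress.ip_network("192.168.1.0/24")          # assumption
NET_B = ipaddress.ip_network("192.168.3.0/24")          # assumption
WINS_A = ipaddress.ip_address("192.168.1.10")           # assumed WINS server on A
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

# "src.port > dst.port:" as tcpdump prints IPv4 endpoints.
_ENDPOINTS = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def classify(line):
    """Say where a NetBIOS name-service (UDP/137) packet sent from network B
    would go; return None for anything else."""
    m = _ENDPOINTS.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(3))
    if int(m.group(4)) != 137 or src not in NET_B:
        return None
    if dst == LIMITED_BCAST or dst == NET_B.broadcast_address:
        # Destination is not in network A, so no B-to-A SA selector matches it.
        return "broadcast: stays on network B, never enters the IPsec SA"
    if dst == WINS_A:
        return "unicast to WINS on A: matches the B-to-A SA selectors, tunneled"
    if dst in NET_A:
        return "unicast to a network A host: tunneled"
    return "local unicast on network B"

def summarize(lines):
    """Count classifications over tcpdump output lines."""
    return Counter(c for c in map(classify, lines) if c)

# Constructed sample tcpdump lines (not a real capture).
SAMPLE = """\
07:12:15.000001 192.168.3.62.137 > 192.168.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
07:12:15.000002 192.168.3.62.137 > 192.168.1.10.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
07:12:15.000003 192.168.3.62.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
07:12:15.000004 192.168.3.62.1034 > 192.168.1.10.139: P 1:2(1) ack 1 win 8760
07:12:15.000005 192.168.1.10.137 > 192.168.3.62.137: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
"""

if __name__ == "__main__":
    for kind, n in summarize(SAMPLE.splitlines()).items():
        print(f"{n:3d}  {kind}")
```

A capture taken on the network B firewall's inside interface while a workstation tries to join the domain, piped through summarize(), shows directly how many of the lookups are broadcasts that the SA was never going to carry.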