Date:      Wed, 18 Jul 2001 07:12:15 -0400
From:      "Steffen Vorrix" <steffen@vorrix.com>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Question regarding VPN between two MS networks
Message-ID:  <007f01c10f7a$8142a5e0$3e03a8c0@ws001>

I originally posted this question to freebsd-questions, but I didn't get any response, so I was hoping that someone on this list might be able to tell me what is happening...

I have a question regarding my site-to-site VPN. I have two networks (A and B) with FreeBSD firewalls between them.

The 'A' network is running the PDC for Network A. I would like to make the few NT Servers and Workstations on network B part of the Network A Domain. I have set up the VPN and the routes, and everything is almost completely working...

I say 'almost' because I can ping, map drives, printers, etc. to any machine on either side of the network. I can also copy files, etc. My problem is this: I can't seem to allow the machines on Network 'B' to join the Network 'A' Domain. The machines say they cannot locate the Domain Controller. I do have WINS running on network A, and all of the machines on Network B actually use Network A's WINS server. I am pretty certain this is working, as before I made the WINS entries for the machines on Network B I couldn't see any of the machines from network A in the Neighborhood, but now they all show up. (I did not analyze traffic, however, to make sure this is the case.) Just to be on the safe side, though, I added an 'LMHOSTS' file as per Microsoft KB Q180094. A tcpdump appears to show that the machines on network B are trying to find the domain controller by doing a broadcast packet, but I can't tell that for certain. There is definitely (of course) broadcast traffic, but it appears to get very heavy when an attempt to locate the domain controller is made.

Here is the part I find the strangest. If I remove the Security Associations, but leave the tunnel itself, everything works fine. I can add the machine to the domain and everything works as expected. I can use the User Manager for Domains, Server Manager, etc. However, as soon as I turn the VPN Security Associations back on, the machines on network B cannot find the Domain Controller again. (User Manager stops working and logon attempts get the dreaded 'You have been logged on with cached credentials' message.) I have searched through Google for someone that might have the same problem, and I saw a few posts for people that had a site-to-site VPN set up and couldn't get the domain membership to work, but none of those posts had any resolution associated with them.

It would seem to me that I am having some kind of routing/blocking problem, but I don't know how to overcome it, if it is possible.

It would appear to me that the VPN is not forwarding broadcast packets. However, I know that some firewalls do allow you to forward broadcast UDP packets. For example, I have done the same thing that I am attempting to set up on FreeBSD with two SonicWall firewalls, and in the setup there is a checkbox that you explicitly set to forward broadcast UDP packets, and everything in that configuration works wonderfully. It would appear that the 'switch' is there just for these types of situations.

Has anyone out there also run into this problem? I can certainly include all of the appropriate configurations, but since it works without the VPN SAs, I didn't, as I thought it didn't have anything to do with things like firewall rules that might be too restrictive. (BTW, the FW type is 'open' right now for testing purposes.)

Thanks a bunch for the help in advance.


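The poster suspects that locating the domain controller depends on subnet broadcasts that the tunnel does not carry, while unicast traffic to the WINS server and file shares gets through. As an added example, not from the original post or from the FreeBSD project, the following Python script sorts `tcpdump -n`-style lines into NetBIOS broadcasts (which stay on the local segment) and unicast flows between the two sites (which a routed tunnel can carry), so an administrator can see which hosts still rely on broadcast for name or domain lookups. The site prefixes 192.168.1.0/24 and 192.168.2.0/24, the WINS/PDC address 192.168.1.5, and the capture lines are all constructed placeholders.

```python
"""Sort NetBIOS traffic seen at a site-to-site gateway into broadcast and
unicast flows.  Added example with constructed tcpdump-style lines; the
subnets, addresses and lines are placeholders, not from the original post."""
import ipaddress
import re

# Assumed site prefixes (placeholders): Network A hosts the PDC and WINS server.
NET_A = ipaddress.ip_network("192.168.1.0/24")
NET_B = ipaddress.ip_network("192.168.2.0/24")
SITES = (NET_A, NET_B)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Ports used by NetBIOS over TCP/IP: name service, datagram service, session service.
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Matches the "src.sport > dst.dport:" part of a `tcpdump -n` line.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample capture, as a gateway on the Network B side might see it.
SAMPLE_LINES = [
    "12:00:01.000000 IP 192.168.2.10.137 > 192.168.2.255.137: UDP, length 50",
    "12:00:01.100000 IP 192.168.2.10.137 > 192.168.1.5.137: UDP, length 50",
    "12:00:02.000000 IP 192.168.2.10.138 > 192.168.2.255.138: UDP, length 201",
    "12:00:03.000000 IP 192.168.2.10.1030 > 192.168.1.5.139: Flags [S], seq 0, win 8192, length 0",
    "12:00:04.000000 IP 192.168.2.10.1031 > 192.168.1.5.80: Flags [S], seq 0, win 8192, length 0",
]


def classify_line(line):
    """Return a dict describing one packet, or None if the line does not parse."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(3))
    dport = int(m.group(4))
    # Subnet-directed or limited broadcast stays on the local segment;
    # a routed tunnel only carries unicast between the two site prefixes.
    broadcast = dst == LIMITED_BROADCAST or any(
        dst == net.broadcast_address for net in SITES)
    inter_site = (src in NET_A and dst in NET_B) or (src in NET_B and dst in NET_A)
    return {
        "src": str(src),
        "dst": str(dst),
        "dport": dport,
        "service": NETBIOS_PORTS.get(dport, "other"),
        "broadcast": broadcast,
        "crosses_tunnel": inter_site and not broadcast,
    }


def summarize(lines):
    """Count NetBIOS packets by delivery type and list hosts that still broadcast."""
    counts = {"broadcast_netbios": 0, "unicast_netbios": 0, "other": 0}
    broadcasters = set()
    for line in lines:
        row = classify_line(line)
        if row is None:
            continue
        if row["service"] == "other":
            counts["other"] += 1
        elif row["broadcast"]:
            counts["broadcast_netbios"] += 1
            broadcasters.add(row["src"])
        else:
            counts["unicast_netbios"] += 1
    counts["broadcast_sources"] = sorted(broadcasters)
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        row = classify_line(line)
        print(f'{row["src"]:>14} -> {row["dst"]:<15} {row["service"]:<12} '
              f'{"broadcast" if row["broadcast"] else "unicast":<9} '
              f'crosses tunnel: {row["crosses_tunnel"]}')
    print(summarize(SAMPLE_LINES))
```

Run it against a real `tcpdump -n` capture taken on the Network B gateway by replacing `SAMPLE_LINES` with the file's lines. A host that shows up in `broadcast_sources` on UDP 137/138 is still resolving names or looking for the domain by subnet broadcast, which no routed tunnel will deliver to the other site; only the unicast flows (to the WINS server on UDP 137, or SMB sessions on TCP 139) are candidates for crossing the tunnel, so those are the ones to check against the IPsec policy and firewall rules.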

