Date: Wed, 18 Jul 2001 07:12:15 -0400
From: "Steffen Vorrix" <steffen@vorrix.com>
To: <freebsd-ipfw@freebsd.org>
Subject: Question regarding VPN between two MS networks
Message-ID: <007f01c10f7a$8142a5e0$3e03a8c0@ws001>
I originally posted this question to freebsd-questions, but I didn't get any response, so I was hoping that someone on this list might be able to tell me what is happening...

I have a question regarding my site-to-site VPN. I have two networks (A and B) with FreeBSD firewalls between them.

The 'A' network is running the PDC for Network A. I would like to make the few NT Servers and Workstations on network B part of the Network A Domain. I have set up the VPN and the routes, and everything is almost completely working...

I say 'almost' because I can ping, map drives, printers, etc. to any machine on either side of the network. I can also copy files, etc. My problem is this: I can't seem to allow the machines on Network 'B' to join the Network 'A' Domain. The machines say they cannot locate the Domain Controller. I do have WINS running on network A, and all of the machines on Network B actually use Network A's WINS server. I am pretty certain this is working, as before I made the WINS entries for the machines on Network B I couldn't see any of the machines from network A in the Neighborhood, but now they all show up. (I did not analyze traffic, however, to make sure this is the case.) Just to be on the safe side, though, I added an 'LMHOSTS' file as per Microsoft KB Q180094. A tcpdump appears to show that the machines on network B are trying to find the domain controller by doing a broadcast packet, but I can't tell that for certain. There is definitely (of course) broadcast traffic, but it appears to get very heavy when an attempt to locate the domain controller is made.

Here is the part I find the strangest. If I remove the Security Associations, but leave the tunnel itself, everything works fine. I can add the machine to the domain and everything works as expected. I can use the User Manager for Domains, Server Manager, etc. However, as soon as I turn the VPN Security Associations back on, the machines on network B cannot find the Domain Controller again. (User Manager stops working and logon attempts get the dreaded 'You have been logged on with cached credentials' message.) I have searched through Google for someone that might have the same problem, and I saw a few posts from people that had a site-to-site VPN set up and couldn't get the domain membership to work, but none of those posts had any resolution associated with them.

It would seem to me that I am having some kind of routing/blocking problem, but I don't know how to overcome it, if it is possible.

It would appear to me that the VPN is not forwarding broadcast packets. However, I know that some firewalls do allow you to forward broadcast UDP packets. For example, I have done the same thing that I am attempting to set up on FreeBSD with two SonicWall firewalls, and in the setup there is a checkbox that you explicitly set to forward broadcast UDP packets, and everything in that configuration works wonderfully. It would appear that the 'switch' is there just for these types of situations.

Has anyone out there also run into this problem? I can certainly include all of the appropriate configurations, but since it works without the VPN SAs, I didn't, as I thought it didn't have anything to do with things like firewall rules that might be too restrictive. (BTW, the FW type is 'open' right now for testing purposes.)

Thanks a bunch for the help in advance.
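As an added illustration (not part of the original mail), one way to settle the "I can't tell that for certain" question about the tcpdump: classify each UDP 137/138 packet as a local-subnet broadcast or a unicast to the WINS server, and check whether its source/destination pair would even fall inside a subnet-to-subnet IPsec SA selector. The subnets, the WINS address and the sample tcpdump lines are constructed placeholders, and the A<->B selector is an assumption about how the SAs were defined.

```python
import ipaddress
import re
from collections import Counter

# Assumed (placeholder) topology: network A hosts the PDC and WINS server,
# network B is the remote site; the IPsec SA is assumed to select A<->B only.
NET_A = ipaddress.ip_network("192.168.1.0/24")
NET_B = ipaddress.ip_network("192.168.3.0/24")
WINS_SERVER = ipaddress.ip_address("192.168.1.10")
BROADCASTS = {ipaddress.ip_address("255.255.255.255"),
              NET_A.broadcast_address, NET_B.broadcast_address}

# Constructed tcpdump-style lines ("src.port > dst.port"); not a real capture.
SAMPLE_TCPDUMP = """\
07:12:15.100001 192.168.3.62.137 > 192.168.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
07:12:15.100512 192.168.3.62.137 > 192.168.1.10.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
07:12:15.201000 192.168.3.62.138 > 192.168.3.255.138: NBT UDP PACKET(138)
07:12:15.300000 192.168.3.62.1025 > 192.168.1.5.139: S 1:1(0) win 8192
"""

LINE_RE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+):")


def matches_sa(src, dst):
    # True if the src/dst pair falls inside a subnet-to-subnet A<->B selector.
    return (src in NET_A and dst in NET_B) or (src in NET_B and dst in NET_A)


def classify(line):
    # Return (kind, in_tunnel) for one tcpdump line, or None if unparsable.
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _sport, dst, dport = m.groups()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport in ("137", "138"):         # NetBIOS name service / datagram service
        if dst_ip in BROADCASTS:
            kind = "netbios-broadcast"  # local broadcast; no A<->B selector matches
        elif dst_ip == WINS_SERVER:
            kind = "wins-unicast"       # directed query to the WINS server
        else:
            kind = "netbios-unicast"
    elif dport == "139":
        kind = "smb-session"            # TCP session traffic (drives, printers)
    else:
        kind = "other"
    return kind, matches_sa(src_ip, dst_ip)


def summarize(text):
    # Count (kind, in_tunnel) pairs so the two classes can be compared.
    return dict(Counter(r for r in map(classify, text.splitlines()) if r))
```

Run `summarize()` over a real `tcpdump -n` dump taken on the network B firewall's inside interface; a pile of `("netbios-broadcast", False)` entries with no matching unicast to the DC shows the domain-locator traffic is staying on the local wire rather than being dropped inside the tunnel.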
