From owner-freebsd-questions Mon Jul 16 12:17:29 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from vorrix.com (ns1.vorrix.com [205.214.90.212]) by hub.freebsd.org (Postfix) with ESMTP id ECFE337B405 for ; Mon, 16 Jul 2001 12:17:23 -0700 (PDT) (envelope-from steffen@vorrix.com)
Received: from ws001 [216.26.133.17] by vorrix.com [192.168.1.1] with SMTP (MDaemon.v3.5.7.R) for ; Fri, 13 Jul 2001 18:59:43 -0400
Message-ID: <002f01c10bef$71532c10$3e03a8c0@ws001>
From: "Steffen Vorrix"
To:
Subject: Question regarding VPN between two MS networks
Date: Fri, 13 Jul 2001 18:59:16 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-MDRemoteIP: 216.26.133.17
X-Return-Path: steffen@vorrix.com
X-MDaemon-Deliver-To: freebsd-questions@freebsd.org
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I have a question regarding my site-to-site VPN. I have two networks (A and B) with FreeBSD firewalls between them. The 'A' network is running the PDC for Network A. I would like to make the few NT Servers and Workstations on network B part of the Network A Domain.

I have set up the VPN and the routes, and everything is almost completely working... I say 'almost' because I can ping, map drives, printers, etc. to any machine on either side of the network. I can also copy files, etc.

My problem is this: I can't seem to allow the machines on Network 'B' to join the Network 'A' Domain. The machines say they cannot locate the Domain Controller. I do have WINS running on network A, and all of the machines on Network B actually use Network A's WINS server. I am pretty certain this is working, as before I made the WINS entries for the machines on Network B I couldn't see any of the machines from network A in the Neighborhood, but now they all show up. (I did not analyze traffic, however, to make sure this is the case.) Just to be on the safe side, though, I added an 'LMHOSTS' file as per Microsoft KB Q180094.

A tcpdump appears to show that the machines on network B are trying to find the domain controller by doing a broadcast packet, but I can't tell that for certain. There is definitely (of course) broadcast traffic, but it appears to get very heavy when an attempt to locate the domain controller is made.

Here is the part I find the strangest. If I remove the Security Associations, but leave the tunnel itself, everything works fine. I can add the machine to the domain and everything works as expected. I can use the User Manager for Domains, Server Manager, etc. However, as soon as I turn the VPN Security Associations back on, the machines on network B cannot find the Domain Controller again. (User Manager stops working and logon attempts get the dreaded 'You have been logged on with cached credentials' message.)

I have searched through Google for someone that might have the same problem, and I saw a few posts for people that had site-to-site VPN set up and couldn't get the domain membership to work, but none of those posts had any resolution associated with them. It would seem to me that I am having some kind of routing problem, but I don't know how to overcome it, if it is possible. Has anyone out there also run into this problem?

I can certainly include all of the appropriate configurations, but since it works without the VPN SAs, I didn't, as I thought it didn't have anything to do with things like firewall rules that might be too restrictive. (BTW, the FW type is 'open' right now for testing purposes.)

Thanks a bunch for the help in advance.

Chris Schremser
steffen@vorrix.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
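The poster says the tcpdump "appears to show" broadcast domain-controller lookups but cannot tell for certain. The script below is an added diagnostic example, not part of the original post or of any FreeBSD tool: it reads tcpdump-style lines and separates NetBIOS traffic (UDP 137 name service, UDP 138 datagram, TCP 139 session) into subnet broadcasts, which stay on the local segment and never enter a routed tunnel, versus unicast, which should cross the VPN to the WINS server. The capture text is constructed in roughly tcpdump's NBT output style, and the addresses (192.168.2.x for network B, 192.168.1.10 as the WINS server) are assumptions for illustration only.

```python
import re
from collections import Counter

# Constructed sample in roughly tcpdump's NetBIOS (NBT) output style; not a real capture.
# 192.168.2.20 is a hypothetical network B workstation, 192.168.1.10 a hypothetical WINS server.
SAMPLE_CAPTURE = """\
18:59:43.101 IP 192.168.2.20.137 > 192.168.2.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
18:59:43.102 IP 192.168.2.20.137 > 192.168.2.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
18:59:43.250 IP 192.168.2.20.137 > 192.168.1.10.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
18:59:43.251 IP 192.168.1.10.137 > 192.168.2.20.137: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
18:59:44.000 IP 192.168.2.20.138 > 192.168.2.255.138: NBT UDP PACKET(138)
18:59:44.500 IP 192.168.2.20.1025 > 192.168.1.10.139: Flags [S], seq 1, win 8192, length 0
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>" -- the shape tcpdump prints for IPv4 UDP/TCP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Destination ports that carry NetBIOS over TCP/IP.
NETBIOS_PORTS = {137: "nbname", 138: "nbdgram", 139: "nbsession"}


def classify(line):
    """Return a record for a NetBIOS packet line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    if dport not in NETBIOS_PORTS:
        return None
    dst = m.group("dst")
    rest = m.group("rest")
    # Subnet-directed (x.x.x.255) and limited broadcasts stay on the local LAN;
    # tcpdump also flags NBT name-service broadcasts explicitly.
    is_broadcast = dst.endswith(".255") or dst == "255.255.255.255" or "BROADCAST" in rest
    return {
        "src": m.group("src"),
        "dst": dst,
        "service": NETBIOS_PORTS[dport],
        "broadcast": is_broadcast,
        "rest": rest,
    }


def summarize(capture_text):
    """Count NetBIOS packets by service and delivery mode; list unicast name-query targets.

    Returns (counts, name_servers). A name query sent unicast lands on a WINS server (or
    an LMHOSTS-configured host); a broadcast one can only be answered on the local segment.
    """
    counts = Counter()
    name_servers = set()
    for line in capture_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        mode = "broadcast" if rec["broadcast"] else "unicast"
        counts[f"{mode}_{rec['service']}"] += 1
        if rec["service"] == "nbname" and not rec["broadcast"] and "REQUEST" in rec["rest"]:
            name_servers.add(rec["dst"])
    return counts, sorted(name_servers)


def broadcast_query_share(counts):
    """Fraction of name-service (port 137) packets that were broadcast, 0.0 if none seen."""
    total = counts["broadcast_nbname"] + counts["unicast_nbname"]
    return counts["broadcast_nbname"] / total if total else 0.0


if __name__ == "__main__":
    counts, servers = summarize(SAMPLE_CAPTURE)
    for key, n in sorted(counts.items()):
        print(f"{key:22s} {n}")
    print("unicast name queries went to:", servers)
    print(f"broadcast share of name-service traffic: {broadcast_query_share(counts):.0%}")
```

Feed it real output from `tcpdump -n udp port 137 or udp port 138 or tcp port 139` taken on the network B side of the firewall: a high broadcast share for port 137 with no unicast requests to the WINS address means the locator is not consulting WINS at all, whereas unicast requests that leave but get no reply point at the tunnel or its policy rather than name resolution.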