Re: [Users] Logon on NT domain over Ipsectunnel

From: Bill Czagas (wczagas_at_cfl.rr.com)
Date: Sun Sep 22 2002 - 03:56:38 CEST


If you are using an actual Windows domain (not a workgroup...), then consult the
following Windows sites about Kerberos authentication and IPSec tunnels.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q253169
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q254949&

Basically a version of Windows IPSec allows distribution of key info by Kerberos,
therefore they can't send Kerberos traffic down a VPN tunnel. (Much like IKE
travels outside a tunnel...) So in their infinite wisdom, they decided that all
UDP/TCP traffic on port 88 would not pass down an IPSec tunnel. The problem is
that all Windows authentication traffic uses Kerberos. So you can't authenticate
a Windows domain client through a Windows IPSec tunnel. Microsoft offers no
solution, but I found the following registry entry from a non-microsquish site
which works for Win 2k:

HKLM\SYSTEM\CurrentControlSet\Services\IPSec\NoDefaultExempt
This key needs to be added to the registry as a DWORD value. It can be set
to 0 or 1 in Windows 2000, or 0, 1, or 2 in Windows XP:

0 = default exemptions are still active
1 = disable the exemption for RSVP and Kerberos
2 = disable the exemption for broadcast and multicast (Windows XP only!)
I don't know if there is one for NT. To be sure you are using a domain, check
your 'Network Identification'. Under properties you will have domain checked if
you are part of a Windows domain. You will need to put in the address of your
domain controller under your WINS server list for your TCP/IP properties, or put
it in your lmhosts file.

None of this applies to the old-fashioned workgroups, which in theory should
work fine through IPSec as long as you know who your WINS servers are, and you
have 'NetBIOS over TCP' checked. I say in theory, since I never got it
functioning as advertised, but I was using Samba. I have never gotten a good
explanation of the Windows name resolution order, especially for remote
machines with multiple naming services available.

--
BC
----- Original Message -----
From: "Hannes Riechmann" <hriechmann_at_web.de>
To: <users_at_lists.freeswan.org>
Sent: Saturday, September 21, 2002 10:08 AM
Subject: [Users] Logon on NT domain over Ipsectunnel
> Hey Folks
> The following situation:
> I managed to open a Freeswan <-> SSHSentinel connection and I am even
> able to ping the subnet and the WINS server.
> BUT when I want to logon on my NT network it always fails even though
> tcpdump(subnet) writes the following:
>
> 15:49:12.731096 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): OPUNKNOWN; REQUEST; UNICAST
>
> 15:49:12.732458 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): REGISTRATION; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.759822 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
>
> 15:49:12.760102 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.787050 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
>
> 15:49:12.787281 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.807327 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): OPUNKNOWN; REQUEST; UNICAST
>
> 15:49:12.808363 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): REGISTRATION; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.826011 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
>
> 15:49:12.826229 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.845320 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): OPUNKNOWN; REQUEST; UNICAST
>
> 15:49:12.846607 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): REGISTRATION; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.861992 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
>
> 15:49:12.862206 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.881945 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): OPUNKNOWN; REQUEST; UNICAST
>
> 15:49:12.882890 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): REGISTRATION; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.899489 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
>
> 15:49:12.899697 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
>
> 15:49:12.918936 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
> >>> NBT UDP PACKET(137): OPUNKNOWN; REQUEST; UNICAST
>
> 15:49:12.919861 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns
> >>> NBT UDP PACKET(137): REGISTRATION; POSITIVE; RESPONSE; UNICAST
>
>
> If someone knows what's going wrong I would be pleased if you could help
> me to solve my problem
> bye
> Hannes
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
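As an added example (not part of either message in this thread), here is a small Python parser for the old-style tcpdump NBT lines Hannes quoted; it tallies the NetBIOS name-service operations and reports whether any Kerberos (port 88) traffic reached the subnet alongside them, which is the distinction Bill's reply turns on. The sample trace is constructed from the quoted capture, and the single 'kerberos' line is a constructed assumption of what a domain-logon packet would look like in that format.

```python
import re
from collections import Counter

# Constructed sample in the old tcpdump style quoted in the thread; the final
# 'kerberos' line is constructed to show what a reaching logon packet looks like.
SAMPLE_TRACE = """\
15:49:12.731096 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
>>> NBT UDP PACKET(137): OPUNKNOWN; REQUEST; UNICAST
15:49:12.732458 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns:
>>> NBT UDP PACKET(137): REGISTRATION; POSITIVE; RESPONSE; UNICAST
15:49:12.759822 192.168.40.15.netbios-ns > 192.168.50.1.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:49:12.760102 192.168.50.1.netbios-ns > 192.168.40.15.netbios-ns
>>> NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
"""
KERBEROS_LINE = "15:49:13.102000 192.168.40.15.1033 > 192.168.50.1.kerberos: udp 1330\n"

# "HH:MM:SS.us a.b.c.d.port > a.b.c.d.port[: detail]"; the port is a name
# (netbios-ns, kerberos) or a number, so the last dot of each endpoint splits it.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+)"
    r" > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:\s]+):?\s*(?P<rest>.*)$")
NBT_RE = re.compile(r"^>>> NBT UDP PACKET\(137\): (?P<ops>.+)$")

def parse_trace(text):
    """Pair each tcpdump header line with its '>>> NBT ...' detail line, if any."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(dict(m.groupdict(), nbt=None))
            continue
        m = NBT_RE.match(line)
        if m and packets:  # the detail line belongs to the preceding header
            packets[-1]["nbt"] = [op.strip() for op in m.group("ops").split(";")]
    return packets

def diagnose(packets):
    """Count NBT name-service operations and look for Kerberos (port 88) packets."""
    nbt_ops = Counter(p["nbt"][0] for p in packets if p["nbt"])
    kerberos = [p for p in packets
                if {"kerberos", "88"} & {p["sport"], p["dport"]}]
    if kerberos:
        verdict = "Kerberos traffic reached the subnet"
    elif nbt_ops:
        verdict = "NBT name service works but no Kerberos reached the subnet"
    else:
        verdict = "no NBT or Kerberos traffic seen"
    return {"nbt_ops": dict(nbt_ops), "kerberos_packets": len(kerberos), "verdict": verdict}
```

Run on the quoted capture alone, the verdict is the name-service-only case; appending the constructed Kerberos line flips it, which is the difference to look for on the subnet side of the tunnel.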


This archive was generated by hypermail 2.1.5 : Mon Sep 23 2002 - 05:20:13 CEST