From: James P. Kinney III (jkinney_at_localnetsolutions.com)
Date: Tue Dec 17 2002 - 18:44:30 CET
WooHoo!!!! Found the bug!!!
The correct ping method pointed me on the right path.
Without the iptables running, nothing got through. The default setting
(which I forgot to check) was deny everything. The nat table had a rule
that masqueraded everything destined for the ppp0 device. Well, that
included the ipsec+ data. So the returns were failing. I changed the nat
table:
iptables -t nat -I POSTROUTING -o ! ipsec+ -j MASQUERADE
and DELETED the original line. It's showing my samba share(s) on the
remote win2k box.
Many, many, many thanks for the help!!
On Tue, 2002-12-17 at 12:09, Cressatti, Dominique wrote:
> the only difference with my setup is that
> I specified the external IP address of my
> VPN box instead of %default route in the
> roadwarrior connection.
>
> Just to clarify, do you have a route going to your client
> through the IPSec device?
> How do you do your pings?
> The correct way is: ping OtherHostIPAddress -I IPAddressOfInsideCard
>
> Dom
>
> -----Original Message-----
> From: James P. Kinney III [mailto:jkinney_at_localnetsolutions.com]
> Sent: 17 December 2002 17:02
> To: Cressatti, Dominique
> Subject: RE: [Users] SMB through tunnel
>
>
> No joy. Stopped iptables (everything set to accept). Restarted ipsec on
> both ends of the tunnel. First ping shows the link is established. Later
> pings show connectivity. VPN box can't ping far end of tunnel. So no
> data _back_ from smb connection either.
>
> Route says it's there in routing tables (according to netstat -rn).
>
> On the VPN server
>
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
> uniqueids=yes
> nat_traversal=yes
> forwardcontrol=yes
>
> conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> type=tunnel
> # leftupdown=ipsec _updown.x509
>
> conn roadwarrior-net
> leftsubnet=192.168.0.0/24
> also=roadwarrior
>
> conn roadwarrior
> right=%any
> left=%defaultroute
> leftcert=castle.localnetsolutions.com.pem
> auto=add
> pfs=yes
>
>
> On Tue, 2002-12-17 at 11:45, Cressatti, Dominique wrote:
> > Just for A SEC can you stop iptables and see what's
> > happening to really make sure that it isn't your
> > iptables causing the problem.
> >
> > -----Original Message-----
> > From: James P. Kinney III [mailto:jkinney_at_localnetsolutions.com]
> > Sent: 17 December 2002 16:27
> > To: Cressatti, Dominique
> > Cc: IPSEC
> > Subject: RE: [Users] SMB through tunnel
> >
> >
> > Yes. The VPN box is the default gateway for the Samba box. From the VPN
> > box, I can't ping the win2k client, yet it can ping the VPN box and any
> > other machine inside the network. I tested this with the horrible
> > firewall rule of accept anything for INPUT and FORWARD and OUTPUT to or
> > from the ipsec+ interface and then I added the same for all interfaces.
> >
> > On Tue, 2002-12-17 at 11:07, Cressatti, Dominique wrote:
> > > >> But I can't ping from the samba to the win2k machine.
> > > does the samba box have a route to your Linux VPN box?
> > > Usually I would make the VPN/firewall the default route.
> > >
> > > Dom
> > >
> > > -----Original Message-----
> > > From: James P. Kinney III [mailto:jkinney_at_localnetsolutions.com]
> > > Sent: 17 December 2002 15:44
> > > To: Cressatti, Dominique
> > > Cc: IPSEC
> > > Subject: RE: [Users] SMB through tunnel
> > >
> > >
> > > Hmmm. I get a "System error 51 has occurred." The remote computer is not
> > > available.
> > >
> > > It looks like samba is not available through the tunnel. The ping works
> > > from the win2k to the samba. But I can't ping from the samba to the
> > > win2k machine. The route seems to be only one way. There is a route
> > > listed in netstat for the win2k, but nothing gets to it.
> > >
> > > On Tue, 2002-12-17 at 10:04, Cressatti, Dominique wrote:
> > > > I've done it at a higher level, subnet to subnet.
> > > > I think browsing can be a bit tricky; even with a
> > > > Windows client to a Windows VPN server, browsing is
> > > > flaky, so I wouldn't try it.
> > > > Can you instead do something like:
> > > > net use <DriveLetter>: \\IPAddressOfSambaServer\ShareName /user:UserName
> > > >
> > > > Dom
> > > >
> > > > -----Original Message-----
> > > > From: James P. Kinney III [mailto:jkinney_at_localnetsolutions.com]
> > > > Sent: 17 December 2002 14:32
> > > > To: IPSEC
> > > > Subject: [Users] SMB through tunnel
> > > >
> > > >
> > > > I can ping from the roadwarrior Win2K through the tunnel to the gateway
> > > > and inside the private subnet. Now I'm trying to get windows browsing up
> > > > and running through the tunnel. I am explicitly allowing the passing of
> > > > port 137-8 for forwarding of smb datagrams. The Samba server inside the
> > > > private network is (supposedly) running as a WINS server. I have
> > > > specified that the WINS server IP in that of the private address for the
> > > > real Samba server. The Win2K still can't browse the workgroup. smbclient
> > > > can see the shares on the server from inside the private net (not
> > > > tunneled). I'm running out of documentation to read and it just isn't
> > > > doing what I need.
> > > >
> > > > The Samba server is set to be a PDC. All of my windows clients inside
> > > > the private net are virtual (vmware). I can't test the smbclient from
> > > > the roadwarrior linux partition as the laptop has a #*^! winmodem. (I'm
> > > > still looking for the dongle for the pc-card modem that works in Linux).
> > > >
> > > > Has someone successfully done a browse through a tunnel that would be
> > > > willing to document the step-by-step process? If it has already been
> > > > done, and I just haven't found it, could the link to it be posted
> > > > please?
> > > >
> > > > This is great technology. I'll be glad when I understand more of it.
--
James P. Kinney III            \Changing the mobile computing world/
President and CEO               \          one Linux user          /
Local Net Solutions,LLC          \            at a time.          /
770-493-8244                      \.___________________________./
GPG ID: 829C6CA7  James P. Kinney III (M.S. Physics) <jkinney_at_localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
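The root cause James found above is a general one: a POSTROUTING MASQUERADE rule with no exclusion for the KLIPS `ipsec+` interfaces rewrites the source address of packets that are about to enter the tunnel, so the far end replies to the gateway's public address instead of the inside host and the return traffic never matches the tunnel policy. The script below is an added example for this thread, not code posted by anyone on the list: it reads an `iptables-save`-style dump of the nat table and reports any MASQUERADE or SNAT rule in POSTROUTING that lacks a negated `-o ipsec+` match. The three dumps are constructed for the example; the broken one mirrors the rule described in the message, the other two use the fixed rule in both the old `-o ! ipsec+` syntax from the thread and the modern `! -o ipsec+` form.

```python
"""Flag nat/POSTROUTING masquerade rules that would also rewrite traffic
bound for the IPsec tunnel.  Added example for the FreeS/WAN thread above;
the iptables-save dumps below are constructed, not taken from the poster."""
import shlex

TUNNEL_IFACE = "ipsec+"   # KLIPS virtual interfaces ipsec0, ipsec1, ... (assumption)

# Constructed: the rule the thread describes (masquerade everything out ppp0).
BROKEN_NAT = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

# Constructed: the fix from the thread, modern negation syntax.
FIXED_NAT = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o ipsec+ -j MASQUERADE
COMMIT
"""

# Constructed: the same fix written the way 2002-era iptables accepted it.
OLD_SYNTAX_NAT = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ! ipsec+ -j MASQUERADE
COMMIT
"""


def parse_rule(line):
    """Return (chain, {option: (negated, value)}) for an '-A CHAIN ...' line,
    or None for table headers, chain policies and COMMIT.  Understands both
    '! -o iface' and the older '-o ! iface' placement of the negation."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, opts, i, negate = toks[1], {}, 2, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                  # negation before the option
            negate, i = True, i + 1
            continue
        if tok.startswith("-"):
            i += 1
            if i < len(toks) and toks[i] == "!":   # negation after the option
                negate, i = True, i + 1
            val = None
            if i < len(toks) and not toks[i].startswith("-") and toks[i] != "!":
                val, i = toks[i], i + 1
            opts[tok] = (negate, val)
            negate = False
            continue
        i += 1                          # stray token; ignore
    return chain, opts


def masquerade_leaks(dump, tunnel_iface=TUNNEL_IFACE):
    """Return the POSTROUTING SNAT/MASQUERADE rules in an iptables-save dump
    that do not exclude the tunnel interface with a negated -o match."""
    findings = []
    for raw in dump.splitlines():
        line = raw.strip()
        parsed = parse_rule(line) if line else None
        if not parsed:
            continue
        chain, opts = parsed
        if chain != "POSTROUTING":
            continue
        if opts.get("-j", (False, None))[1] not in ("MASQUERADE", "SNAT"):
            continue
        negated, out_if = opts.get("-o", (False, None))
        if negated and out_if == tunnel_iface:
            continue                    # tunnel traffic is explicitly exempt
        findings.append(line)           # anything else also rewrites tunnel packets
    return findings


if __name__ == "__main__":
    for name, dump in (("broken", BROKEN_NAT), ("fixed", FIXED_NAT),
                       ("old syntax", OLD_SYNTAX_NAT)):
        print(name, "->", masquerade_leaks(dump) or "ok")
```

Run it against `iptables-save -t nat` output on the gateway to see whether a masquerade rule would catch tunnel traffic before testing pings across the tunnel. On kernels that use the native IPsec stack instead of KLIPS there is no `ipsec+` interface to match, so the exemption is usually written as a negated `-d <remote subnet>` match or with `-m policy --dir out --pol ipsec` instead; this checker only recognises the interface-based form from the thread.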
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Dec 18 2002 - 05:21:04 CET