Koozali.org: home of the SME Server

VPN fun with freeswan

Max

VPN fun with freeswan
« on: July 13, 2002, 03:39:07 AM »
I downloaded and installed the dmc-mitel-freeswan-0.4-12.noarch.rpm available at http://myezserver.com/downloads/mitel/contrib/freeswan-0.4/freeswan-howto.html onto two SME ver 5.1.2 servers on two separate internet connections. I am playing around with it and have had some success so far. I am connecting a 192.168.0.x network to a 192.168.1.x network over the internet.

My question is: what kind of connectivity should this provide? I can ping the remote SME server from behind my local SME server as if the remote server were local, but I cannot connect via any other protocol. I cannot ftp, ssh or http to the remote machine as if it were local.

From the remote server I can ping local clients here that are behind the local SME server so connectivity is working both ways, but only at the ICMP level.

ryan

Re: VPN fun with freeswan
« Reply #1 on: July 13, 2002, 05:05:36 AM »
Do you have local networks defined on each SME?  How about name resolution?  NetBIOS broadcasts will not pass a router.  I use SME servers to link 3 locations and have no problem with ssh or html from a Win2k laptop at site A to SME at B or C.

Good Luck

RS

Max

Re: VPN fun with freeswan
« Reply #2 on: July 13, 2002, 05:14:59 AM »
Yes, I have tried defining the remote networks as local for each server and still the clients cannot see shares on the remote servers. Let me make the setup a little more clear just in case. I have installed and configured freeswan on 2 SME servers that are connected across the internet.

I was under the impression that once these two gateways were setup and configured, there would be no need for any configuration on the clients behind the gateways, is that correct? I can ping from the clients behind the gateways to each other without any extra setup.

(client network) [gateway]
my setup:

(192.168.0.x) -> [192.168.0.1/internet IP] -> <- [internetIP/192.168.1.1] <- (192.168.1.x)

and the two [gateways] are the ones with freeswan installed... they can ping back and forth as if local, and clients behind them can ping back and forth as if everyone was local... but nothing higher level seems to work.
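The setup above, written out as a FreeS/WAN 1.x net-to-net connection. This is an added example, not the configuration that the dmc-mitel-freeswan contrib generates through server-manager: it renders the ipsec.conf text for the two gateways and checks which packets the tunnel's subnet selectors cover, which is why clients behind each gateway need no configuration of their own. The public addresses (203.0.113.1, 198.51.100.1), the nexthop routers and the connection name are placeholders, not values from the thread.

```python
"""Added example (not from the forum thread or the freeswan contrib): render a
FreeS/WAN 1.x net-to-net ipsec.conf for two SME gateways and test which
packets fall inside the tunnel's selectors."""
import ipaddress
from dataclasses import dataclass


def overlapping(a: str, b: str) -> bool:
    """A net-to-net tunnel needs disjoint LANs on the two sides."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


@dataclass(frozen=True)
class NetToNet:
    name: str
    left: str          # public IP of gateway A (placeholder)
    leftnexthop: str   # A's ISP router (placeholder)
    leftsubnet: str    # LAN behind A
    right: str         # public IP of gateway B (placeholder)
    rightnexthop: str  # B's ISP router (placeholder)
    rightsubnet: str   # LAN behind B

    def __post_init__(self) -> None:
        if overlapping(self.leftsubnet, self.rightsubnet):
            raise ValueError(f"{self.leftsubnet} overlaps {self.rightsubnet}")

    def render(self) -> str:
        """ipsec.conf in FreeS/WAN 1.x syntax; the same file works on both
        gateways because FreeS/WAN works out which side it is from 'left'/'right'."""
        lines = [
            "config setup",
            "\tinterfaces=%defaultroute",
            "\tklipsdebug=none",
            "\tplutodebug=none",
            "\tplutoload=%search",
            "\tplutostart=%search",
            "",
            f"conn {self.name}",
            f"\tleft={self.left}",
            f"\tleftnexthop={self.leftnexthop}",
            f"\tleftsubnet={self.leftsubnet}",
            f"\tright={self.right}",
            f"\trightnexthop={self.rightnexthop}",
            f"\trightsubnet={self.rightsubnet}",
            "\tauthby=secret",   # pre-shared key from ipsec.secrets
            "\tauto=start",
        ]
        return "\n".join(lines) + "\n"

    def secrets_line(self, psk: str) -> str:
        """Matching ipsec.secrets entry (same line on both gateways)."""
        return f'{self.left} {self.right} : PSK "{psk}"\n'

    def covers(self, src: str, dst: str) -> bool:
        """True if a packet src->dst matches the tunnel's selectors in either
        direction. Only such packets are encrypted; a packet whose source has
        been rewritten to the gateway's public address no longer matches."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        l = ipaddress.ip_network(self.leftsubnet)
        r = ipaddress.ip_network(self.rightsubnet)
        return (s in l and d in r) or (s in r and d in l)


# The thread's topology with placeholder public addresses (documentation ranges).
SITE_A_TO_B = NetToNet(
    name="sitea-siteb",
    left="203.0.113.1", leftnexthop="203.0.113.254", leftsubnet="192.168.0.0/24",
    right="198.51.100.1", rightnexthop="198.51.100.254", rightsubnet="192.168.1.0/24",
)

if __name__ == "__main__":
    print(SITE_A_TO_B.render())
    print(SITE_A_TO_B.secrets_line("replace-with-a-long-random-secret"))
    for src, dst in [("192.168.0.10", "192.168.1.1"), ("203.0.113.1", "192.168.1.1")]:
        print(f"{src} -> {dst}: {'tunnelled' if SITE_A_TO_B.covers(src, dst) else 'not covered'}")
```

The `covers` check is the useful part: a client at 192.168.0.10 talking to 192.168.1.1 is inside the selectors and is encrypted without any client-side setup, while the same packet with its source masqueraded to 203.0.113.1 is not, so any NAT rule on the gateway has to leave traffic for the remote LAN alone.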

Guck Puppy

Re: VPN fun with freeswan
« Reply #3 on: July 13, 2002, 05:23:38 AM »
And when you open a windows explorer window and type :

\\some-remote-network-windows-machine-ip\

from the local network, (and assuming that file and printer sharing is enabled on the remote windows machine) what happens?

and vice versa?

G

PS. For assistance in seeing things remotely from a remote windows machine and back again (etc, etc) might I mention http://www.radmin.com/ as a very capable VNC-like tool.

Max

Re: VPN fun with freeswan
« Reply #4 on: July 13, 2002, 05:36:58 AM »
Everything besides ping times out.
Here is a good example: if I log into one of the SME servers and do ping 192.168.1.1 (from 192.168.1.1) then it pings away happily; if I do "lynx 192.168.1.1" it never gets a connection to port 80.

Back on Monday thanks for all the help so far.

Lloyd Keen

Re: VPN fun with freeswan
« Reply #5 on: July 13, 2002, 06:08:22 PM »
After you have setup the tunnels and added the local networks in the manager go back into the IPSec VPN section and click on the modify radio button (no need to actually modify anything). Apparently this restarts masq allowing the remote network to pass through the firewall. You must do this on both sites AFTER the tunnels and local networks are setup.

Michael Smith

Re: VPN fun with freeswan
« Reply #6 on: July 14, 2002, 09:26:58 AM »
Well, I've read that before, and just tried it again with a working tunnel that spans half a continent ... but it doesn't seem to work.  The main objective of the VPN -- access to a SCO box behind one of the SME boxes -- works great, as does remote printing back to the other network.  Win2K or XP boxes can map & use shares by \\{IP}\{sharename} but Win9x boxes canNOT.  I've tried entries in the HOSTS file, in LMHOSTS, making workgroup names the same, I've tried telling boxes on both sides of the network to use an NT box as a WINS server, no dice.  I haven't managed to get too far into WINS & replication issues but I suspect something along those lines might get me where I wish to go.

I haven't had the nerve to update to 5.5, even though I understand that FreeS/WAN goes to 1.97, nor have I tried to manually update to the latest ... the VPN is working and I'm happy for that.

Any "heavy hitters" out there care to comment?  Has ANYONE successfully done any sort of Windows fileshare & printer use over this sort of VPN?

ryan

Re: VPN fun with freeswan
« Reply #7 on: July 22, 2002, 12:29:39 PM »
Michael,

I have 3 locations linked by 3 SME 5.1.2 servers.  All clients are NT4 and win2k.  All behave as if all are on the same local network.  I have a WINS (NT4) at each location, with replication set up.  All clients use the WINS server at their location.  All clients connect to an Exchange 5.5 server using its NetBIOS name.  I have not found anything that does not work except for using NetBIOS broadcasts which won't cross a router anyway.  IPSEC VPN has been reliable.  Ping responses between sites are typically around 30ns.

good luck

ryan

Max

Re: VPN fun with freeswan
« Reply #8 on: July 22, 2002, 08:44:39 PM »
Thank you all for the help so far.

So it sounds like I should be able to get pretty much all the connectivity over the VPN that I could get via NAT (web, ftp, ping, etc., plus I have a VPN),
but NetBIOS will not travel, so no calling computers by their Windows names, and no Windows file sharing?

If someone could just verify this, that would be great.

Thanks,

Max

ryan

Re: VPN fun with freeswan
« Reply #9 on: July 22, 2002, 10:05:57 PM »
If you have all Win2k/XP systems, you will have to use either DNS or WINS for name resolution.  If any NT or 9x systems, you have to use WINS.  WINS servers set up at each location that replicate will allow all clients to communicate with any other client (if your routing is correct of course).    NetBIOS name to IP address can be resolved without DNS or WINS by using 'broadcast', which is enabled by default if you don't use DNS or WINS.  Broadcast messages will not cross a router or a bridge.

SME server includes a WINS server if it is the domain controller.  It will set it up automatically on client computers if you use SME DHCP.  I don't know if SME WINS servers can be set up or will replicate with other SME servers that exist on networks defined in local networks in server manager?  Anyone know if this is possible?

ryan
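To make the broadcast-versus-WINS point in the reply above concrete, here is an added example (not code from the thread or from SME Server) that builds a NetBIOS Name Service query as a client sends it on UDP port 137, in both forms: the broadcast query a client with no WINS server falls back to, and the unicast query it sends to a configured WINS server. Name encoding and packet layout follow RFC 1001/1002. The host name SCOBOX, the LAN 192.168.0.0/24 and the WINS address 192.168.0.2 are made-up sample values.

```python
"""Added example (not from the forum thread): NetBIOS name query packets per
RFC 1001/1002, and where a client sends them with and without a WINS server."""
import ipaddress
import struct
from typing import Optional, Tuple

NBNS_PORT = 137
QTYPE_NB = 0x0020    # NetBIOS general name service resource record
QCLASS_IN = 0x0001
FLAG_RD = 0x0100     # recursion desired (always set by clients)
FLAG_B = 0x0010      # broadcast query


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1002 section 4.1): pad the name to 15 bytes,
    append the 1-byte suffix, then write each byte as two nibbles added to 'A'.
    The wildcard name '*' is NUL-padded instead of space-padded."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix & 0xFF])
    return bytes(0x41 + nib for byte in raw for nib in ((byte >> 4) & 0xF, byte & 0xF))


def build_name_query(name: str, broadcast: bool, txid: int = 0x1234, suffix: int = 0x00) -> bytes:
    """NAME QUERY REQUEST: 12-byte header, one question (length-prefixed 32-byte
    encoded name, NUL terminator), QTYPE NB, QCLASS IN. 50 bytes in total."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def broadcast_reaches(local_lan: str, target_ip: str) -> bool:
    """A broadcast query is delivered only on the sender's own subnet; the IPsec
    gateway, like any router, does not forward it into the tunnel."""
    return ipaddress.ip_address(target_ip) in ipaddress.ip_network(local_lan)


def plan_name_query(name: str, local_lan: str, wins_server: Optional[str] = None) -> Tuple[str, bytes]:
    """Return (destination IP, packet). With no WINS server configured the
    client broadcasts on its subnet (B-node); with one it sends unicast, which
    is ordinary routed traffic and so crosses the VPN like anything else."""
    if wins_server is None:
        lan = ipaddress.ip_network(local_lan)
        return str(lan.broadcast_address), build_name_query(name, broadcast=True)
    return wins_server, build_name_query(name, broadcast=False)


if __name__ == "__main__":
    # Sample values (constructed): a client on 192.168.0.0/24 looks up SCOBOX,
    # which lives on the remote LAN 192.168.1.0/24.
    for wins in (None, "192.168.0.2"):
        dst, pkt = plan_name_query("SCOBOX", "192.168.0.0/24", wins)
        mode = "broadcast" if pkt[2:4] == b"\x01\x10" else "unicast to WINS"
        print(f"{mode:16} -> {dst}:{NBNS_PORT}  {len(pkt)} bytes  flags={pkt[2:4].hex()}")
    print("broadcast can reach 192.168.1.20:", broadcast_reaches("192.168.0.0/24", "192.168.1.20"))
```

The two packets differ only in the B flag (0x0110 versus 0x0100) and in where they are addressed: the broadcast goes to 192.168.0.255 and stops at the gateway, while the unicast goes to the WINS server and is routed like any other packet. That is the whole reason the reply recommends a WINS server at each site with replication between them, or DNS for Win2k/XP-only networks.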