* Re: Fwd: Re: FreeS/WAN + static NAT + 2 machines
From: Walther @ 2002-09-24 15:28 UTC
To: Antony Stone; +Cc: netfilter
Hey Antony,
I got this setup to work.
These are the changes I made to my setup:
iptables -t nat -A POSTROUTING -o $EXT -s 172.16.2.121 -j SNAT --to <external_freeswan_ip>
iptables -t nat -A PREROUTING -i $EXT -d <external_freeswan_ip> -j DNAT --to 172.16.2.121
iptables -A FORWARD -p 50 -s 172.16.2.121 -j ACCEPT
iptables -A FORWARD -p 50 -d 172.16.2.121 -j ACCEPT
iptables -A FORWARD -p 51 -s 172.16.2.121 -j ACCEPT
iptables -A FORWARD -p 51 -d 172.16.2.121 -j ACCEPT
iptables -A FORWARD -s 172.16.2.121 -p udp --sport 500 -j ACCEPT
iptables -A FORWARD -d 172.16.2.121 -p udp --dport 500 -j ACCEPT
This works fine for me. I can browse the internal HTTP, ping all
workstations and servers and check mail with Lotus Notes.
But I cannot mount any Windows or Samba share. Do you know something about
this?
Best Regards,
Stefan Walther
stefan_walther@gehag-dsk.de
office: +4930/89786448
mobile: +49172/3943961
http://www.gehag-dsk.de
--------------------------------------------------------------
Linux/UNIX is like an Indian Tipi:
No Windows, no Gates and Apache inside.
Outgoing Mail is certified mistake-free.
Examined by DOGMATIC infallibility system.
Version 6.04
Antony Stone <Antony@Soft-Solutions.co.uk>
Sent by: netfilter-admin@lists.netfilter.org
23.09.2002 18:04
To: netfilter <netfilter@lists.netfilter.org>
cc:
Subject: Fwd: Re: FreeS/WAN + static NAT + 2 machines
---------- Forwarded Message ----------
Subject: Re: FreeS/WAN + static NAT + 2 machines
Date: Mon, 23 Sep 2002 16:57:41 +0100
From: Antony Stone <Antony@Soft-Solutions.co.uk>
To: nefilter@lists.netfilter.org
On Monday 23 September 2002 4:51 pm, Walther@gehag-dsk.de wrote:
> > I'm intrigued to know what quantity of data you're trying to shovel
> > through FreeS/WAN that you find the performance of the machine a
> > limitation. Please tell me your link bandwidth and a rough spec of the
> > machine/s you're using.
>
> I have a 2MBit with about 15 official IPs.
What type / speed CPU on the FreeS/WAN box?
How much memory?
What load average does it generate?
I'm surprised you are experiencing performance problems with less than
2Mbits/sec through FreeS/WAN.
> I will install the test machine on Wednesday in the DMZ, and will try
> again with the modes. I rechecked my rules and in my test environment it
> works now (with NAT).
What did you change?
> I will tell you on Wednesday if it works or not, because there is no way
> to test it before this date.
Okay.
Antony.
--
Having been asked to provide a reference for this man,
I can confidently state that you will be very lucky indeed
if you can get him to work for you.
-------------------------------------------------------
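The rules Stefan posted, recast as an added shell example that is not part of his message or of the netfilter project. It generates the same static-NAT and IPsec pass-through rules from three parameters, validates the addresses, and ties every FORWARD rule to the external interface: the PREROUTING DNAT maps all inbound traffic for the official address onto the FreeS/WAN box, so the FORWARD filter is the only thing that limits what reaches it to IKE, ESP and AH. The interface name eth0 and the public address 192.0.2.10 are assumed placeholders; the rules print by default (DRY_RUN=1) and are only applied with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the static-NAT + IPsec
# pass-through rules from the post, parameterised, with every FORWARD rule
# pinned to the external interface. DRY_RUN=1 (the default) prints the
# rules instead of applying them.

DRY_RUN=${DRY_RUN:-1}

# run: print one iptables invocation, or execute it when DRY_RUN=0
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# is_ipv4: succeed only for a dotted quad whose four octets are all 0..255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipsec_passthrough_rules EXT_IF VPN_HOST PUBLIC_IP
#   EXT_IF    external interface of the netfilter box (eth0 is assumed)
#   VPN_HOST  internal address of the FreeS/WAN machine (172.16.2.121 in the thread)
#   PUBLIC_IP the official address statically mapped to VPN_HOST
ipsec_passthrough_rules() {
    ext=$1
    host=$2
    pub=$3
    if ! is_ipv4 "$host" || ! is_ipv4 "$pub"; then
        echo "ipsec_passthrough_rules: bad IPv4 address" >&2
        return 1
    fi

    # 1:1 static NAT between the official address and the FreeS/WAN box
    run -t nat -A POSTROUTING -o "$ext" -s "$host" -j SNAT --to "$pub"
    run -t nat -A PREROUTING -i "$ext" -d "$pub" -j DNAT --to "$host"

    # Only IPsec itself may cross the mapping: ESP (50), AH (51), IKE (UDP 500)
    for proto in 50 51; do
        run -A FORWARD -i "$ext" -p "$proto" -d "$host" -j ACCEPT
        run -A FORWARD -o "$ext" -p "$proto" -s "$host" -j ACCEPT
    done
    run -A FORWARD -i "$ext" -p udp --dport 500 -d "$host" -j ACCEPT
    run -A FORWARD -o "$ext" -p udp --sport 500 -s "$host" -j ACCEPT
}

# Stand-alone demonstration; 192.0.2.10 is a documentation-range placeholder.
ipsec_passthrough_rules "${EXT:-eth0}" "${VPN_HOST:-172.16.2.121}" "${EXT_IP:-192.0.2.10}"
```

Running it without arguments prints the eight rules for review; exporting EXT, VPN_HOST and EXT_IP and setting DRY_RUN=0 applies them. The interface match is the practical difference from the posted rules: without it, the ACCEPT rules for ESP, AH and UDP/500 apply on whichever interface the packet arrives, which is wider than the static mapping needs.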
* Re: Fwd: Re: FreeS/WAN + static NAT + 2 machines
From: Antony Stone @ 2002-09-24 15:48 UTC
To: netfilter
On Tuesday 24 September 2002 4:28 pm, Walther@gehag-dsk.de wrote:
> Hey Antony,
>
> I got this setup to work.
Good. Well done :-) I'm glad it turned out you weren't using transport
mode after all.
> This works fine for me. I can browse the internal HTTP, ping all
> workstations and servers and check mail with Lotus Notes.
>
> But I cannot mount any Windows or Samba share. Do you know something about
> this?
Windows / NetBEUI is a non-routable protocol. It relies on network
broadcasts to do its network browsing, and you cannot do network broadcasts
beyond the local network (i.e. through a router or VPN link).
However, you *should* be able to mount shared drives, or connect to shared
printers etc so long as you know the IP address of the remote machine you
want to connect to.
If you are using a recent version of Windows, try using the IP address of the
machine which has the shares instead of the machine name - you should find
you can connect in the normal way.
As an alternative, or if you're using an older version of Windows, you can
put an entry into the c:\windows\lmhosts file giving the hostname and the IP
address, and this should allow you to set up the share in the usual way.
You won't be able to browse network resources across the VPN link, however -
you must know where they are on the other end.
Antony.
--
Most people have more than the average number of legs.
* Re: Fwd: Re: FreeS/WAN + static NAT + 2 machines
From: Anders Fugmann @ 2002-09-24 20:17 UTC
To: Walther; +Cc: netfilter
Walther@gehag-dsk.de wrote:
>
> But I cannot mount any Windows or Samba share. Do you know something about
> this?
>
As Antony pointed out, it is probably because it is using broadcast to
locate machines, which cannot be routed. You can circumvent this by
setting up a WINS server on the network, and let all Windows machines
use this. A WINS server is a kind of name server for the NetBIOS
protocol. All clients in "hybrid" or "peer" mode will query this machine
to get a list of available servers, and fall back on broadcast if the
machine could not be contacted.
To make Windows use a WINS server you must of course set one up. The
Samba server can easily do this. Then make sure that all clients are
using a WINS server (it should be easy to find in the network settings),
and make sure that they run in the hybrid/H-mode.
If you are using a DHCP server for your Windows clients, you can set it
up to send these parameters automatically to the clients.
I have no experience with DHCP servers other than the Unix dhcp3-server.
The options there are:
option netbios-name-servers <wins-ip-address>;
option netbios-node-type 8;
(node type 8 is the hybrid mode)
That's it.
Anders Fugmann
P.S.
Sorry for getting a bit off-topic, but usually Windows machines are set up
to broadcast, which is a total waste of bandwidth and has big flaws.
This letter may correct some of this.
* Re: Fwd: Re: FreeS/WAN + static NAT + 2 machines
From: Walther @ 2002-09-25 5:37 UTC
To: Antony Stone; +Cc: netfilter
Hi Antony,
I hate w******. I found out that you can mount network drives if the
option "sharing files and printers" is enabled in the network
environment. Without this option there is every time the "systemerror 51".
If you enable this option everything works fine and very fast. I like
FreeS/WAN and I like netfilter.
Thanks for all your help.
Best Regards,
Stefan Walther
stefan_walther@gehag-dsk.de
office: +4930/89786448
mobile: +49172/3943961
http://www.gehag-dsk.de
--------------------------------------------------------------
Linux/UNIX is like an Indian Tipi:
No Windows, no Gates and Apache inside.
Outgoing Mail is certified mistake-free.
Examined by DOGMATIC infallibility system.
Version 6.04
Antony Stone <Antony@Soft-Solutions.co.uk>
24.09.2002 18:57
To: Walther@gehag-dsk.de
cc:
Subject: Re: Fwd: Re: FreeS/WAN + static NAT + 2 machines
On Tuesday 24 September 2002 5:40 pm, Walther@gehag-dsk.de wrote:
> That's the problem. I tried via the IP addresses but there was every time
> this error code:
>
> <--snip-->
>
> c:\net use z: \\10.16.100.62\install
> systemerror 51
>
> the remotecomputer is not available
>
> <--snip-->
Okay, in that case try putting this into your c:\windows\lmhosts file:
<quote>
10.16.100.62 servername
</quote>
That's just a single line (if the file already exists, simply add it at the
end) containing the IP address, a tab (I think spaces are okay too) and the
name you want to call your server - doesn't have to match the hostname if you
don't want it to.
You should then be able to say:
c:\net use z: \\servername\install
The command was completed successfully.
It works for me using Windows 95/98 clients and Samba servers across a
FreeS/WAN IPsec VPN link.
Antony.
--
90% of network problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
* Fwd: Re: FreeS/WAN + static NAT + 2 machines
From: Antony Stone @ 2002-09-23 16:04 UTC
To: netfilter
---------- Forwarded Message ----------
Subject: Re: FreeS/WAN + static NAT + 2 machines
Date: Mon, 23 Sep 2002 16:57:41 +0100
From: Antony Stone <Antony@Soft-Solutions.co.uk>
To: nefilter@lists.netfilter.org
On Monday 23 September 2002 4:51 pm, Walther@gehag-dsk.de wrote:
> > I'm intrigued to know what quantity of data you're trying to shovel
> > through FreeS/WAN that you find the performance of the machine a
> > limitation. Please tell me your link bandwidth and a rough spec of the
> > machine/s you're using.
>
> I have a 2MBit with about 15 official IPs.
What type / speed CPU on the FreeS/WAN box?
How much memory?
What load average does it generate?
I'm surprised you are experiencing performance problems with less than
2Mbits/sec through FreeS/WAN.
> I will install the test machine on Wednesday in the DMZ, and will try again
> with the modes. I rechecked my rules and in my test environment it works
> now (with NAT).
What did you change?
> I will tell you on Wednesday if it works or not, because there is no way to
> test it before this date.
Okay.
Antony.
--
Having been asked to provide a reference for this man,
I can confidently state that you will be very lucky indeed
if you can get him to work for you.
-------------------------------------------------------