[Vpn-help] Windows Shares - second try

Matthew Grooms mgrooms at shrew.net
Wed Mar 5 17:15:50 CST 2008 

scott wrote:
> I'm going from memory and a once-upon-a-time tangle with this same issue
> using the cisco vpn client.  It had something to with the way the WINS
> and local/master browsers behave.
> 
> As I recall, the LAN subnet you're trying to WINS browse on needs to
> reverse arp the asking node's IP.  This works flawlessly when you're on
> the local subnet.  If you sniff this with, say, wireshark you should see
> the "who's got" message.
> 
> The answer was to statically arp the vpn client's ip to the WINS
> subnet's lladdr, which is the de facto "gateway" path back to the asking
> WINS client.
> 
> It was something like ... ???
> 
> arp -Fs <your_vpn_ip> aa:bb:cc:dd:ee:ff:00 pub 
> 
> where aa:bb:cc:dd:ee:ff:00 is the lladdr (mac) of the gateway/subnet
> NIC.
> 
> Again, I'm going from a long-a-go-and-far-away recollection so the
> details may be off, but the tactic is, i think, correct.
> 

Scott,

Thanks for your input. I know where you are going with this and it is 
relevant when netbios name services is configured as a broadcast node 
type. You can determine which node type your adapter is configured for 
by looking at the ipconfig /all output. For example ...

Windows IP Configuration

         Host Name . . . . . . . . . . . . : elon
         Primary Dns Suffix  . . . . . . . :
         Node Type . . . . . . . . . . . . : Hybrid
         IP Routing Enabled. . . . . . . . : No
         WINS Proxy Enabled. . . . . . . . : No
         DNS Suffix Search List. . . . . . : shrew.net
                                             shrew.net

In this case, the Node Type is set to hybrid so the host will first try 
unicast netbios resolutions to a WINS server. If the lookup fails, it 
will fall back to broadcast mode. There are several different node types 
supported by WINS. Please see the following for more info ...

http://support.microsoft.com/kb/160177

In broadcast mode, you have the local browser elections and the winner 
becomes the master for your domain or workgroup. In this mode, broadcast 
UDP packets are used to perform name resolution and is only relevant 
when attempting to resolve a name for a host that is within the same 
broadcast domain. This should never be the case for remote access IPsec 
client when they are *properly* assigned a virtual IP address from a 
network that does not overlap with any private network behind the VPN 
gateway. Otherwise you get into a weird situation where broadcast 
requests are being forwarded via IPsec. In your scenario, by adding a 
static ARP entry to the master browser you fooled it into thinking the 
client was on the same physical network as itself. This allowed it to 
forward responses via L2 to the gateway and on to the IPsec client.

-Matthew

More information about the vpn-help mailing list