[Vpn-help] Supporting SMB with native Windows Workstations via Shrew 2.1.4

Charles Buckley ceb at mauto.com
Sun Nov 8 17:45:40 CST 2009


I have managed to set up both an SSL and an IPSec-VPN to a new Netgear
FVS336G router, the latter using both the supplied Netgear client (which
only runs on 32 bits) and Shrew 2.1.4.  This router is somewhat
disappointing in that, despite marketing claims that it would run 'anytime,
anywhere,' in fact, it only works with these two browsers, and only on a
32-bit Windows machine.  As my client must be 64-bit, I am forced to use
the IPSec-VPN.

 

When an SSL-VPN is set up, I am able to assign the VPN virtual LAN IP
addresses on the same class C subnet as things actually connected to the
LAN, and I can browse back and forth between workstations on the LAN and VPN
with no problem.  For example, if I use 192.168.0.[0-100] for fixed IP LAN
addresses, 192.168.0.[100-150] for DHCP LAN IP addresses, and
192.168.0.[200-220] for the range of addresses assigned to VPN clients that
connect, then I have no trouble browsing from, say, 192.168.0.221 to
\\192.168.0.42\c, or from 192.168.0.221 to \\192.168.0.42\c.  I also have
no trouble browsing to Samba servers on the same network in this manner.  I
can also place the SSL VPN clients in a separate class C subnet, such as
192.168.1.xxx, but then I must define a routing rule to 192.168.0.xxx.  This
solution is not as satisfactory, as I can only SMB browse from the VPN to
the LAN, not the other way around.

 

If I switch to an IPSec-VPN, then I am unable to get a tunnel to set up
unless I place the VPNs in a separate class C subnet as described above.
This applies to either the Netgear IPSec VPN Client or to Shrew 2.1.4.  This
would not be a problem, as I am able to ping and web browse to addresses on
the LAN from the VPN or vice-versa, except that when the VPN is so
configured, I am only able to SMB-browse to Samba servers, not to Windows
workstations!  The error message comes back as "no such file or directory".


 

What could be going on here?  How might I configure things differently to be
able to SMB-browse Windows clients via IPSec-VPN using the Shrew client?

 

Charles Buckley

 

By the way, when using Shrew 2.1.4, I have the following additional
problems:

1.	I am not able to use IKE Config Pull, as I get the error message
shown below, and the tunnel does not set up.  The usual support files are
in the attached zip.  So I must set the virtual LAN and DNS addresses in the
VPN client manually.
2.	In order to get the VPN to work from the server side, I may not use
a Mode Config record on the Netgear router.  Instead, I must implement both
an IKE and VPN policy, and in the VPN policy, there must not be any address
restrictions on the remote addresses.     

When using the Netgear client, I must only observe the separate class C
subnet rule.

 

Following is the error message from when Auto-Config is configured:

 

config loaded for site 'corp.mauto.ch'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon ...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: invalidmsgfromgateway.zip
Type: application/octet-stream
Size: 7244 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20091109/db2f6922/attachment-0001.obj>

