 From:  "Josh McAllister" <josh at bluehornet dot com>
 To:  <tixe at tixe dot com dot ar>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSec VPN
 Date:  Fri, 14 Jan 2005 09:41:52 -0800
From: Tixe Exit [mailto:tixe at tixe dot com dot ar] 
Sent: Friday, January 14, 2005 12:22 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPSec VPN
Importance: High

I have m0n0wall at one end point and a Linksys RV042 at the other, and
the VPN works fine: via TCP/IP I can see the other hosts, via ping,
services or HTTP, but not via NetBIOS, and I need that so that some
workstations can validate their accounts against a Windows 2000 AD
server (the Linksys side is the 2000 AD, and the workstations are behind
the m0n0wall).

[JM>] Fortunately for you "native" NetBIOS/NetBEUI is pretty much
defunct. Win2k / XP / 2003 all run just fine in a strictly IP
environment. The quickest way to start browsing between sites would be
to point your remote site clients to your AD DNS server. Though in the
long run, you'll be better off setting up a second DNS server locally,
and making it a slave so that you won't be without DNS if the tunnel
goes down. Don't be fooled by Primary / Secondary DNS in Windows, as M$
is clearly confused and will pick one arbitrarily.

After the VPN worked, I added a rule to permit the traffic from the LAN
on the Linksys end point to m0n0wall: a rule on the WAN interface, and
some rules on the LAN interface that say permit from Linksys subnet, any
protocol, any port, to LAN subnet, any protocol, any port, but I can't
via the NetBIOS protocol, and in the Linksys RV042 router I mark permit
NetBIOS packets, but in m0n0 I don't see anything for that; I'm using
the m0n0 beta.

[JM>] You should not have to add any rules to be able to pass traffic
via the IPSEC tunnel, as the incoming traffic appears on the LAN.

And one other little thing: I think it would be a very good option to
include in the m0n0wall VPN options (IPsec and OpenVPN) an option where
the gateway subnet IP permits an FQDN or domain name, because if the
end point has a dynamic IP, it is too hard to keep changing the remote
IP gateway every time it changes.

[JM>] Many of us would like to see this, but AFAIK it is a limitation of
the underlying software (racoon).


Josh McAllister
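The reply above argues that a Windows client needs only IP (DNS for the AD SRV records plus a handful of TCP ports to the domain controller) to log on across the tunnel, not NetBIOS. The script below is an added example, not code from the thread or from m0n0wall: it resolves the `_ldap._tcp.dc._msdcs` SRV record for the domain with the system `nslookup` and then probes the DC ports a domain member uses. The domain name `example.local`, the DC names and the embedded `nslookup` output are constructed placeholders; the resolver and connect functions are injectable so the report logic can be exercised offline.

```python
"""Added example: verify pure-IP reachability of an AD domain controller
across a VPN tunnel (no NetBIOS name resolution required).

Assumptions (constructed, not from the original mail): the domain
example.local, the DC host names and the sample nslookup output below.
"""
import re
import socket
import subprocess

# TCP ports a Win2k/XP/2003 domain member needs on a DC for logon and
# group policy when running over IP only (no NetBEUI).
AD_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session service (SMB over NetBIOS/TCP)",
    389: "LDAP",
    445: "SMB over TCP",
}

# Constructed sample output of `nslookup -type=SRV` in the two common
# formats, used for offline testing of the parser.
WINDOWS_NSLOOKUP_SAMPLE = """\
_ldap._tcp.dc._msdcs.example.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.local
"""
UNIX_NSLOOKUP_SAMPLE = """\
_ldap._tcp.dc._msdcs.example.local\tservice = 0 100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local\tservice = 0 100 389 dc2.example.local.
"""


def parse_srv_targets(nslookup_output):
    """Extract SRV target hosts from nslookup -type=SRV output.

    Handles the Windows form ("svr hostname = dc1.example.local") and the
    BIND/Unix form ("service = 0 100 389 dc1.example.local.").
    """
    targets = []
    for line in nslookup_output.splitlines():
        m = re.search(r"svr hostname\s*=\s*(\S+)", line)
        if not m:
            m = re.search(r"service\s*=\s*\d+\s+\d+\s+\d+\s+(\S+)", line)
        if m:
            targets.append(m.group(1).rstrip("."))
    return targets


def resolve_dc_srv(domain, dns_server=None):
    """Ask nslookup for the DC locator SRV record; [] if resolution fails."""
    name = f"_ldap._tcp.dc._msdcs.{domain}"
    cmd = ["nslookup", "-type=SRV", name] + ([dns_server] if dns_server else [])
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return []
    return parse_srv_targets(out)


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_reachability(domain, dns_server=None,
                          resolve=resolve_dc_srv, connect=tcp_open):
    """Return {"srv_targets": [...], "ports": {host: {port: bool}}}."""
    targets = resolve(domain, dns_server)
    report = {"srv_targets": targets, "ports": {}}
    for host in targets:
        report["ports"][host] = {p: connect(host, p) for p in AD_TCP_PORTS}
    return report


def missing_services(report):
    """List (host, port, service) that failed; empty means IP-only logon
    should work. An empty SRV list means DNS is not pointed at the AD DNS."""
    failed = []
    for host, ports in report["ports"].items():
        for port, ok in ports.items():
            if not ok:
                failed.append((host, port, AD_TCP_PORTS[port]))
    return failed


if __name__ == "__main__":
    import json
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.local"
    server = sys.argv[2] if len(sys.argv) > 2 else None
    rep = check_dc_reachability(domain, server)
    print(json.dumps(rep, indent=2))
    for host, port, svc in missing_services(rep):
        print(f"BLOCKED: {host}:{port} ({svc})")
```

Run it from a workstation behind the m0n0wall as `python check_dc.py example.local 192.0.2.10` (with your own domain and the AD DNS address); an empty SRV list means the client is not using the AD DNS server yet, and a blocked 445 or 389 points at a filter on the path rather than at a NetBIOS problem.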