#1 -- June 29th, 2013, 08:37 PM
dpchrist (Junior Member, NETGEAR Newbie; Join Date: May 2013; Posts: 11)
FVS318G VPN and Windows XP workgroup networking

I purchased two Netgear FVS318G ProSafe 8-port Gigabit VPN Firewalls on May 23, 2013, and have updated the firmware on both to version 3.1.1-08. I plan to install them at two locations (Tracy and Pleasanton, California) and create a VPN between the two for use by Windows XP, Windows Vista, and Linux hosts.

Both firewalls are currently installed in Tracy for setup and testing:

#1 -- Router Status

System Info
System Name: FVS318G
Firmware Version: 3.1.1-08

LAN Port
MAC Address: 9c:d3:6d:0c:1a:10
IP Address: 192.168.1.1
DHCP: Enabled
IP Subnet Mask: 255.255.255.0

Broadband Configuration
WAN Mode: Single Port
WAN State: UP
NAT: Enabled
Connection Type: Static IP
Connection State: Connected
IP Address: 184.23.143.12
Subnet Mask: 255.255.255.0
Gateway: 184.23.143.1
Primary DNS: 209.221.205.2
Secondary DNS: 209.221.205.3
MAC Address: 9c:d3:6d:0c:1a:12

#2 -- Router Status

System Info
System Name: FVS318G
Firmware Version: 3.1.1-08

LAN Port
MAC Address: 9c:d3:6d:0b:14:3b
IP Address: 192.168.2.1
DHCP: Enabled
IP Subnet Mask: 255.255.255.0

Broadband Configuration
WAN Mode: Single Port
WAN State: UP
NAT: Enabled
Connection Type: Static IP
Connection State: Connected
IP Address: 184.23.143.15
Subnet Mask: 255.255.255.0
Gateway: 184.23.143.1
Primary DNS: 209.221.205.2
Secondary DNS: 209.221.205.3
MAC Address: 9c:d3:6d:0b:14:3d

After initial setup (no VPN), both firewalls and LANs seemed to be working correctly (after creating hosts files on every host) -- including ping and browsing the network using Windows Explorer on Windows XP hosts.

I then added a VPN between the two firewalls:

#1 -- Edit IKE Policy

General
Do you want to use Mode Config Record? No
Select Mode Config Record:
Policy Name: tracy-pleasanton
Direction / Type: Responder
Exchange Mode: Main

Local
Identifier Type: Local Wan IP
Identifier: 184.23.143.12

Remote
Identifier Type: Remote Wan IP
Identifier: 184.23.143.15

IKE SA Parameters
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Authentication Method: Pre-shared key
Pre-shared key: ******** (Key Length 8 - 49 Char)
Diffie-Hellman (DH) Group: Group 2 (1024 bit)
SA-Lifetime (sec): 28800
Enable Dead Peer Detection: No
Detection Period: 10 (Seconds)
Reconnect after failure count: 3

Extended Authentication
XAUTH Configuration: None
Authentication Type: User Database
Username:
Password:

#1 -- Edit VPN Policy

General
Policy Name: tracy-pleasanton
Policy Type: Auto Policy
Remote Endpoint: IP Address: 184.23.143.15
FQDN:
Enable NetBIOS? checked
Enable Keepalive: No
Ping IP Address: 0.0.0.0
Detection period: 10 (Seconds)
Reconnect after failure count: 3

Traffic Selection (this field is not editable, because NetBIOS is selected)
Local IP: Subnet
    Start IP Address: 192.168.1.0
    End IP Address: 0.0.0.0
    Subnet Mask: 255.255.255.0
Remote IP: Subnet
    Start IP Address: 192.168.2.0
    End IP Address: 0.0.0.0
    Subnet Mask: 255.255.255.0

Manual Policy Parameters
SPI-Incoming: (Hex, 3-8 Chars)
SPI-Outgoing: (Hex, 3-8 Chars)
Encryption Algorithm: 3DES
    Key-In: (DES-8 Char & 3DES-24 Char)
    Key-Out:
Integrity Algorithm: SHA-1
    Key-In: (MD5-16 Char & SHA-1-20 Char)
    Key-Out:

Auto Policy Parameters
SA Lifetime: 3600 Seconds
Encryption Algorithm: 3DES
Integrity Algorithm: SHA-1
PFS Key Group: checked, DH Group 2 (1024 bit)
Select IKE Policy: tracy-pleasanton

#2 -- Edit IKE Policy

General
Do you want to use Mode Config Record? No
Select Mode Config Record:
Policy Name: pleasanton-tracy
Direction / Type: Initiator
Exchange Mode: Main

Local
Identifier Type: Local Wan IP
Identifier: 184.23.143.15

Remote
Identifier Type: Remote Wan IP
Identifier: 184.23.143.12

IKE SA Parameters
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Authentication Method: Pre-shared key
Pre-shared key: ******** (Key Length 8 - 49 Char)
Diffie-Hellman (DH) Group: Group 2 (1024 bit)
SA-Lifetime (sec): 28800
Enable Dead Peer Detection: No
Detection Period: 10 (Seconds)
Reconnect after failure count: 3

Extended Authentication
XAUTH Configuration: None
Authentication Type: User database
Username:
Password:

#2 -- Edit VPN Policy

General
Policy Name: pleasanton-tracy
Policy Type: Auto Policy
Remote Endpoint: IP Address: 184.23.143.12
FQDN:
Enable NetBIOS? checked
Enable Keepalive: No
Ping IP Address: 0.0.0.0
Detection period: 10 (Seconds)
Reconnect after failure count: 3

Traffic Selection (this field is not editable, because NetBIOS is selected)
Local IP: Subnet
    Start IP Address: 192.168.2.0
    End IP Address: 0.0.0.0
    Subnet Mask: 255.255.255.0
Remote IP: Subnet
    Start IP Address: 192.168.1.0
    End IP Address: 0.0.0.0
    Subnet Mask: 255.255.255.0

Manual Policy Parameters
SPI-Incoming: (Hex, 3-8 Chars)
SPI-Outgoing: (Hex, 3-8 Chars)
Encryption Algorithm: 3DES
    Key-In: (DES-8 Char & 3DES-24 Char)
    Key-Out:
Integrity Algorithm: SHA-1
    Key-In: (MD5-16 Char & SHA-1-20 Char)
    Key-Out:

Auto Policy Parameters
SA Lifetime: 3600 Seconds
Encryption Algorithm: 3DES
Integrity Algorithm: SHA-1
PFS Key Group: checked, DH Group 2 (1024 bit)
Select IKE Policy: pleasanton-tracy

After setting up the VPN:

#1 -- From a Windows XP host on the Tracy subnet:

a. Windows Explorer -> My Network Places -> Entire Network -> Microsoft Windows Network -> Workgroup shows hosts in both the Tracy and Pleasanton subnets. Browsing Tracy hosts works. Attempting to browse a Pleasanton host produces an error dialog:

\\host is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The network path was not found.

b. Entering the IP address of a Pleasanton host into the Windows Explorer Address box produces a different error message:

Windows cannot find '\\192.168.2.129'. Check the spelling and try again, or try searching for the item by clicking the Start button and then clicking Search.

c. Pinging a Pleasanton host by name and by IP address works.

#2 -- From a Windows XP host on the Pleasanton subnet:

a. Windows Explorer -> My Network Places -> Entire Network -> Microsoft Windows Network -> Workgroup produces an error dialog:

Workgroup is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The list of servers for this workgroup is not currently available.

b. Pinging a Tracy host by name and by IP address works.

Any suggestions for how to get Windows networking working correctly in Windows Explorer -- e.g. so that Windows hosts in both subnets can correctly browse the workgroup and hosts in both subnets?

TIA,

David
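The two IKE/VPN policy dumps in the post above have to be exact mirror images of each other (identifiers, endpoints and traffic selectors swapped, everything else identical), and the IKE parameters chosen deserve a second look. The following Python is an added example, not part of the original post and not Netgear code: it transcribes the values posted above into two dictionaries with field names of its own, checks that the two ends describe one tunnel, and flags the legacy parameters. The field names, the "legacy" lists and the recommended replacements are this example's assumptions.

```python
"""Check that two FVS318G IKE/VPN policies describe one tunnel from opposite
ends, and flag legacy IKE/IPsec parameters.

Added example, not from the forum thread and not Netgear code. TRACY and
PLEASANTON transcribe the values posted in the thread; the field names,
the legacy lists and the recommended replacements are this example's own
assumptions.
"""
from ipaddress import ip_network

# Parameters both ends must agree on (anything not in here is per-side).
SHARED_KEYS = ("exchange_mode", "ike_encryption", "ike_auth", "dh_group",
               "esp_encryption", "esp_integrity", "pfs_group")
COMMON = dict(exchange_mode="Main", ike_encryption="3DES", ike_auth="SHA-1",
              dh_group=2, esp_encryption="3DES", esp_integrity="SHA-1",
              pfs_group=2, dpd=False)
TRACY = dict(COMMON, name="tracy-pleasanton", direction="Responder",
             local_id="184.23.143.12", remote_id="184.23.143.15",
             remote_endpoint="184.23.143.15",
             local_subnet="192.168.1.0/255.255.255.0",
             remote_subnet="192.168.2.0/255.255.255.0")
PLEASANTON = dict(COMMON, name="pleasanton-tracy", direction="Initiator",
                  local_id="184.23.143.15", remote_id="184.23.143.12",
                  remote_endpoint="184.23.143.12",
                  local_subnet="192.168.2.0/255.255.255.0",
                  remote_subnet="192.168.1.0/255.255.255.0")

LEGACY_CIPHERS = {"DES", "3DES"}   # 64-bit block ciphers
LEGACY_HASHES = {"MD5", "SHA-1"}
WEAK_DH_GROUPS = {1, 2, 5}         # 768-, 1024- and 1536-bit MODP


def subnet(text):
    """The FVS318G shows subnets as 'address/netmask'; ipaddress accepts that."""
    return ip_network(text, strict=False)


def check_peers(a, b):
    """Return the reasons the two policies would not form one tunnel."""
    problems = []
    if (a["local_id"], a["remote_id"]) != (b["remote_id"], b["local_id"]):
        problems.append("IKE identifiers are not mirrored")
    if a["remote_endpoint"] != b["local_id"] or b["remote_endpoint"] != a["local_id"]:
        problems.append("VPN remote endpoint does not match the peer's local identifier")
    la, ra = subnet(a["local_subnet"]), subnet(a["remote_subnet"])
    lb, rb = subnet(b["local_subnet"]), subnet(b["remote_subnet"])
    if la != rb or ra != lb:
        problems.append("traffic selectors are not mirrored")
    if la.overlaps(ra):
        # Hosts could not tell which side of the tunnel a destination is on.
        problems.append(f"local {la} and remote {ra} overlap")
    for key in SHARED_KEYS:
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    if a["direction"] == b["direction"] == "Responder":
        problems.append("both sides are Responder: nothing will ever bring the tunnel up")
    return problems


def audit(p):
    """Warnings about parameters that were acceptable once but are not now."""
    warnings = []
    if {p["ike_encryption"], p["esp_encryption"]} & LEGACY_CIPHERS:
        warnings.append("3DES/DES is a legacy 64-bit block cipher; use AES")
    if {p["ike_auth"], p["esp_integrity"]} & LEGACY_HASHES:
        warnings.append("SHA-1/MD5 integrity is legacy; use SHA-256 if the firmware offers it")
    if {p["dh_group"], p["pfs_group"]} & WEAK_DH_GROUPS:
        warnings.append("DH group 1/2/5 is too small; use group 14 (2048-bit) or higher")
    if not p["dpd"]:
        warnings.append("Dead Peer Detection is off: a rebooted peer leaves a stale SA until the lifetime expires")
    return warnings


if __name__ == "__main__":
    print("peer check:", check_peers(TRACY, PLEASANTON) or "policies mirror correctly")
    for side in (TRACY, PLEASANTON):
        for w in audit(side):
            print(f"{side['name']}: {w}")
```

Run against the thread's own values the peer check passes and the audit prints four warnings per side; change one side's remote subnet or set both sides to Responder and check_peers names the mismatch, which is the first thing to look at when a tunnel refuses to come up.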
#2 -- June 30th, 2013, 06:22 AM
jmizoguchi (Join Date: Feb 2007; Location: Kentucky, USA)
Re: FVS318G VPN and Windows XP workgroup networking

Use \\ip address.

Resolving \\pc name will fail since NetBIOS doesn't work well in a tunnel.

Set up lmhosts editing on each PC. Also make sure the firewall on each PC trusts the opposite LAN subnet.
#3 -- June 30th, 2013, 10:18 AM
dpchrist
Re: FVS318G VPN and Windows XP workgroup networking

Quote (Originally Posted by jmizoguchi):
Use \\ip address
Thanks for the reply. I see that you post a lot on the Netgear forums. Are you a Netgear employee?

\\ip won't fix Windows Explorer network browsing, which is expected and required for this deployment.

Quote (Originally Posted by jmizoguchi):
Resolving \\pc name will fail since NetBIOS doesn't work well in a tunnel.
\\pc was already (partially) working, but it won't fix Windows Explorer network browsing, which is expected and required for this deployment.

Quote (Originally Posted by jmizoguchi):
Set up lmhosts editing on each PC.
I created C:\WINDOWS\system32\drivers\etc\lmhosts on a Tracy subnet Windows XP host (dc8ct591) and on a Pleasanton subnet Windows XP host (dc86yxb1) and rebooted both hosts (i72600s is a Linux Samba server on the Tracy subnet):

192.168.1.38 dc8ct591 #PRE
192.168.1.72 i72600s #PRE
192.168.2.129 dc86yxb1 #PRE

Attempting to browse Workgroup on dc86yxb1 yields the same error dialog ("The list of servers for this workgroup is not currently available") and attempting to browse Dc86yxb1 on dc8ct591 yields the same error dialog ("The network path was not found"). So, lmhosts files alone do not fix the Windows Explorer network browsing problem.

Quote (Originally Posted by jmizoguchi):
Also make sure the firewall on each PC trusts the opposite LAN subnet.
Turning off the Windows firewall on dc86yxb1 and dc8ct591 and rebooting both (combined with the lmhosts files, above?) fixed the Windows Explorer network browsing problems. :-)

But, turning the Windows Firewall off entirely is not a good practice. Is it possible to add exceptions so that network browsing works with the VPN? Which program(s) and/or port(s)?

TIA,

David
#4 -- June 30th, 2013, 11:02 AM
jmizoguchi
Re: FVS318G VPN and Windows XP workgroup networking

After you edit lmhosts, restart the PC, and from run coins \\pc names does not bring up?
#5 -- June 30th, 2013, 12:45 PM
dpchrist
Re: FVS318G VPN and Windows XP workgroup networking

Quote (Originally Posted by jmizoguchi):
After you edit lmhosts, restart the PC, and from run coins \\pc names does not bring up?
There is no "coins" internal or external command, operable program, or batch file on my Windows XP host (?).

Using Windows Explorer, entering UNC host names in the Address box (e.g. "\\dc86yxb1") works correctly, as does entering UNC IP addresses (e.g. "\\192.168.2.129").

The current question is what program(s) and/or port(s) do I need to add as exceptions to Windows Firewall so that network browsing across the VPN works with Windows Firewall turned on?

I STFW and found a Group Policy MMC snap-in for enabling Windows Firewall logging, but the installer wants an unspecified version of .NET to install. My test machine already has .NET 2.0 SP2, .NET 3.0 SP2, and .NET 3.5 SP1, so I guessed that the MMC wants .NET 1.1. I downloaded the installer for .NET 1.1, but it crashes when I run it. So, I don't have a tool for troubleshooting the interaction between Windows Firewall and Windows Explorer.

David
#6 -- June 30th, 2013, 01:32 PM
jmizoguchi
Re: FVS318G VPN and Windows XP workgroup networking

There are no ports needed in the tunnel.
#7 -- June 30th, 2013, 03:12 PM
dpchrist
Re: FVS318G VPN and Windows XP workgroup networking

Quote (Originally Posted by jmizoguchi):
There are no ports needed in the tunnel.
Given the following:

1. When Windows Firewall is off, hosts on the other side of the VPN tunnel can browse the host shares.

2. When Windows Firewall is on, hosts on the other side of the VPN tunnel cannot browse the host shares.

I can only conclude that Windows Firewall is blocking some program(s) and/or port(s) that are required for browsing the shares from the other side of the VPN tunnel. The question is: what program(s) and/or port(s)? Or, how do I figure out which program(s) and/or port(s)?

David
#8 -- June 30th, 2013, 04:06 PM
dpchrist
Re: FVS318G VPN and Windows XP workgroup networking

Quote (Originally Posted by dpchrist):
The question is: what program(s) and/or port(s)? Or, how do I figure out which program(s) and/or port(s)?
How to figure out which program/ ports:

1. Enable Windows Firewall logging of dropped packets via Start -> Settings -> Control Panel -> Windows Firewall -> Advanced tab -> Security Logging -> Settings -> Log dropped packets check box.

2. Turn on the firewall.

3. Attempt to browse network shares from host on other side of VPN tunnel. Wait for browse attempt to time out and produce error dialog.

4. Go back to target host and look at the log file C:\WINDOWS\pfirewall.log. Observe that TCP packets from browsing host to target host ports 139 and 445 are being dropped.

Windows Firewall already includes an exception File and Printer Sharing that covers ports TCP 139 and TCP 445. The problem is that the default scope is the local subnet only. The solution is to modify the scope of the exceptions to include the subnets on both sides of the VPN tunnel:

1. Start -> Settings -> Control Panel -> Windows Firewall -> Exceptions tab.

2. Select File and Printer Sharing in the list and choose Edit. Observe ports TCP 139, TCP 445, UDP 137, and UDP 138.

3. Select the first port and choose Change scope. Observe default scope is My network (subnet) only.

4. Change scope to Custom list and enter 192.168.0.0/255.255.0.0 in the edit box.

5. Do the same for the other three ports.

HTH,

David
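The procedure in the post above (log dropped packets, read C:\WINDOWS\pfirewall.log, widen the scope of the File and Printer Sharing exception) can be turned into a small tool that does the reading for you. The following Python is an added example, not part of the original post and not a Microsoft or Netgear tool: it parses the W3C-style pfirewall.log format (the "#Fields:" header the firewall writes names the columns), keeps inbound DROP records, classifies each source address as local subnet, VPN peer subnet or other, reports which File and Printer Sharing ports were refused to the peer, and builds the address/mask list for the exception's Custom scope. The sample log lines are constructed for this example; the two subnets are the ones from the thread, and anything else (field names, classification buckets) is the example's own assumption.

```python
"""Read a Windows XP SP2 Windows Firewall log (pfirewall.log) and work out
which File and Printer Sharing ports a VPN peer is being refused on.

Added example, not from the forum thread and not a Microsoft tool. The
lines in SAMPLE_LOG are constructed for this example; the subnets are the
two from the thread. Column names come from the '#Fields:' header.
"""
from ipaddress import ip_address, ip_network

LOCAL_SUBNET = ip_network("192.168.1.0/255.255.255.0")    # Tracy
PEER_SUBNETS = [ip_network("192.168.2.0/255.255.255.0")]  # Pleasanton

# Ports behind the "File and Printer Sharing" exception on Windows XP.
FPS_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Constructed sample: a Pleasanton host (192.168.2.129) trying to browse a
# Tracy host (192.168.1.38), plus one stray source from outside both LANs.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2013-06-30 15:40:01 DROP TCP 192.168.2.129 192.168.1.38 1052 445 48 S 2190342471 0 65535 - - - RECEIVE
2013-06-30 15:40:04 DROP TCP 192.168.2.129 192.168.1.38 1052 445 48 S 2190342471 0 65535 - - - RECEIVE
2013-06-30 15:40:10 DROP TCP 192.168.2.129 192.168.1.38 1053 139 48 S 2190342999 0 65535 - - - RECEIVE
2013-06-30 15:40:11 DROP UDP 192.168.2.129 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2013-06-30 15:40:12 DROP UDP 192.168.2.129 192.168.1.255 138 138 229 - - - - - - - RECEIVE
2013-06-30 15:40:20 DROP TCP 192.168.2.129 192.168.1.38 1054 3389 48 S 2190343111 0 65535 - - - RECEIVE
2013-06-30 15:41:29 DROP ICMP 10.9.8.7 192.168.1.38 - - 60 - - - - 8 0 - RECEIVE
2013-06-30 15:41:30 DROP TCP 10.9.8.7 192.168.1.38 40211 445 48 S 1103999001 0 5840 - - - RECEIVE
2013-06-30 15:42:00 OPEN TCP 192.168.1.38 192.168.2.129 1061 445 - - - - - - - - -
"""


def parse_log(text):
    """One dict per record, keyed by the names in the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#") or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated/rotated lines
                records.append(dict(zip(fields, parts)))
    return records


def inbound_drops(records):
    """Packets the firewall refused on the way in (path RECEIVE)."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def classify(src, local=LOCAL_SUBNET, peers=PEER_SUBNETS):
    ip = ip_address(src)
    if ip in local:
        return "local"
    if any(ip in net for net in peers):
        return "peer"
    return "other"


def summarize(records, local=LOCAL_SUBNET, peers=PEER_SUBNETS):
    """(protocol, dst-port) -> dropped source addresses, split by origin.
    ICMP records carry '-' for the ports, so the port becomes None."""
    summary = {}
    for r in records:
        port = r["dst-port"]
        key = (r["protocol"], int(port) if port.isdigit() else None)
        bucket = summary.setdefault(key, {"local": set(), "peer": set(), "other": set()})
        bucket[classify(r["src-ip"], local, peers)].add(r["src-ip"])
    return summary


def fps_ports_refused_to_peers(summary):
    """The File and Printer Sharing ports that need a wider scope."""
    return {key for key, srcs in summary.items() if key in FPS_PORTS and srcs["peer"]}


def custom_scope(local=LOCAL_SUBNET, peers=PEER_SUBNETS):
    """Value for the exception's Custom list: exactly the subnets in use."""
    return ",".join(f"{n.network_address}/{n.netmask}" for n in [local, *peers])


if __name__ == "__main__":
    summary = summarize(inbound_drops(parse_log(SAMPLE_LOG)))
    for key in sorted(summary, key=lambda k: (k[0], k[1] or 0)):
        print(key, {k: sorted(v) for k, v in summary[key].items() if v})
    print("FPS ports refused to the VPN peer:", sorted(fps_ports_refused_to_peers(summary)))
    print("Custom scope for the exception:", custom_scope())
```

Two design points. The scope it emits is the two /24s actually in use, not 192.168.0.0/255.255.0.0: a /16 also trusts every other 192.168.x.x network a laptop may later be plugged into. And the 10.9.8.7 source in the sample lands in the "other" bucket on purpose: a drop from outside both LANs is something to investigate, not something to add to the scope. The comma-separated address/mask list is the form the Change Scope dialog accepts, and should also be what `netsh firewall set service type=FILEANDPRINT scope=CUSTOM addresses=...` expects on XP SP2 if you would rather script the change.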
#9 -- June 30th, 2013, 04:51 PM
jmizoguchi
Re: FVS318G VPN and Windows XP workgroup networking

Not trusting the opposite LAN subnet in the scope range, if the firewall default is only to trust local.