IPSec and Windows File Sharing
-
Hello guys, after two days of digging the internet I still can't figure it out, so I hope the answer is here. I have two pfsense boxes "1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009". I have two LANs, 192.168.1.0/24 and 192.168.2.0/24. I have two static IPs for my WAN interfaces. I've set up the IPSec VPN reading the tutorial on the site. So far everything is OK. The connection between the two boxes was established BUT (there is always a BUT) Windows file sharing is NOT working no matter whether I'm trying to open it from Site A or Site B. The strange thing is that in LAN A I have two Windows Servers (2003 and 2008) with shared folders, and when I try to open shares from LAN B the only shares I can connect to are those from my two servers on LAN A. Other computers are running Windows XP and I can't access their shares either from LAN A to LAN B or from LAN B to LAN A. I have access to \\192.168.1.3\folder and \\192.168.1.4\folder (my two servers) but when I try \\192.168.1.5\folder, which is an XP machine, it can't be found. Everything else (VNC, ping, remote desktop, etc.) is working perfectly. The other thing is that the connection is somehow suspended or goes to sleep after a while. Both pfsense boxes show that the connection is established but there is no ping, VNC or any connection between the two LANs. I've set the keep alive host to be a LAN A address from LAN B and vice versa; it is still going off after a while. After restarting both boxes it's working again !?
Thanks in advance guys :)
-
OK I've found the problem with not seeing shares - Windows Firewall. I've just disabled the Windows Firewall and voila, there is sharing :) But file copying is really slow, 3-4MB in about 1-1.5 minutes. And I'm still looking for a solution to the hanging :) I'm guessing there is a problem with the keep alive option in pfsense ?
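
Added example (not part of the original posts): rather than leaving Windows Firewall disabled, the File and Printer Sharing exception on an XP SP2 or later machine, which is scoped to the local subnet by default, can be widened to include only the remote LAN. It assumes the machine is on Site A (192.168.1.0/24) and the remote LAN is 192.168.2.0/24, as in the first post; on Site B machines use 192.168.1.0/24 instead.

```bat
:: Run in a Command Prompt as an administrator on each Windows XP machine at Site A.
:: Assumption: the remote site LAN is 192.168.2.0/24 (taken from the first post).

:: Turn Windows Firewall back on.
netsh firewall set opmode mode=ENABLE

:: Allow SMB/NetBIOS file sharing from the local subnet and the remote LAN only.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=LocalSubnet,192.168.2.0/24

:: Confirm the exception and the scope that is now in effect.
netsh firewall show service
```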
-
Not sure about the hanging, usually DPD will detect a dead tunnel and reconnect. I run IPsec in many locations and it works fine even for windows sharing.
XP and Windows Server 2003 use an older version of SMB which is not very good over VPNs or other high-latency links. It's also possible you're hitting an encryption limit on a CPU on one of those routers. If you do a transfer between Vista, Windows 7, or Server 2008, it usually works much faster since they all use a newer revision of the SMB protocol.
-
Thanks for your reply. If I check the status it says it's connected but it's actually not. Restarting racoon helps to bring it back on. I have also tried something else on another remote machine. I connected a mobile client using the Shrew VPN client. I ran ping -t xxx.xxx.xxx.xxx and it was up and running all night pinging. In the morning, just about 20 minutes after I stopped pinging, the connection was dropped. Maybe there is something in common with these problems ?
-
Doesn't sound familiar. I've got IPsec connections going every which way on 1.2.3 even with mobile clients and they all work fine without any manual intervention.
Is there anything in the log at all when the connections stop working? Does checking "prefer old IPsec SA" under advanced make any difference?
-
having similar problems with 2.0.
connection won't establish itself unless traffic is passing..
(pfSense-2.0-BETA3-20100624-2235), ipsec site-to-site ..to me it doesn't make problems, since everything else concerning ipsec site-to-site is fine, as long as traffic could pass.
it doesn't make the hosts unreachable, it's just initiating the tunnel the moment before traffic is passing. sometimes the first packets are very late till dropped, after then, everything is fine.. i didn't test its "long-term" reliability for now..
-
Doesn't sound familiar. I've got IPsec connections going every which way on 1.2.3 even with mobile clients and they all work fine without any manual intervention.
Is there anything in the log at all when the connections stop working? Does checking "prefer old IPsec SA" under advanced make any difference?
Can you give me some direction where to check for logs about this problem ? I've just checked prefer old IPSec SA and will test it all night. Thanks again for your replies !
-
See how that test goes and if that doesn't help, you might want to adjust some of your key lifetimes to be a bit longer, and make sure they are not set to the same value.
-
So far so good - still got tunnel and/or if it goes off just one ping or other request brings it back on which is great. Testing continue… But i still have problems with mobile client. Which values do you mean NOT to be the same ?
-
The phase 1 and phase 2 lifetimes.
-
Nope, not the same: 28800 phase 1 and 86400 phase 2. The mobile client continues hanging. More interesting is that the client is connected but there is no transfer. When I check the mobile client its status is connected, but when I try ping - request timed out.
-
OK, after a couple of days testing vpn between the two pfsense boxes work perfect, but i still have problems with vpn client. Any ideas about that ?
-
Please help with the mobile clients… The connection still goes to sleep after a while... It says it's connected to one of the pfsense boxes and it's working, but it connects to the other one and it says it's connected and not working ?! Any ideas would be great... Thanks in advance guys....
-
OpenVPN is a more reliable mobile solution and without the limitations of the IPsec implementation. I would switch the mobile clients to OpenVPN.
-
So is it possible to have OpenVPN and IPSec running at the same time ?
-
Yes
-
Thanks for your reply. If i check the status it says it's connected but it's actually not. Restarting racoon helps for bringing it back on. I have also tried something else on other remote machine.
This is the EXACT problem I am having with my setup. My message is posted with the subject, "IPsec tunnel randomly drops."
There is nothing in the IPsec logs that indicates the tunnel is down, but all data stops passing. Just like yours, the tunnel shows to be up.
Kind regards,
-=Zapped=-
-
Well i have this problem only with mobile clients. Site-to-site is working great. I did setup OpenVPN for mobile client now and it is working but the connection is really slow when i'm accessing files through share. ???
-
Are you using TCP or UDP for your OpenVPN tunnel? If you're using TCP, change it to UDP and see if that fixes your issue. Turning compression on can help as well. Otherwise, consider the size of the pipe you're using and what its upload speed is. I had an executive who was trying to work on a shared 3 gig file across a tunnel complain about how slow it was, which is true since he only had a 512k upload.
-
Thanks submicron UDP did solve the problem. I'm using it to access mdb file like 5mb not 3GB :) from time to time. I'm going to use this thread to ask another question - I have two pfsense boxes IPSec site-to-site and it's working ok - 192.168.1.0 and 192.168.2.0. I'm connecting OpenVPN Mobile Client(192.168.3.0) to site 1 (192.168.1.0) and it's working ok too. Can i route somehow site2 (192.168.2.0) to access OpenVPN client ?