1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Can't access shared folders over IPSec VPN Tunnel (RVS4000)

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by jasonboardman, Jan 26, 2007.

  1. jasonboardman New Member

    I've been through tech support with Linksys, and paid support with Microsoft over this and NOTHING! No one has been able to help me.

    MY CONFIGURATION:

    Two LANs at different locations with static IP assignments like this:
    LAN1 machines : 192.168.1.x , subnet mask 255.255.255.0
    LAN2 machines : 192.168.2.x , subnet mask 255.255.255.0

    I have Bellsouth ADSL at both locations with Linksys RVS4000s.

    I have Linux servers and WinXP Pro SP2 workstations on either end,
    for this discussion let's just focus on the WinXP Pro PCs.

    With my successfully established an IPSec VPN Tunnel between LANs:
    * I can ping machines on either end by IP address
    * I can FTP between machines on either end by IP address
    * I can SSH between machines on either end by IP address
    * I can use applications like Laplink & ODBC databases on either end by IP

    MY PROBLEM:
    I cannot access ANY shared folders from one LAN to the other over the VPN connection. A shared folder that exists, and is available on LAN1 cannot be accessed on LAN2. I realize NetBIOS browsing and naming doesn't work over VPNs, but even when I try and access the share directly with the IP address as such: \\192.168.1.5\Sharename it says it cannot find the share.

    I've seen other issues like this posted out there on various forums but not one solution. I've turned off all WinXP firewalls.

    MY QUESTION(s):
    Has anyone out there successfully shared files between WinXP machines over their IPSec VPN Tunnel?
    Can anyone tell me what my problem is?

    Linksys says it's a Microsoft problem, Microsoft says it's a Linksys problem.

    What do you say?
    jasonboardman, Jan 26, 2007
    #1

  2. DocLarge Super Moderator

    Can you ping the routers?
    DocLarge, Jan 27, 2007
    #2

  3. jasonboardman New Member

    Thanks for your reply.

    Yes I can Ping the routers over the VPN, and even remotely configure them over the VPN. I swear, everything is working except windows file sharing.

    Any other ideas?
    jasonboardman, Jan 28, 2007
    #3

  4. ifican New Member

    Yes you can successfully share folder via ip across an ipsec tunnel. Though as you have found out it can be tricky. Frist and foremost attempt to just connect to the ip of the machine that you have files shared on, in your case \\192.168.1.5, if all permissions are setup correctly you will see what folders you have available. If you do not get anything then permission have not been set properly on the machine you are trying to access or windows firewall is blocking the request. If you get the access window showing the shares you can access it there, you can also access it via the run line and ip but you need to tell your machine where it is, why i do not know by here is the example. I have a backup folder on the F drive across the tunnel if i try to access any other way but the following i cannot, i get share not found. Syntax for the backup folder on the F drive is, \\192.168.100.101\backup (f) Let us know how that works out.
    ifican, Jan 29, 2007
    #4

  5. eric_stewart Super Moderator

    What you say is absolutely true and good advice! Let me explain something that I've done on my home network to make the remote access VPN thing even slicker!

    I have setup a Linux box in the DMZ on my RV042 as a DNS server (among other things). The Linux box is setup on the RV042 as its 1st (of two) DNS servers. Thus, when I QuickVPN to my home network, my DNS requests resolve to the the RV042's 1st DNS server...my Linux box since QuickVPN uses the RV042 (QuickVPN gateway) as its own 1st DNS server. This is ver handy, since I've registered the names of all my internal boxes to the DNS server. Interestingly, my domain suffix also resolves to breezy.ca As a result, when I ping "sky" for example, the DNS server appends the domain name suffix to the request and the request becomes "sky.breezy.ca" Since my DNS server is the authority for breezy.ca, the request resolves to sky's internal Ip address, 192.168.0.1, and the ping proceeds.

    This also works with NetBIOS names. ie:, with QuickVPN connected, when I put "\\netfiles" in a browser window to browse the shares on the server "netfiles", this resolves to the IP address 192.168.0.253. I don't find IP addresses hard to remember, tbh, but this is very handy. The other cool thing is that even my internal dynamic IP addresses are registered automatically with the DNS server as they obtain an IP address. This is not something I configured myself, but I'm quite pleased with this particular "auto-magic" thing. I know my daughter's computer is called "ThinkPad-T43" and I can just plug \\ThinkPad-T43 into my Windows Explorer window, confident that the DNS server will resolve it to its address-du-jour. Very kewl.

    I've also noticed that I can connect back to my QuickVPN client from boxes on the inside of my home network. This is really cool, but how does it work? Simple. When QuickVPN connects to my RV042, the RV042 creates a routing table entry for the IP address of the QuickVPN client, making the "ipsec0" interface (The QuickVPN tunnel) the next hop for the packets. For example, I've got 172.16.99.200/32 in my routing table as I write this. I put \\172.16.99.200 in a Windows Explorer window and presto!...I see the shares.

    This is actually quite simple to do, and I highly recommend that anyone who would like to roll your own DNS server check out Linux as a platform. I'm running Ubuntu Edgy Eft 6.10 with BIND9 DNS server on it. Absolutely free stuff and rock steady! You can look up some information, including useful links and a blog by yours truly, on both these subjects on my hobby website -> www.breezy.ca

    /Eric
    eric_stewart, Jan 29, 2007
    #5

  6. jasonboardman New Member

    Thanks for the reply. If you look at my original message I stated that I have tried to locate the share directly by using the format \\192.168.1.5\sharename with no luck. I have turned off the windows firewall on the machine that houses the shared folder, and on the computer that is trying to access the share. Also, if I try and access the share from a machine that resides on the same LAN (i.e. same side of the tunnel) using \\192.168.1.5\sharename it works! But on the other side of the tunnel- nothing! It seems to me, if it were a permissions/configuration problem within windows, I would have the same problem from another PC on the same LAN as well, which I do not.

    Other info: It has been suggested to me that I set the MTU size manually on both routers to 1300, which I have done but it didn't help.

    Also: I realized that it is possible that LAN1 and LAN2 might have some machines with the same 'name' (albeit different IP addresses)- could this be what's messing it up? The two machines on either end that i'm experimenting with (192.168.1.5 & 192.168.2.5) are named differently, but elsewhere on the LANs there are duplications, i.e. there is a machine called 'linuxbak' at 192.168.1.3 AND 192.168.2.3 but neither of these are being used in our "experiment".

    Any other ideas?
    jasonboardman, Jan 30, 2007
    #6

  7. DocLarge Super Moderator

    Okay,

    I'm thinking this is a microsoft problem. Check your internal DNS and see if any of your records have the wrong names/ip addresses for the host records for both machines. Although netbios and accessing sharenames isn't really at play here, bad host records might add to the confusion.

    Jay
    DocLarge, Jan 31, 2007
    #7

  8. jasonboardman New Member

    Sorry for the delay, and thanks for the responses (much more helpful than anyone at linksys or microsoft have been). We don't use an internal DNS (if I understand properly what that is exactly). I am going to go through the task of renaming all the computers on both LANs to make sure that's not causing this problem... but I really suspect (since I am trying to just access the machines using the IP address) that it won't help. I will post here when I've completed this task. Any further comments/ideas would be welcome in the mean time- including setups/configurations where people have SUCCESSFULLY mapped WinXP shares over a VPN would be great.

    thanks,
    Jason Boardman
    jasonboardman, Feb 9, 2007
    #8

  9. DocLarge Super Moderator

    No problem...

    I've successfully mapped shares between 2 WRV54G's, a wrv54g to a wrv200, wrv54g to an smcbr18vpn, wrv200/wrv54g/wrvs4400n to an rv042; the list is endless :) Many of us do it all the time....

    If you can ping both routers on both sides of the tunnels to include the network nodes, the routers have done their jobs (everyone is "talking"); the chances are that the problem may be a combination of Linux and microsoft so to speak.

    You've stated that you don't run internal DNS servers. Are you running a workgroup (computers not belonging to a common structure)? Name resolution is a staple in any environment to ensure requests are routed properly to the right host. Now, barring not using an active directory structure, using the ip address of a machine to accept incoming connections will suffice provided you have some sort of internal resolution process in place (dns server, wins server); that last statement was of an opionated nature :). Seriously, having an internal DNS structure works in your favor for internal name resolution.

    As far as shares, this is (to me) definitely a microsoft setting issue. If you are in a workgroup structure, you need to make sure that the "same" local group has the "same" user accounts associated with it in order to allow remote access, otherwise, when your remote users try to connect, the computer will not recognize the user. In a domain structure, having a designated group located on each node you want to allow remote access is the way to go. Here's an example:

    --------------------------------------------------------------------------
    ONCE YOU GET CONNECTED:

    Once you’ve made the vpn connection and you want to connect to a shared resource that you have rights to from a remote location, on the "client" (requesting) computer, open up windows explorer and click on "tools," then “map a network drive.” After clicking on that, choose a drive letter and type the ip address of a computer you have rights to on that network. You would type the following: \\192.168.1.10\sharename

    Where you see sharename would be where you would substitute the name of a folder you have share permissions to access (i.e., \\192.168.1.10\vpn). Make sure the proper user accounts and/or group has "share" and "security" access on the drive and the folder you want them to access remotely.

    Before you click finish, click on “connect as different user” because in order to connect, that local machine needs to have a "username and password" created on it so it recognizes who you are. When you click this link, you’ll be asked to type in a username and password that has local access rights on that computer (if in a workgroup) or via a domain user account if active directory is running. Click O.K., then click finish. The shared resource should pop up if the account you’re connecting to has the permissions set properly in the aforementioned places.

    Recap: If you are part of a workgroup, you'll need to create the "same" user account on "each" computer in order to access the machine remotely. If you are part of a domain, make sure that your "domain user account" is part of a "domain group" that each network workstation/server's local group accounts will recognize based on active directories "single sign on" functionality.

    -------------------------------------------------------------------------


    Jay
    DocLarge, Feb 9, 2007
    #9

  10. jasonboardman New Member

    Ah! Thank you for the wealth of information! I am going to start down the road of configuring users and trying this. I haven't set up other users on any of the machines hosting the shares, because I haven't needed to before while on the same LAN, and I just thought that it would work the same way over the VPN.

    For instance, if all the machines on LAN1 are configured as being on the workgroup "WORKGROUP", I can share a folder on PC1 and access it from any other PC on LAN1- without setting up user accounts on PC1 for any of the users trying to access the share and it works fine. I simply go to network places and it's there to be accessed. I assumed that once LAN1 and LAN2 were connected via VPN that we were all essentially on the same LAN and it would work the same way.

    (I just turned on the 'Guest' account on both WinXP machines to see if that took care of the problem and it hasn't)

    Does this make sense? Can you explain to me what the difference is?

    I can't thank you enough. I'm learning volumes from this thread.

    Jason
    jasonboardman, Feb 9, 2007
    #10

  11. vangoogle Guest

    I am having the exact same problem as OP but am using 2 Draytek routers. Have you managed to fix the problem at all? I even have a VOIP phone on network 2 that connects via VPN to commander phone system on network 1 working fine.
    But no file sharing. when using \\192. etc it doesnt even seem to go anywhere??
    Any ideas greatly appreciated.
    vangoogle, Feb 14, 2007
    #11

  12. DocLarge Super Moderator

    You might want to go to dslreports.com and ask this question in the draytek forum...

    Jay
    DocLarge, Feb 14, 2007
    #12

  13. jasonboardman New Member

    #%@$!

    It really seems like this shouldn't be so difficult. I lay before you the results of my most recent experiment: to rule out naming conflicts / linux conflicts / what have you, I had all the PCs on both LANs (including the linux servers) shut down, except two: one XP PC on either LAN. I power cycled the router on both ends. Checked that each PC was named differently and on the same workgroup. Created a user named "jason", with administrator privledges, on both machines. logged in as "jason" on one, tried to map a drive (using the IP address) to the shared folder on the other (clicking log in as different user, supplying "jason" and password) still nothing. It could not locate the shared folder!!! I even tried (using Laplink over the VPN i might add) to map a share going in the other direction with the same result. I had the windows firewall turned off on both machines.

    Could this be an issue with the RVS4000? It doesn't seem like it should be as everything else over the VPN is working great. But I have to, have to, have to access a shared folder for one of the things we must use in our business. what can I do? Any other ideas?

    Jason, the exasperated; nee exhausted.
    jasonboardman, Feb 15, 2007
    #13

  14. jasonboardman New Member

    One other thought. The firmware on both routers is 1.0.11. I noticed the latest version on Linksys' site is 1.0.15. It seems unlikely, but do you think upgrading to the newer firmware version will help??

    Jason
    jasonboardman, Feb 15, 2007
    #14

  15. jppowers14075 New Member

    RVS4000 Firmware v1.0.15 Release Note

    Issues Fixed:

    1. Allowed Winodws Explorer to search computers by Names over gateway-to-gateway IPSec tunnel. Users would need to enable NetBIOS Broadcast in the advanced section of the IPSec VPN page.

    2. Improved the peak UDP throughput to 600Mbps.

    3. Improved the response time of pinging the router.




    But dont count on it, I could not find the "NetBIOS Broadcast in the advanced section of the IPSec VPN page" setting.

    I have this unit on a shelf for other reasons, it REALLY is not ready for prime time.

    Joe Powers
    jppowers14075, Feb 16, 2007
    #15

  16. tony4d New Member

    Looks like the new beta firmware will do the trick:

    http://www.linksysinfo.org/forums/showthread.php?t=51479

    I installed the beta firmware just now. On the "IPSec VPN" tab, if I click the "Advanced +" button at the bottom of the page, there is an option there for "NetBios Broadcast".
    tony4d, Feb 16, 2007
    #16

  17. pablito LI Guru

    I would suggest hiring someone to set up the networks. You'll save yourself hours of head banging and maybe some security issues. I don't know this router but if a VPN is up properly then Win traffic is no different than other traffic. Netbios isn't needed over the VPN to share folders.
    pablito, Feb 16, 2007
    #17

  18. jasonboardman New Member

    I can't believe it. I almost don't believe it. I upgraded both routers' firmware from v1.0.11 to v1.0.15 and now file sharing works. Same settings, same configs, I just don't believe it. (I didn't enable NetBIOS broadcast - and I'm still accessing shares using the IP which is just fine.)

    Thank you everyone for your help!

    I am donating to linksysinfo right now.

    Jason
    jasonboardman, Feb 17, 2007
    #18

  19. ny7fire New Member

    Folder sharing doesn't work wiht firewall turned on (WRVS4400N)

    I use the WRVS4400N (V1.00.15) for setting up VPN. I use the 'VPN Client Accounts' for setting up VPN accounts. And then I connect with the LinkSys VPN Client 1.2.5 from a Windows XP Pro SP2 PC. Everything works great except for accessing shared folders.

    I try to access shared folders on Vista Ultimate PCs. This is with the Windows Firewall turned on. When I turn the firewall off on the Vista PCs (where the shared folders are), I can access the shared folders perfectly.

    Any idea of what I have to configure in the server firewall (on the Vista PCs) to make this work?

    I have turned on File And Printer sharing. Sharing work fine between the Vista PC's with the firewalls turned on. But through VPN I can't make it work with the firewalls turned on.
    ny7fire, Aug 10, 2007
    #19

  20. DocLarge Super Moderator

    You'll need to have the firewall open up and possibly allow ports 500 and 443 through to your computer, as a start.

    If you're on an XP/2003 box, go to start, control panel, windows firewall, and from there you should be able to make the adjustments. If you have any problems, post back :)

    Jay
    DocLarge, Aug 10, 2007
    #20

  21. ny7fire New Member

    Tried to open up TCP ports 443 and 500 on the server side, but file shares are still unavailable. Still when I turn the firewall off, it works perfectly.
    ny7fire, Aug 13, 2007
    #21

  22. DocLarge Super Moderator

    There's no need to open up any ports; the router is already configured by defalut to allow TCP 443 and UDP 500. You're most likely going to need to go into the windows firewall setup and configure settings to "permit" quickvpn through. Right now, your default firewall settings are probably set on default to "deny" certain incoming packets (outside of port 80 internet traffic).

    Jay
    DocLarge, Aug 13, 2007
    #22

  23. ny7fire New Member

    It's not the router firewall I'm talking about, that's fine. The problem is the windows firewall on the server side with the shared folders. The client running the Qucik VPN client software is also fine.

    The problem is therefore the windows firewall on the server connected to the router. When this windows firewall is turned off, everything works perfectly, but when turned on, browsing file shares from the client doesn't work. So something in the windows firewall on the server where the file shares are must be configured. Didn't work opening ports 443 and 500.
    ny7fire, Aug 13, 2007
    #23

  24. ny7fire New Member

    Found the answer:
    Port 445 TCP must be opened up on the server sharing the files.
    TCP port 445 is used for SMB (Server Message Block) over TCP.
    ny7fire, Aug 15, 2007
    #24

Share This Page