tcianflone asked:

ZyXel USG50 VPN File Sharing Problem

This is a follow-up to this question:
https://www.experts-exchange.com/questions/28062522/ZyXel-USG50-VPN-Questions.html

So, the ZyXel folks helped me get this working. I have the USG set as a VPN Server and it's using L2TP to connect the Windows 7 clients. Something I wasn't expecting: using it this way, when the remote clients connect, they lose Internet connectivity. To fix that, they created a trunk so that the remote clients keep Internet connectivity THROUGH the remote system while the VPN is connected.

At this point, the tunnel is staying up and passing traffic; for example, I can PING the server on the main system from the remote clients, I can connect to the IIS default web page that is running on the server. But what I CANNOT do is access any of the server shares, files, etc. Doing a \\servername\share name or a \\192.168.1.200\share name results in a network path not found. Here is the response from ZyXel level 2 support:

I looked over your USG50 configuration and there is nothing configured incorrectly. I can see we are able to pass multiple types of traffic over the VPN which if there were any issues with its configuration, we would not be able to pass any traffic over it. We can also see from the packet captures that the samba traffic is passing through the VPN and being sent to the server at 192.168.1.200. But the server never responds to that traffic. This shows us that there is a configuration issue with that particular application on the server. I would recommend checking the server's firewall settings for port 445.

While we were testing, I disabled Symantec Endpoint Protection, which also is controlling Windows Firewall, but that didn't help. I'm not sure that disabling SEP actually drops the firewall either. I can't think of anything else on this Server 2003 R2 machine that could prevent file sharing traffic. Any ideas on where to start?

Rob Williams

Generally, when you enable a service, the Windows firewall automatically configures an exception; however, that exception only allows access from the local LAN or domain. Most often you have to disable the firewall or, better still, add the remote subnet (used by VPN clients) to the exception. This does sound more like a firewall issue than a VPN problem.

tcianflone (ASKER)

I suppose I'd have to make this entry in the Symantec SEP firewall? The local subnet is 192.168.1.x; the VPN clients get addresses in the 192.168.20.x subnet. Can you give me some guidance on what this exception/rule would look like? Seems like I would need to open all traffic between those two subnets? Any help appreciated.
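
Rob Williams's suggestion of adding the VPN subnet to the exception, sketched for the built-in Windows Firewall on Server 2003 R2 (an added example, not part of the original thread). It assumes Windows Firewall is the filter actually in effect and that both networks are /24; if the Symantec SEP firewall is doing the filtering, the equivalent rule has to be created in the SEP policy instead.

```bat
@echo off
rem Added example for the legacy "netsh firewall" context on Server 2003 R2.
rem Assumption: 192.168.1.x and 192.168.20.x from the thread are both /24 networks.
set LAN=192.168.1.0/255.255.255.0
set VPN=192.168.20.0/255.255.255.0

rem Before: show which profile is active and the current exception configuration.
netsh firewall show state
netsh firewall show service

rem Re-scope the built-in File and Printer Sharing exception
rem (TCP 139/445, UDP 137/138) to the LAN plus the VPN client pool,
rem rather than disabling the firewall or opening 445 to all sources.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%LAN%,%VPN% profile=ALL

rem After: list the exceptions again and confirm the server is listening on 445.
netsh firewall show service
netstat -an | find ":445"
```

Run it from a command prompt on the file server, then retry \\192.168.1.200\share name from a connected VPN client.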

ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.

Well, I've gone a completely separate way with this install, so I am closing this question.