File Sharing over IPsec with RV220W

leif.gregory
Level 1

Hello all,

Ultimately, the issue is that I have two RV220Ws with an IPsec VPN tunnel between them that appears to be up but that I can't seem to get folder sharing going over. Here's the background.

I originally had two Netgear FVS318s set up with a VPN tunnel and everything worked as expected. I could connect to the server at the office from a machine at home and browse the files and more importantly do nightly backups of files that had changed at the office over the VPN to the house. The problem with the FVS318s was that for wireless I had to have another device and that the WAN to LAN throughput was something like 7Mbps. Kind of limiting when you consistently get 22Mbps from the ISP.

So, I bought two Cisco RV220Ws to replace them with. I started by replacing the one at home and was able to get it going with the FVS318 at the office. The VPN was stable and I had no problem browsing the files on the server as I had already been doing. A couple weeks later I replaced the FVS318 at the office with the other RV220W and the VPN came up fine but I lost all ability to file share between the two sites. I've watched the phase 1 and 2 negotiations and they look good from both ends. Looking at the IPsec Connection Status shows IPsec SA Established. I know that the tunnel is there because I can ping various machines at the other site from either end. I've tried just about everything I can think of but I just can not get file sharing going. The other issue is that while I can ping each of the RV220Ws from either end, when I try to hit the distant end's management console through a web browser, I get the initial SSL certificate warning that I click proceed on and then it just sits there spinning trying to load the management console on the distant RV220W. With the FVS318s I could hit the distant end management consoles via browser. So, here's more detail.

Site: Home

Subnet: 192.168.1.x

Comcast Business Class Internet with a static IP

Site: Office

Subnet: 10.2.10.x

Comcast Business Class Internet with a static IP

I know the difference between my static (inbound IP) and my gateway (outbound IP)

I tried creating firewall access rules by defining services as follows:

FS-TCP: 135 - 139 TCP

FS-UDP: 135 - 139 UDP

SMB-TCP: 445 TCP

SMB-UDP: 445 UDP

Then the firewall access rules as follows (I'll just give a couple examples so you'll get the gist)

Connection type: Inbound (WAN(Internet) > LAN (local network))

Action: Always allow

Service: SMB-TCP

Source IP: Single IP

Start: xxx.xxx.xxx.xxx (this is the gateway IP of the distant end at home)

Send to Local Server (DNAT IP): 10.2.10.x (the static IP of the server)

When that wasn't working, I created another set of rules for the internal IPs of the distant end as follows:

Connection type: Inbound (WAN(Internet) > LAN (local network))

Action: Always allow

Service: SMB-TCP

Source IP: Address Range

Start: 192.168.1.1

Finish: 192.168.1.254

Send to Local Server (DNAT IP): 10.2.10.x (the static IP of the server)

I also enabled Remote Management of the RV220W as:

Access Type: Single IP address

IP Address: xxx.xxx.xxx.xxx (gateway IP of the distant end at home)

Port 443

When that didn't work, I created two additional firewall rules for port 443 for the home gateway IP and the internal 192.168.1.x IPs. Still no go.

So this is where I'm stuck. In the FVS318s I did not have to create any firewall rules for the VPN traffic. I started off with no rules for the RV220W because I didn't expect it'd need them and then I began adding the firewall rules in order to troubleshoot. Here's the funny thing. If I drop the FVS318 back into place at the office site, it all works as expected.

So where do I go from here guys? About the only thing I haven't done is burn down the VPN tunnel in the RV220Ws and I haven't done that because I can ping hosts on either end and if I drop the FVS318 back into place it works fine. I'm totally stumped and would sincerely appreciate any assistance anyone could provide. If you need additional configuration information, I can provide that.

Thanks.

4 Replies

rmanthey
Level 4

Hello Leif,

Have either of the IP subnets changed from the old router to the new?

Are you using the IP address to map, or the DNS or NetBIOS name?

Can you ping the file server through the tunnel? By IP? By DNS name? By NetBIOS name?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Thanks for answering, I was beginning to worry nobody had any idea how to help.

The IP subnets did not change on either end.

I am using the IP address to map. Critical machines are either static IP or reserved in DHCP and are all in the IP range of the VPN Policy.

I can ping distant end machines in both directions by IP through the tunnel but I cannot ping by hostname. I do not have NetBIOS enabled on the VPN policy. I'm using OpenDNS on both sides, so when I try to ping the hostname of the server I get the opendns.com IP back because it couldn't resolve the IP of the hostname during the lookup.

Sorry for the delay in replying. Unfortunately, one end is at home, the other at my wife's business. During the day, I'm at work on the other side of town from both.
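The reply above separates two things worth testing independently: whether the SMB ports (not just ICMP) are reachable across the tunnel, and whether a hostname lookup returns an address inside the VPN policy ranges or an unrelated address substituted by the resolver. The following is an added diagnostic script, not from the original thread; the subnets match the post, while the server address and hostname are constructed placeholders.

```python
"""Check SMB port reachability and DNS answers against the VPN policy ranges."""
import ipaddress
import socket

# Ports from the FS-TCP / SMB-TCP services defined in the original post.
FILE_SHARING_PORTS = (135, 139, 445)


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes; refused or timed out -> False.

    ICMP echo succeeding while this fails points at a filter or policy
    problem on the SMB ports rather than at the tunnel itself."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_file_sharing(server_ip: str, ports=FILE_SHARING_PORTS) -> dict:
    """Probe each RPC/NetBIOS/SMB port on the remote file server: {port: bool}."""
    return {port: tcp_reachable(server_ip, port) for port in ports}


def classify_lookup(answers, vpn_subnets) -> str:
    """Classify resolved addresses for a hostname against the tunnelled subnets.

    'in-vpn-range'  : at least one answer lies inside a VPN policy subnet
    'outside-range' : answers exist but none are tunnelled, e.g. a public
                      resolver substituting its own IP for an unknown name
    'no-answer'     : the name did not resolve at all"""
    nets = [ipaddress.ip_network(n) for n in vpn_subnets]
    addrs = [ipaddress.ip_address(a) for a in answers]
    if not addrs:
        return "no-answer"
    if any(a in net for a in addrs for net in nets):
        return "in-vpn-range"
    return "outside-range"


def resolve(hostname: str) -> list:
    """Resolve hostname with the host's configured resolver; [] on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    vpn_subnets = ("192.168.1.0/24", "10.2.10.0/24")  # ranges from the post
    server_ip = "10.2.10.5"  # constructed placeholder for the office server
    print("tcp ports:", probe_file_sharing(server_ip))
    print("lookup:", classify_lookup(resolve("fileserver"), vpn_subnets))
```

A hostname that classifies as "outside-range" is the resolver-substitution case described above; mapping by IP, or adding a local hosts entry, sidesteps it.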

Hello Leif,

It sounds like the Windows firewall is blocking file sharing to the remote site. Here is a site that has a good explanation and steps to resolve.

Here is the URL:

https://qualysguard.qualys.com/qwebhelp/fo_help/authentication/windows_target_host_win7.htm

hope this helps.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

That was one of the things I checked while troubleshooting this, but no, it doesn't appear to be the host firewall. In my first post I mentioned that if I drop the Netgear FVS318 back into place on the office site, everything works just fine. This is with the RV220W still in place at the home site. So it's got to be a configuration problem in the RV220Ws that I'm missing.
