client VPN disconnects samba shares

Christopher R. Hertel crh at ubiqx.mn.org
Sat Mar 15 20:54:54 GMT 2003


Please do not cross-post to both Samba and Samba-Technical.  These lists are
for different purposes.

Pat Schlehuber wrote:
> 
> I am running Samba 2.2.7a in domain mode .. all is great.
> 
> I have an XP user on my local network that connects to samba as a domain
> user - so far so good.
> 
> This user also has a Cisco VPN client for connecting over the internet
> to another application at a service bureau. When the VPN client is
> activated, all traffic from this machine is only forwarding network
> traffic over the VPN pipe. Obviously, this causes a problem with my Samba
> shares as they are no longer available. When the VPN client is shut down
> all is well again.

Normal behavior for the Cisco VPN product.  So what's the problem?

> The VPN configuration is provided by the service bureau so I have no
> control over its configuration.

Yep.  Now, if they'd just allow Split Tunneling or let you exclude the local
LAN from the VPN you'd be okay.

> My local network is DHCP controlled using 192.168.0.*/24 and the VPN
> pipe is connected to a public address over the internet connection. I
> am using WINS on the Samba server, but I still cannot ping anything on
> my local network.

The Cisco VPN client acts as a shim.  It sits between your IP stack and the
"real" interface and examines packets.  If Split Tunneling is enabled, then
the VPN client does a limited form of routing.  Packets meant to go over the
VPN tunnel will be encrypted and sent through the tunnel, and others will be
dropped through to the "real" interface.  Split tunneling is
server-controlled.  The other option is to set the "Exclude Local Network"
(or similar) option on the client side.  That will ensure that packets for
the local IP LAN will drop through to the "real" interface.

If you don't have any configuration control, then you cannot do either of
these things and *all* traffic normally out-bound through that interface
will be captured by the shim and redirected to the VPN server via the
tunnel.

> I may be answering my own question, but do I need to get the service
> bureau to supply me with a VPN configuration that places everything over
> the VPN Pipe except for 192.168.0.* addresses?

Unless you can change the client configuration yourself, yes.

> Any thoughts?

This really isn't a Samba-Technical question.

Chris -)-----

-- 
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
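
The shim behaviour described in the message above, as an added example that is not part of the original post and is not Cisco's code: a simplified model of the per-packet decision under the three configurations discussed. The Samba server address 192.168.0.10 and the service-bureau network 203.0.113.0/24 are constructed values; only 192.168.0.0/24 comes from the thread.

```python
import ipaddress

LOCAL_LAN = "192.168.0.0/24"        # from the thread
SAMBA_SERVER = "192.168.0.10"       # constructed sample address
BUREAU_NET = "203.0.113.0/24"       # constructed (documentation range)


def shim_decision(dst, local_lan, split_tunnel_nets=None, exclude_local_lan=False):
    """Model where the VPN shim sends one outbound packet.

    split_tunnel_nets: networks the VPN server marks for the tunnel;
                       None means the server has not enabled split tunneling.
    exclude_local_lan: the client-side "Exclude Local Network" style option.
    Returns "tunnel" or "real-interface".
    """
    addr = ipaddress.ip_address(dst)
    lan = ipaddress.ip_network(local_lan)

    # Client-side exclusion: local-LAN packets drop through untouched.
    if exclude_local_lan and addr in lan:
        return "real-interface"

    # Server-controlled split tunneling: only listed networks are tunnelled.
    if split_tunnel_nets is not None:
        nets = [ipaddress.ip_network(n) for n in split_tunnel_nets]
        return "tunnel" if any(addr in n for n in nets) else "real-interface"

    # No configuration control: all outbound traffic is captured by the shim.
    return "tunnel"


def samba_path_by_policy():
    """Where packets for the Samba server go under each configuration."""
    return {
        "full tunnel": shim_decision(SAMBA_SERVER, LOCAL_LAN),
        "split tunneling": shim_decision(
            SAMBA_SERVER, LOCAL_LAN, split_tunnel_nets=[BUREAU_NET]),
        "exclude local LAN": shim_decision(
            SAMBA_SERVER, LOCAL_LAN, exclude_local_lan=True),
    }


if __name__ == "__main__":
    for policy, path in samba_path_by_policy().items():
        print(f"{policy:18s} -> {path}")
```
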

