vectro@vectro.org
2006-Mar-12 03:10 UTC
[Samba] Windows XP client over IPSEC VPN -- No browsing, limited file access.
Hello all,

I have a problem with browsing and share access over an IPSEC VPN. Details follow.

The network has the following configuration:

There are two local networks, 172.16.57.0/24 and 172.16.59.0/24. The networks are connected over the internet by Cisco routers providing an IPSEC VPN. The VPNs are configured to route all traffic (all IP types, all ports, except broadcast and ICMP redirects) destined for the other network over the VPN. IP connectivity seems great.

There is a samba server (CAESAR) located on the 57.0 subnet. It is configured with the following relevant directives:

    wins server = yes
    dns proxy = no
    name resolve order = wins lmhosts bcast host
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 70
    workgroup = WORKGROUP

It runs Linux 2.6.8 and Samba 3.0.14a-3sarge, from Debian Sarge.

There are some other Windows machines of various vintages also located on the 57.0 subnet. They can browse to and access shares on CAESAR with no problem.

There is a Windows XP machine (LAPTOP) located on the 58.0 subnet. At this time, it is the only SMB client on that subnet. That machine is configured with CAESAR as a WINS server.

I have two distinct problems with LAPTOP:

1) Network browsing doesn't work. Navigating to "Entire Network" / "Microsoft Windows Network" / "WORKGROUP", I see only HP. No error, but no other hosts either.

2) Accessing file shares on CAESAR (by typing "\\CAESAR" in the location bar) only works with very small directories and files. A folder with only a few files in it, or a file of only a few bytes, works fine. Browsing to large folders (which can actually mean as few as 30 files), Windows Explorer pauses, with an hourglass or flashlight, and eventually presents the message (for the share "extra"):

"\\caesar\extra is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The specified network name is no longer available."

I have disabled the XP Webclient and the Task Scheduler, to no effect. I'm at a loss for what else to try, however.

CAESAR's full config file is available upon request.

Cheers,

--Ian
Thomas Limoncelli
2006-Mar-12 07:06 UTC
[Samba] Windows XP client over IPSEC VPN -- No browsing, limited file access.
vectro@vectro.org wrote:
> I have a problem with browsing and share access over an IPSEC VPN. Details
> follow.
[...]
> 2) Accessing file shares on CAESAR (by typing "\\CAESAR" in the location bar)
> only works with very small directories and files.

Sounds as if Path MTU discovery is not working for you, so large packets don't pass your VPN. You might want to have a look with Ethereal and check your VPN configuration and packet filters.

-TL
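One way to test the Path MTU theory from the reply above, added here as an example and not part of either poster's message: binary-search the largest ICMP echo payload that crosses the VPN with the Don't Fragment bit set. It assumes a Linux host with iputils ping (for instance the Samba server itself); the function names `probe` and `find_pmtu` are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux iputils ping:
#   -M do  set Don't Fragment and forbid local fragmentation
#   -s N   ICMP payload size in bytes
#   -c 1   send one probe, -W 2 wait at most 2 seconds for the reply

# probe SIZE HOST: succeed if an unfragmented echo of SIZE bytes is answered.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]
# Binary-search the largest payload between LOW and HIGH that gets through,
# then print the matching IPv4 path MTU (payload + 20 IP + 8 ICMP bytes).
# Returns 1 if even the smallest probe fails (host down or ICMP filtered).
find_pmtu() {
    host=$1
    low=${2:-0}
    high=${3:-1472}          # 1472 + 28 = 1500, the Ethernet MTU
    probe "$low" "$host" || return 1
    while [ "$low" -lt "$high" ]; do
        mid=$(( (low + high + 1) / 2 ))
        if probe "$mid" "$host"; then
            low=$mid         # mid fits, search above it
        else
            high=$(( mid - 1 ))   # mid is too big, search below it
        fi
    done
    echo $(( low + 28 ))
}

# Stand-alone use: sh pmtu.sh <address of a host on the far subnet>
if [ "$#" -gt 0 ]; then
    find_pmtu "$@"
fi
```

A result below 1500 gives the size above which packets need working Path MTU discovery to cross the tunnel, which is the range to look at in the packet capture and in the ICMP rules of the packet filters.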