[ previous ] [ next ] [ threads ]
 
 From:  Mat Murdock <mmurdock underscore lists at kimballequipment dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ping Size Windows GPO
 Date:  Sun, 03 Jul 2005 22:17:16 -0600
Chris Buechler wrote:

>On 7/2/05, Tommaso Di Donato <tommaso dot didonato at gmail dot com> wrote:
>  
>
>>Are you sure that this is _not_ the right way to be?? Have you tried to use
>>"Active directory Site and Link" and set up the properties of the other
>>side? I never tried, nut I am quite sure that between different sites MS
>>does not sent a so big ping....
>>
>>    
>>
>
>AD sites are only for DC replication purposes, and to help users find
>the closest DC.  Since I presume there is no DC on the other end of
>this connection, that won't help.
>
>Path MTU Discovery (PMTUD) and passing fragmented packets are two
>different things.  Since racoon seems to not do PMTUD properly,
>reducing the MTU fixes problems with packets that are oversized.  ICMP
>doesn't have the DF (don't frag) bit set by default, so even if PMTUD
>did work properly, it wouldn't matter.  In contrast, TCP and UDP
>packets originating from a host with PMTUD enabled (basically
>everything by default) will have the DF bit set and seem to just be
>dropped if they're too big to traverse the VPN.  Hence reducing MTU
>works for TCP and UDP.
>
>The ICMP is getting fragmented, so reducing the MTU might help because
>the first frag might be 1500 bytes, and then too big to go across the
>VPN once you add IPsec.  But my XP box sends 2000 byte pings as a 1314
>and 762 byte packets, both to the LAN (which respond), across a Cisco
>client VPN connection (which respond), and to destinations across a
>m0n0wall site to site VPN (which don't respond).  So if your system is
>doing the same, reducing the MTU will have no effect.
>
>Basically fragmented packets don't make it for some reason, and it
>doesn't appear to be firewall-rule related (nothing in the logs
>getting dropped, it shows it passed, and I'm logging everything passed
>or dropped, and permitting frags).
>
>I'm going to chalk this up to a racoon limitation, unless somebody
>knows better.  The solution would be to disable slow link detection,
>as described later in the thread the original poster quoted.  Not a
>great solution, but it'll work.
>
>http://lists.virus.org/ntbugtraq-0310/msg00008.html
>
>-Chris
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>  
>
It's a awful solution to fix the problem because you have to edit the 
registry for the local machine but also the current user registry.  So 
if you have more then one user on a machine you have to edit part of the 
registry for each user.

Mat