 
 From:  "Joe Lagreca" <lagreca at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Windows 2003 domain over VPN MTU issues...
 Date:  Tue, 3 Apr 2007 15:07:33 -0700

I have a point-to-point IPSEC VPN between a Sonicwall and a m0n0wall,
and am having problems with workstations that are joined to the domain
over the VPN.

I found this:  force Kerberos to use TCP instead of UDP in Windows
Server 2003  http://support.microsoft.com/default.aspx?scid=kb;en-us;244474

which helps with the login process, but other things are still giving
me problems, like processing the GPO, which still fails.

I have experimented with ping sizes, and the largest ping that can get
through is 1408.  If I do ping -l 1409 192.168.2.2 it will fail.
However, the problem only seems to be in the direction of m0n0wall to
sonicwall.  If I do a large ping the other way around (sonicwall to
m0n0wall), it will get through.

I think this is an MTU issue, but am not sure how to solve it.  I was
hoping that someone else has already run into this, and has a
solution.

Thanks!

Joe
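
Added example, not part of the message above or of m0n0wall: a binary search for the largest echo payload that crosses the tunnel with the don't-fragment bit set, automating the manual `ping -l` test described in the message. It assumes the Windows or Linux iputils `ping` flags, a 20-byte IPv4 header and a 20-byte TCP header without options, and an 8-byte ICMP header; all function names are hypothetical.

```python
import platform
import subprocess
import sys

IP_HDR = 20    # IPv4 header without options (assumption)
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options (assumption)


def ping_df(host, size):
    """Send one echo request with `size` payload bytes and DF set; True on a reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(size), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(size), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    # Require an echo reply line; the exit code alone is not reliable on Windows.
    return out.returncode == 0 and "ttl=" in out.stdout.lower()


def largest_payload(probe, lo=0, hi=1472):
    """Largest size in [lo, hi] for which probe(size) is True, or None.

    Assumes every size up to the limit passes and every larger size fails.
    hi=1472 is the payload that fills a 1500-byte Ethernet MTU.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def summarize(payload):
    """Convert the largest passing payload into path MTU and matching TCP MSS."""
    mtu = payload + IP_HDR + ICMP_HDR
    return {"payload": payload, "path_mtu": mtu, "tcp_mss": mtu - IP_HDR - TCP_HDR}


if __name__ == "__main__":
    host = sys.argv[1]  # a host on the far side of the tunnel
    best = largest_payload(lambda size: ping_df(host, size))
    print(summarize(best) if best is not None else "no reply even at the smallest size")
```

Run it from a host on each side of the VPN, since the message reports the size limit in one direction only.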