 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  "Joe Lagreca" <lagreca at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Windows 2003 domain over VPN MTU issues...
 Date:  Tue, 3 Apr 2007 23:28:36 +0100

If you have one of the later 1.2x versions there is an option in the 
Advanced System Config to allow fragmented packets from IPSEC connections. 
This will apply to inbound connections from the SonicWall.

You also need to ensure that any outbound rules have the tickbox to allow 
fragmented packets too. This will apply to outbound connections from the 
m0n0wall to the SonicWall.


----- Original Message ----- 
From: "Joe Lagreca" <lagreca at gmail dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, April 03, 2007 11:07 PM
Subject: [m0n0wall] Windows 2003 domain over VPN MTU issues...

> I have a point to point IPSEC VPN between a Sonicwall and a m0n0wall,
> and am having problems with workstations that are joined to the domain
> over the VPN.
> I found this:  force Kerberos to use TCP instead of UDP in Windows
> Server 2003 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
> which helps with the login process, but other things are still giving
> me problems, like processing the GPO, which still fails.
> I have experimented with ping sizes, and the largest ping that can get
> through is 1408.  If I do ping -l 1409 it will fail.
> However, the problem only seems to be in the direction of m0n0wall to
> sonicwall.  If I do a large ping the other way around (sonicwall to
> m0n0wall), it will get through.
> I think this is an MTU issue, but am not sure how to solve it.  I was
> hoping that someone else has already run into this, and has a
> solution.
> Thanks!
> Joe
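
Added example, not part of the original thread: a small Python model of why the ping boundary sits at 1408/1409 and why allowing fragments changes the outcome. It assumes IPv4 without options and that the failure is a filter dropping fragments, as the reply suggests; the function names are hypothetical.

```python
# Added illustration: IPv4 fragmentation of ICMP echo across a tunnel.
# Assumptions: 20-byte IPv4 header (no options), 8-byte ICMP echo header.
IP_HEADER = 20
ICMP_HEADER = 8   # a UDP header is also 8 bytes, so UDP Kerberos sizes work the same way

def effective_mtu(largest_ping_payload):
    """Largest unfragmented IPv4 packet implied by the biggest ping that passes."""
    return largest_ping_payload + ICMP_HEADER + IP_HEADER

def fragment(ping_payload, mtu):
    """Return (offset, data_len, more_fragments) for each IPv4 fragment."""
    remaining = ping_payload + ICMP_HEADER       # bytes carried after the IP header
    per_fragment = (mtu - IP_HEADER) // 8 * 8    # non-final fragments carry multiples of 8
    fragments, offset = [], 0
    while remaining > 0:
        last = remaining <= mtu - IP_HEADER      # the rest fits in one packet
        size = remaining if last else per_fragment
        fragments.append((offset, size, not last))
        offset += size
        remaining -= size
    return fragments

def delivered(ping_payload, mtu, allow_fragments):
    """A filter that drops fragments loses every datagram needing more than one packet."""
    return allow_fragments or len(fragment(ping_payload, mtu)) == 1

if __name__ == "__main__":
    mtu = effective_mtu(1408)                    # 1408 is the figure reported in the thread
    print("effective MTU through the tunnel:", mtu)
    for size in (1408, 1409):
        print(size, fragment(size, mtu),
              "fragments dropped:", delivered(size, mtu, False),
              "fragments allowed:", delivered(size, mtu, True))
```
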