Interesting... did you find the checksum problem through packet sniffing on
I just received a mail from the MPD-list that confirms that 2003/XP uses
fixed a MTU of 1400 for VPN-connections:
"Microsoft Windows Server 2003, Microsoft Windows 2000, and Microsoft
Windows XP use a fixed MTU size of 1500 bytes for all PPP connections and
use a fixed MTU size of 1400 bytes for all VPN connections. This is the
default setting for PPP clients, for VPN clients, for PPP servers, or for
VPN servers that are running Routing and Remote Access."
(More on this link: support.microsoft.com/default.aspx?scid=kb;en-us;826159)
It seems to me that the easiest way is to "fix" MPD - even if it's not
Getting MS to fix anything is probably not easy at all.
Anyway, Michael Bretterklieber who is also an admin on the MPD project has
responded positively to my latter posts.
I will send him IPFILTER/Ethereal logs from m0n0wall/PPTP-client ASAP and he
will test the NdisWan MTU-setting on XP today himself and get back to me.
So there might be light at the end of the tunnel ;o)
From: Manuel Kasper [mailto:mk at neon1 dot net]
Sent: 1. april 2004 12:03
To: Martin Holst
Subject: RE: [m0n0wall] Re: Beta version 1.1b1 available
On 01.04.2004 11:54 +0200 Martin Holst wrote:
> 2: On his WinXP the "ProtocolMTU" is not set by default - that
> might mean that my theory is wrong and XP actually DOES use PMTUD
> on the NdisWAN-interface (and simply does it wrong).
FYI - it appears that ipnat renders the ICMP need frag messages that
m0n0wall sends out (and which PMTUD uses) invalid (checksum error),
so that might explain why PMTUD seems to work if you access e.g.
hosts on LAN (no NAT) via the PPTP tunnel, while you cannot access
WAN via PPTP. In any case, we'd better not rely on PMTUD, as many
Internet hosts block ICMP messages, in which case it would fail
anyway. It's better to get the MSS right in the first place - now how
do we convince XP to use the proper one without having to do any