Triune
20-02-2004, 09:52 PM
For those interested in setting up a VPN (virtual private network) over MyWireless, read on. This is quite technical, and long.
I spent the last couple of days fighting with my VPN software (SecuRemote from CheckPoint). Initially everything went smoothly. I set up the VPN client, created the secure site, authenticated myself and connected to the target machine. However, once the connection was established I started running into problems. I noticed that the modem transmitted and received data for a few seconds, then stopped receiving anything, and then whichever application I was using would time out.
After noticing some "virtual defragmentation errors" in a log file, and doing some research, I discovered that the default TCP maximum transmission unit (MTU) was most likely too large, thereby causing packet fragmentation, which in turn causes problems with the delivery of the encrypted VPN packets back to me.
So the first thing I needed to do was find out what the maximum size was that would not be fragmented. I used ping to get a value that would work, like so:
ping -l 1500 -f -n 10 [secureIPaddress]
This instructs ping to use 1500 bytes, not allow fragmenting and to send 10 packets to the specified IP address over the VPN. On my machine, running Windows XP Home, this failed as it needed to fragment the packet. I kept reducing the packet size until I got stable pings without any loss. I ended up with 1300, which is a lot lower than the size recommended to me for VPN (1430) - rather be conservative.
I then proceeded to change the MTU on each of the network interfaces in my registry to 1300, then rebooted. This still did not work, however. So after spending a lot of time browsing broadband forums, I happened to download a little utility called DrTCP, which you can download from: http://www.dslreports.com/drtcp
I noticed that all the MTU values were set to the 1300 that I had manually set up, except for a setting listed as Dial Up (RAS) MTU (which I have no idea where to set in the registry). This one still had the default value of 1452 or something like that. I set the values to the following on each adapter listed, and clicked save.
Window Scaling: Yes
Time stamping: No
Selective Acks: Default
Dial Up (RAS) MTU: 1300
Path MTU Discovery: Default
Black Hole Detection: Default
TTL: 128
After rebooting, voila, my VPN connections started working properly. So, I am pretty sure it was that Dial Up (RAS) MTU setting, but Path MTU Discovery, Black Hole detection and TTL all had different values. The TTL value was messed up, way too high.
Hope this saves someone some time.
Ciao.
.--- . ... ..- ... / .-.. --- ...- . ... / -.-- --- ..-
Ro:10:9 - If you confess with your mouth, "Jesus is Lord", and believe in your heart that God raised Him from the dead, you will be saved.
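The procedure in the post above (shrink the ping payload until a don't-fragment ping stops failing, then set the interface MTU accordingly), as an added example that is not part of the original post and not Triune's code. It goes beyond the post in two ways: it binary-searches the largest payload instead of stepping the size down by hand, and it derives the MTU from the payload rather than using the payload value directly, because `ping -l N` sets the ICMP data size and the IP packet that must fit the path is N plus 20 bytes of IPv4 header plus 8 bytes of ICMP header (so the post's 1300-byte payload corresponds to a 1328-byte MTU, and 1300 as the MTU is conservative by 28 bytes). The Windows command uses the same `-l`/`-f` flags as the post; the Linux form uses `-s` and `-M do`. The host name, the 1472 upper bound (Ethernet 1500 minus the 28 header bytes) and the simulated path MTU used for offline runs are assumptions.

```python
"""Find the largest ping payload that crosses a path without fragmentation,
then derive the IP MTU and TCP MSS from it.

Added example; assumes a reachable host and that the local ping supports the
don't-fragment flags used below.
"""
import platform
import subprocess

IPV4_HEADER = 20   # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo request/reply header
TCP_HEADER = 20    # TCP header without options


def ping_command(payload, host, count=3):
    """Build a don't-fragment ping for the local OS.

    Windows: ping -n <count> -l <payload> -f <host>   (as in the post)
    Linux:   ping -c <count> -s <payload> -M do <host>
    """
    if platform.system() == "Windows":
        return ["ping", "-n", str(count), "-l", str(payload), "-f", host]
    return ["ping", "-c", str(count), "-s", str(payload), "-M", "do", host]


def real_probe(host, count=3):
    """Return probe(payload) -> True only if every DF ping got a reply.

    Both Windows ("TTL=") and Linux ("ttl=") print one ttl field per reply,
    so counting them counts the replies; this mirrors the post's demand for
    stable pings with no loss rather than a single lucky reply.
    """
    def probe(payload):
        try:
            r = subprocess.run(ping_command(payload, host, count),
                               capture_output=True, timeout=30)
        except subprocess.TimeoutExpired:
            return False
        return r.stdout.lower().count(b"ttl=") == count
    return probe


def simulated_probe(path_mtu):
    """Constructed stand-in for ping for offline use: a DF probe succeeds
    iff the whole IP packet (payload + 28) fits the assumed path MTU."""
    return lambda payload: mtu_from_payload(payload) <= path_mtu


def largest_unfragmented_payload(probe, low=0, high=1472):
    """Binary search for the largest payload probe() accepts.

    low must succeed (otherwise the path is down or filtering ICMP, and an
    MTU change will not help); high is the Ethernet maximum 1500 - 28.
    """
    if not probe(low):
        raise RuntimeError("smallest probe failed: check reachability / ICMP filtering")
    if probe(high):
        return high
    while high - low > 1:          # invariant: probe(low) ok, probe(high) fails
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def mtu_from_payload(payload):
    """IP MTU that carries a ping of this payload without fragmentation."""
    return payload + IPV4_HEADER + ICMP_HEADER


def mss_from_mtu(mtu):
    """TCP MSS that fits one segment into that MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def recommend(probe):
    """Run the search and return (payload, mtu, mss) to configure."""
    payload = largest_unfragmented_payload(probe)
    mtu = mtu_from_payload(payload)
    return payload, mtu, mss_from_mtu(mtu)


if __name__ == "__main__":
    # Offline demonstration against an assumed 1328-byte path (the post's 1300 payload).
    print(recommend(simulated_probe(1328)))
    # Against a real VPN peer (assumed host name), run instead:
    # print(recommend(real_probe("vpn-gateway.example")))
```

On Windows XP the per-interface value the post edited lives under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>\MTU (a DWORD in bytes); set it to the `mtu` the script returns, not the raw payload, unless you deliberately want the extra 28 bytes of margin.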