
RaptorMobile VPN problem using ADSL Line

Status
Not open for further replies.

jpf

ISP
Nov 19, 2001
1
CH
I have a customer who has a remote VPN client, "RaptorMobile 6.5.3", to establish a VPN connection to its office (running a firewall: "Symantec Enterprise Firewall 6.5").
At the office, he has an internal WebServer behind the firewall with a private IP address.

If he uses an ISDN or analog dial-up connection to the Service Provider, then everything works perfectly regarding the connectivity to this server (http and ftp access).

RmVpnClient -> Dial-Up Connection -> Internet -> Symantec Firewall -> WebServer

If he uses an ADSL Line with a Zyxel ADSL Router or Modem and establishes a PPPoE session to the Service Provider, then he gets problems with the http and ftp connection to the web server.

RmVpnClient -> ADSL connection -> Internet -> Symantec Firewall -> WebServer

Does anyone have a clue about what might be the problem? If so, let me know.

Thanks,

JPF
 
It is the max MTU setting on the remote PC. The Raptor Mobile client sends a datagram via Ethernet to the xDSL router. The frame size is based upon the standard Ethernet MTU size of 1500. PPPoE has a different MTU size. PPPoE has an MTU frame size of 1492. The Raptor Mobile client can connect the tunnel without any difficulty because the SA negotiation falls under the 1492 MTU restriction.

Once connected, the RM client may be able to ping internal machines and get an echo reply; the ICMP packets also fall under the 1492 MTU restriction. When the RM client sends a request that consists of a larger packet size, it gets different results. The Raptor Mobile client sends datagrams via Ethernet to the xDSL router. The frame size is based upon the standard Ethernet MTU size of 1500. When the packet gets to the intermediary device, the router, it attempts to break the packet in two so that it will be able to comply with the PPPoE frame restriction of 1492. Raptor Mobile by default does not allow its packets to be fragmented. Since Raptor Mobile will not allow packets to be broken into two without special configuration, the packet is never sent beyond the PPPoE device.

From the RM client's perspective, it looks as though the action is timing out. No packets can be observed in the firewall log since the packets are not making it to the firewall.

There is a current workaround for this problem. In order to pass IPsec traffic over the line when PPPoE is being utilized, an additional key will have to be added to the registry.

For Win 98 you would do the following:

1. Go to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans
2. Add:
000n (Where "000n" is your TCP/IP protocol. It contains "TCP/IP" assigned to the "DriverDesc" value. "n" can be any number from 0 to 9) MaxMTU="1400"

For WinNT you would do the following:
1. Go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\Parameters\Tcpip
2. Add: MTU="1400" (DWORD decimal var, Range 68 - . Values larger than the default for the underlying network will result in the transport using the network default MTU)

For Win 2K you would do the following:
1. Go to:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
2. Add: MTU="1400" (DWORD, valid range is from 68 to ).

If the value of 1400 MTU does not pass traffic, try changing the value to 1350.
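
The failure described in the answer above (small packets pass, full-size packets with Don't Fragment set vanish at the PPPoE hop and look like timeouts) can be measured rather than guessed at. The following is an added example, not part of the original post: the function names are hypothetical, the simulated path is constructed from the 1500 and 1492 figures in the thread, and the live probe assumes the Windows `ping` flags `-f` (Don't Fragment) and `-l` (payload size).

```python
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def largest_passing_packet(probe, low=68, high=1500):
    """Binary-search the largest IP packet size for which probe(size) is True.

    probe(size) must send one packet of `size` bytes with Don't Fragment set
    and return True only if a reply came back. Returns None if even the
    smallest size (`low`) gets no reply.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, search upwards
        else:
            high = mid - 1   # mid was dropped, search downwards
    return low


def windows_ping_probe(host):
    """Live probe using Windows ping; a reply line contains 'TTL='."""
    def probe(size):
        payload = str(size - IP_ICMP_HEADERS)
        out = subprocess.run(
            ["ping", "-n", "1", "-w", "1000", "-f", "-l", payload, host],
            capture_output=True, text=True).stdout
        return "TTL=" in out
    return probe


def simulated_probe(hop_mtus):
    """Constructed stand-in for the path in the thread: a DF packet larger
    than the smallest hop MTU is silently dropped (seen as a timeout)."""
    return lambda size: size <= min(hop_mtus)


if __name__ == "__main__":
    adsl_path = simulated_probe([1500, 1492])  # Ethernet, then PPPoE
    print("largest DF packet that passes:", largest_passing_packet(adsl_path))
```

On a real client, pass `windows_ping_probe(host)` with the address of a host beyond the ADSL router in place of the simulated probe.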
 