Compatibility Issues
NAT Traversal Problems on Windows XP SP2
This problem is caused by Windows, because it uses an MTU of 1500 (as recommended for Ethernet), but the IPSec protocol adds an overhead of 56 bits which is not taken into account.
This can be worked around by lowering the MTU below 1444 (1440 works fine) on the network interface that is used for the VPN tunnel. Information about changing the MTU can be found here: http://www.winguides.com/registry/display.php/280/. Another solution is to enable Path MTU Discovery:
System Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Value Name: EnablePMTUDiscovery
Data Type: REG_DWORD (DWORD Value)
Value Data: 0x00000001
Large File Transfer Problems Due to Large MTU
This is a known issue for:
- Native Windows XP SP2 IPSec implementation
- Other Windows XP SP2 VPN clients that use the native IPSec implementation
We have seen that a Windows XP roadwarrior using the native IPSec implementation, configured through the MMC, has problems transferring large files over the VPN tunnel. The tunnel is established and ping works correctly, but large file transfers fail.
A solution is to change the default behavior of IPsec NAT traversal (NAT-T) in Windows XP SP2:
System Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
Value Name: AssumeUDPEncapsulationContextOnSendRule
Data Type: REG_DWORD (DWORD Value)
Value Data: 0, 1, or 2
You must choose a proper number for Value Data based on the following considerations:
- 0 (default in SP2) – A value of 0 (zero) configures Windows XP SP2 so that it cannot initiate IPsec-secured communications with responders that are located behind network address translators
- 1 – A value of 1 configures Windows XP SP2 so that it can initiate IPsec-secured communications with responders that are located behind network address translators
- 2 (default on SP1 and older) – A value of 2 configures Windows XP SP2 so that it can initiate IPsec-secured communications when both the initiators and the responders are behind network address translators
Using a value of 2 is recommended when in doubt. Use it even when you know for sure that the client is NAT-ed but are not sure whether the server is, since this was the default in SP1 and earlier.
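The three registry changes described in this section and the previous one, collected into one script for an elevated Windows XP command prompt. This is an added example, not part of the original page: the interface GUID is a placeholder you must replace with the adapter's own key under Tcpip\Parameters\Interfaces, and the per-interface MTU value is the standard Windows key, not one quoted by the page.

```batch
@echo off
rem Added example: applies the Windows XP SP2 IPsec workarounds from this page.
rem Assumption: IFACE_GUID is a placeholder; look up the VPN adapter's real GUID under
rem HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces before running.
set IFACE_GUID={00000000-0000-0000-0000-000000000000}

rem 1. Enable Path MTU Discovery (value 1, as given on the page).
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d 1 /f

rem 2. Alternative to step 1: pin the VPN interface MTU to 1440 (below the 1444 limit the page gives).
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%IFACE_GUID%" /v MTU /t REG_DWORD /d 1440 /f

rem 3. NAT-T behaviour: 2 lets both initiator and responder sit behind NAT (the SP1 default).
reg add "HKLM\SYSTEM\CurrentControlSet\Services\IPsec" /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f

rem Check what was written; the values are read at boot, so reboot afterwards.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%IFACE_GUID%" /v MTU
reg query "HKLM\SYSTEM\CurrentControlSet\Services\IPsec" /v AssumeUDPEncapsulationContextOnSendRule
```

Apply only one of steps 1 and 2 if you want to keep the change minimal; the NAT-T value in step 3 is independent of the MTU choice.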
VPN connections using DH group 1
This is a known issue for:
- Zyxel’s Zywall default DH group configuration
- Shrewsoft VPN Client default DH group configuration
Because Syneto no longer supports DH group 1, to successfully make a configuration you will need to change the Zywall's configuration to use DH group 2 or DH group 5.
In order to do this, you’ll need to use the VPN->Advanced Zywall configuration, and select DH-2 on both phase 1 and phase 2 of the IPSec configuration setup.