Group Policy via Router to Router VPN

Hi there,

We have a remote site with no servers, only client pcs, connected to our head office via a Draytek to Draytek Lan to Lan IPSec connection

The clients at site are Windows XP, and the DHCP addresses are given out by the Draytek router on-site, with the DNS servers set to Active Directory DNS servers at head office.

Unfortunately, Group policies don't seem to be applying properly. Specifically the GPO that adds exceptions to the Windows Firewall.  I also tried implementing a policy which disabled the Windows firewall service completely but nothing appeared to kick in, no matter how many Gpupdates and reboots I did on the client machines.

Any clues as to why this won't work?  I read that Kerberos sometimes causes malformed packets over VPN, could this be something to do with it?

Although I haven't used Draytek routers before, there are a couple of things that you should be looking into.
1) MTU size, I usually set to 1420 on VPNs.
2) Confirm "IP unreachables" is enabled. It is used by Windows to determine the max size of the data segment within the IP packet.
It may be equipment specific but the above should be set correctly for the traffic to traverse the VPN correctly.
Maybe something to do with servers/PCs also, but your VPN should be confirmed as good first of all.

Thanks for your response trinak, MTU is currently 1442 (according to the ppp_mss query via telnet on the router), should this definitely be lowered?

Also, would you mind enlightening me a bit on the mechanics of why IP unreachables would help me? Had a bit of a read about it and I couldn't work out how it would be relevant.

thanks :)

Personally I would drop the MTU a bit.
IP Unreachables is used by various applications in determining packet sizes during transmission.
It won't hurt to enable it if it's currently disabled.

Also, having tinkered with the MTU on various Draytek routers (2600, 2800, 2900, 2950, 3100) and various ISPs (Opal/Altohiway, EasyNet, Zen, BeThere, Nildram, BT), the default of 1442 generally seems to be the best option - just be sure that they are all set to the same value. I can't think of a Draytek that lets you set this via the web interface, so you need to do it via telnet:

To check the current setting:
wan ppp_mss ?

To set a new value:
wan ppp_mss [value]

Rather cryptically, setting the ppp_mss value actually sets the MTU value (not the MSS value). The router will automatically set the MSS value to 40 bytes below the ppp_mss value.

I'm pretty sure that the router does not require a reboot after this, although I wouldn't quote me on it :)
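The two mechanics the thread touches on, the MSS-from-MTU rule in the post above and the earlier question of why "IP unreachables" matters over a VPN, can be shown with a small simulation. This is an added example written for this page, not code from any poster or from Draytek; it models a sender doing Path MTU Discovery across a path of links where the VPN link is the narrow one (the 1500 / 1442 / 1500 path and the packet sizes are constructed values). With ICMP "fragmentation needed" (ICMP type 3, code 4, one of the unreachable messages) allowed, the sender learns the tunnel MTU and shrinks its segments; with it blocked, large packets silently disappear while small ones still get through, which is the classic MTU black hole.

```python
"""Path MTU Discovery across a VPN link, as an added illustration (not from the thread)."""

IP_HEADER = 20   # IPv4 header without options
TCP_HEADER = 20  # TCP header without options


def mss_from_mtu(mtu: int) -> int:
    """TCP MSS a host advertises for a given link MTU: MTU minus IPv4 and TCP headers.

    This is the same 40-byte rule the router applies when ppp_mss is set
    (MSS = ppp_mss - 40), because ppp_mss actually configures the MTU.
    """
    return mtu - IP_HEADER - TCP_HEADER


class Path:
    """A chain of links, each with its own MTU, between two hosts.

    icmp_unreachables_enabled models whether a router on the path is allowed to
    send back ICMP 'fragmentation needed' (type 3, code 4) for DF packets that
    exceed the next hop's MTU.
    """

    def __init__(self, link_mtus, icmp_unreachables_enabled):
        self.link_mtus = list(link_mtus)
        self.icmp = icmp_unreachables_enabled

    def send(self, size):
        """Forward one DF-marked packet of `size` bytes hop by hop.

        Returns one of:
          ('delivered', size)              -- fitted every link
          ('icmp_frag_needed', next_mtu)   -- too big, router told the sender the hop MTU
          ('dropped', None)                -- too big, router silently discarded it
        """
        for mtu in self.link_mtus:
            if size > mtu:
                if self.icmp:
                    return ("icmp_frag_needed", mtu)
                return ("dropped", None)
        return ("delivered", size)


def discover_path_mtu(path, initial_mtu, max_attempts=10):
    """Sender-side PMTUD: start at the local MTU, shrink on each ICMP frag-needed.

    Returns (path_mtu, attempts) once a probe is delivered, or (None, attempts)
    if a probe vanishes without feedback (a black hole).
    """
    mtu = initial_mtu
    for attempt in range(1, max_attempts + 1):
        status, info = path.send(mtu)
        if status == "delivered":
            return mtu, attempt
        if status == "icmp_frag_needed":
            mtu = info          # adopt the MTU the router reported and retry
            continue
        return None, attempt    # dropped silently: sender keeps timing out
    return None, max_attempts


def demo():
    # Constructed path: Ethernet LAN -> VPN tunnel (Draytek default 1442) -> Ethernet LAN.
    links = [1500, 1442, 1500]

    ok = Path(links, icmp_unreachables_enabled=True)
    blocked = Path(links, icmp_unreachables_enabled=False)

    print("MSS for MTU 1442:", mss_from_mtu(1442))
    print("PMTUD with ICMP unreachables:", discover_path_mtu(ok, 1500))
    print("PMTUD without ICMP unreachables:", discover_path_mtu(blocked, 1500))
    # Small packets (e.g. a ping) still cross the black-holed path, which is why
    # basic connectivity can look fine while large replies never arrive.
    print("500-byte packet, ICMP blocked:", blocked.send(500))


if __name__ == "__main__":
    demo()
```

Run as a script to see the contrast: with unreachables allowed the sender converges on 1442 after one retry; with them blocked the 1500-byte probe is lost and the sender has no way to learn why, while a 500-byte packet is delivered normally.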

Thanks for that, seems sorted!