
K7 Endpoint Security Settings

I’ve been having trouble with a Windows 7 client connecting to a PPTP VPN endpoint on Mac OS X 10.6 (Snow Leopard) Server.  The client authenticates just fine, and can access resources on the LAN, but connections time out when connecting to remote servers.

The simple solution was to configure the VPN client to only tunnel LAN traffic through the VPN, but that undermined one of our reasons for having a VPN: securing connections from public WiFi hotspots.

For a long time, I assumed the problem had something to do with the routing, but after an hour or two with a packet sniffer hooked to the server, I discovered that TCP sockets to the problematic servers were being established, and, often, significant amounts of traffic were being passed back and forth.  I also noticed that the conversations were interspersed with packet fragmentation errors.

Ah Hah!  Something must be screwy with negotiation of the MTU.  With a little digging, I found some instructions for adjusting the MTU, which I’ll summarize here:

1. Click the Start menu, search for "cmd.exe", right-click the search result, and choose to run as administrator. Answer yes to the security warning prompt.
2. Connect to the VPN in question.
3. Run:

        netsh interface ipv4 show subinterfaces

4. Make note of the name of the listed connection (it should be the same name as the VPN connection entry you used to connect to the network).
5. Run the following, substituting the name of your connection for [CONNECTION NAME]:

        netsh interface ipv4 set subinterface "[CONNECTION NAME]" mtu=1100

   You can try different values for the MTU; in my case, it defaulted to 1200.
6. Check that the change was made:

        netsh interface ipv4 show subinterfaces

7. Restart your computer.

Thanks to for the info.
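
Instead of trying MTU values by hand, the largest size that crosses the tunnel unfragmented can be measured with Don't Fragment pings. The script below is an added example, not part of the original instructions; the target address is a placeholder for any host reached through the VPN that answers ICMP, and the function names are made up for illustration.

```powershell
# Added example: binary-search the largest ICMP payload that crosses the VPN
# with the Don't Fragment bit set, then print the matching netsh command.
param(
    [string]$Target = '192.0.2.10',   # placeholder: a host reached through the VPN
    [int]$Low  = 548,                 # payload of a 576-byte packet (search floor)
    [int]$High = 1472                 # payload of a 1500-byte packet (search ceiling)
)

function Test-DfPing([string]$Dest, [int]$Payload) {
    # -f sets Don't Fragment, -l sets the ICMP payload size, -w is the timeout in ms.
    $out = & ping.exe -n 1 -f -l $Payload -w 2000 $Dest 2>&1 | Out-String
    # An echo reply line contains "TTL="; fragmentation errors and timeouts do not.
    return ($out -match 'TTL=')
}

function Find-MaxPayload([string]$Dest, [int]$Lo, [int]$Hi) {
    if (-not (Test-DfPing $Dest $Lo)) { return -1 }   # even the floor gets no reply
    while ($Lo -lt $Hi) {
        # Round up so the midpoint is always above $Lo and the loop terminates.
        $mid = [int][math]::Ceiling(($Lo + $Hi) / 2)
        if (Test-DfPing $Dest $mid) { $Lo = $mid } else { $Hi = $mid - 1 }
    }
    return $Lo
}

$payload = Find-MaxPayload $Target $Low $High
if ($payload -lt 0) {
    Write-Output "No reply from $Target at $Low bytes; check that it answers ICMP."
} else {
    $mtu = $payload + 28   # 20-byte IPv4 header + 8-byte ICMP header
    Write-Output "Largest unfragmented payload: $payload bytes (MTU $mtu)"
    Write-Output "netsh interface ipv4 set subinterface `"[CONNECTION NAME]`" mtu=$mtu"
}
```

Run it while connected to the VPN. The result can never exceed the MTU currently set on the VPN interface, because larger DF pings are rejected locally before they leave the machine.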