Hi John,

that was not the answer I was expecting ;-)

When you use PPTP with EAP/TLS or L2TP/IPSec you need to exchange certificate chains. In most cases this inherently results in IP fragments created at the VPN endpoints. This is a well-known issue. Moreover, the IETF IPSec working group has refused to solve that fundamental IP fragment problem when designing the new IPSec NAT-T. On customer demand, Microsoft has implemented an MS-Frag extension in the new L2TP/IPSec NAT-T stacks. When both endpoints support the MS-Frag extension, IP fragments will no longer occur because the fragmentation will be done at a much higher level in the protocol stack.

From what I heard, Microsoft has designed the MS-Frag extension as an open protocol extension and made it publicly available on MSDN. However, I can't find it anywhere.

For more info about MS-Frag, check out:
- http://www.microsoft.com/usa/webcasts/ondemand/2323.asp
- http://downloads.mymsevents.com/files/Events/30/3513/SEC406_Riley.ppt

Thanks,
Stefaan

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, 24 November 2003 7:56
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: MS-Frag extension to L2TP/IPSec NAT-T

http://www.ISAserver.org

The great Stefaan asking a question of us? Wow, I am honored.

The problem with forcing no fragmentation is that you do not always get an accurate packet size negotiation. This can be because of black holes, firewalls or routers set to ignore the Do Not Fragment bit, improper web server configurations which can block the packet size discovery, PPPoE connections and others. I have even seen references to turn off PMTU size discovery. In these cases, you then also need to ensure the computer is set to use smaller size packets from the beginning. FYI, when I or clients have had problems, an MTU size of 1404 in the registry has always solved it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
> Sent: Sunday, November 23, 2003 7:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] MS-Frag extension to L2TP/IPSec NAT-T
>
> http://www.ISAserver.org
>
> Hey guys,
>
> in numerous excellent webcasts and presentations about IPSec and NAT-T,
> Steve Riley talks about a Microsoft extension MS-Frag to prevent IP
> fragmentation when certificates are used for machine and/or user
> authentication. It is my understanding that the specifications of this
> extension were publicly available. However, I don't seem to find it ;-(
>
> Can anybody point me in the right direction?
>
> Thanks,
> Stefaan
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
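An added example, not part of this thread, that works through John's MTU remark: it estimates how large an inner packet becomes once it is wrapped in L2TP/IPsec NAT-T (UDP/4500 + ESP transport mode + UDP/1701 + L2TP + PPP) and finds the largest inner MTU that never needs fragmentation on a given path, so the 1404 registry value can be checked against plain Ethernet (1500) and PPPoE (1492). Every header size used is an assumption (3DES-CBC with an 8-byte IV, truncated HMAC-SHA1 ICV, L2TPv2 and PPP headers without optional fields), not a figure taken from the thread.

```python
# Added example, not from the list thread. Estimates whether a packet sent over an
# L2TP/IPsec NAT-T tunnel still fits the physical path MTU, and finds the largest
# inner MTU that never fragments. All header sizes are assumptions for a typical
# configuration of that era (3DES-CBC with an 8-byte IV, truncated HMAC-SHA1 ICV).

OUTER_IP = 20       # IPv4 header without options
NAT_T_UDP = 8       # UDP/4500 header inserted by NAT-T
ESP_HEADER = 8      # SPI + sequence number
ESP_IV = 8          # CBC IV (8 for 3DES; would be 16 for AES)
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # truncated HMAC-SHA1 authenticator
L2TP_UDP = 8        # UDP/1701 header (the traffic the IPsec SA protects)
L2TP_HEADER = 8     # L2TPv2 data header without optional fields
PPP_HEADER = 4      # PPP address/control + protocol, no header compression


def esp_padding(plaintext_len: int, block: int = 8) -> int:
    """ESP pads so that plaintext + padding + 2-byte trailer is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def encapsulated_size(inner_packet: int, block: int = 8, iv: int = ESP_IV) -> int:
    """On-the-wire size of one inner IP packet after PPP, L2TP, ESP and NAT-T wrapping."""
    plaintext = L2TP_UDP + L2TP_HEADER + PPP_HEADER + inner_packet
    pad = esp_padding(plaintext, block)
    return OUTER_IP + NAT_T_UDP + ESP_HEADER + iv + plaintext + pad + ESP_TRAILER + ESP_ICV


def fragments(inner_packet: int, path_mtu: int) -> bool:
    """True if the wrapped packet exceeds the path MTU and the VPN endpoint must fragment."""
    return encapsulated_size(inner_packet) > path_mtu


def max_inner_mtu(path_mtu: int) -> int:
    """Largest inner packet that fits the path MTU; ESP padding makes a closed form awkward, so search."""
    size = path_mtu
    while size > 0 and fragments(size, path_mtu):
        size -= 1
    return size


if __name__ == "__main__":
    # 1500 = plain Ethernet, 1492 = PPPoE, one of the cases John mentions.
    for path in (1500, 1492):
        print(f"path MTU {path}: inner MTU must be <= {max_inner_mtu(path)}")
    # The 1404 registry value from the thread against both paths.
    for path in (1500, 1492):
        print(f"1404-byte inner packet on a {path} path -> {encapsulated_size(1404)} bytes, "
              f"fragments: {fragments(1404, path)}")
```

With these overheads a 1404-byte inner packet becomes 1488 bytes on the wire, which fits both a 1500 and a 1492 path, while an unchanged 1500-byte inner packet grows to 1584 bytes and must be fragmented.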