Using Novell's VPN with PPPoE DSL Connections - May 15, 2004

May 15, 2004 - Change to previous information on this tip - Novell is not planning on building PPPoE support into NetWare at any point. The demand is not sufficient to justify the engineering expense, particularly when you can buy a small PPPoE-capable router and install it in front of BorderManager in bridging mode.

DSL connections are becoming more and more commonplace. Unfortunately, many of them are using a technology known as PPPoE (Point-to-Point Protocol over Ethernet), and Novell's VPN is said to be incompatible with PPPoE.

However, there are two methods whereby you may be able to get at least Client-Site VPN working with PPPoE. I have not tested this myself, so I do not know if these methods work in all cases, or if there is some limitation in that the PPPoE connection must only be on the client side of the connection.

Method 1: Add a PPPoE support program to the client side, for Windows 2000, Windows 98 or Windows ME.

A program that adds PPPoE support on the client side is available at this URL:

http://user.cs.tu-berlin.de/~normanb/

Method 2: Adjust MTU size downward on the client.

This tip just in from a Novell Public Forums user:

Newsgroups: Novell.support.internet.BorderManager.vpn-services
Subject: ADSL PPPoE BorderManager Client software -> It works...finally!!!
Date: Mon, 19 Feb 2001 15:26:22 GMT

"Even without having tried the RASPPPOE protocol (http://user.cs.tu-berlin.de/~normanb/) we succeeded in getting the VPN client working with PPPoE (Enternet installation).

It took several days to figure out, but it might be of some very valuable interest for other persons having the same kind of problems (perhaps the 50% having to use PPPoE for ADSL-like connections). I think that the solution might be to some extent similar for other configs using ADSL, PPPoE and BorderManager Client-to-Site VPN.

Configuration:
Client Machine:
- Win 95 machines using Alcatel SpeedTouch external modem and Enternet "dialer" using PPPoE and BorderManager Client LAN VPN.

Server Site:
- BorderManager version 3.5 and 3.6 on NW 4.11 and 5.1

Small description of Issue:
Connection to BM server via client works OK. Small IP packets are transferred correctly between Private LAN and Internet-connected client. However, when doing an FTP PUT of a larger file the communication hangs (doesn't happen with an FTP GET).

Lanalyzer shows that Upstream communication only happens with very small packet sizes (IP fragmentation).

Solution or workaround:
Control Panel -> Network -> Network TeleSystems P.P.P.o.E -> Properties -> Advanced -> MaxFrameSize: change it to 1354. We've tested several frame sizes and up to 1382 VPN still works in this situation.

It appears that there is somewhere an issue with the VPN software and/or the adaptor having to calculate the frame size that can be used.

Perhaps something interesting to put on the Novell knowledge database as the amount of PPPoE document related issues is......

Interesting document helping to troubleshoot MTU issues is www.dslreports.com/tweaks/MTU.

krg,
Jean-Luc"

If you find that either of these tips helps, or can provide additional feedback, positive or negative, on getting PPPoE to work with BorderManager VPN, please post something in the Novell Public Forums, BorderManager InstallSetup or VPN newsgroups.

Some more user feedback in the forums, from Mar 10, 2001:

I went to www.craigjconsulting.com and checked out the tips there on how to get the VPN working with PPPoE. I changed my MTU size to 1354 like it suggested, that did not fix the problem, and then I went to www.dslreports.com/tweak and followed the suggestions there for tweaking my DSL connection. One of the problems was my RWIN size was 8192B and should have been 16KB instead.

And another nice summary of steps one user took to get a VPN connection over his PPPoE link:

"After much stuffing around with the 3.5 VPN client I've managed to get it working with W2k. This is my understanding, and results:

Scenario: BM 3.5, latest export VPN client, W2kPro, running on Telstra ADSL (Australia) using the Enternet PPPoE implementation.

After all was installed (in every order imaginable) the VPN client would fail connection with the following error: "vptunnel driver returned an error"

Incidentally, the VPN client on W2k with a normal dial-up adapter to an ISP runs and logs into the VPN correctly so I know the VPN server works.

Solution:
There seems to be a MTU size mismatch of some description with the PPPoE and BM VPN.

The default MTU on Enternet PPPoE is 1454. Decreasing this value down did not fix the problem. I've since discovered that in the INETCFG console log, the following "VPTUNNEL is decreasing MTU to 1350 bytes becuase of buffer size limitations"

The BM troubleshooting section in the VPN docs states the following:

"For site-to-site VPN connections, the Maximum Transmission Unit (MTU) size is automatically set to 1350. For client-to-site connections, the MTU size is set to 1374 to accommodate the overhead incurred by the IPSEC and SKIP headers."

Knowing this I tried the following:
Ditched the PPPoE from Enternet, the one supplied by my ADSL provider, and installed the RASPPPoE version from http://user.cs.tu-berlin.de/~normanb/.

This has the ability to change the max MTU for the PPP over Ethernet protocol as well. I have changed this to 1200 and had the VPN login successfully with W2k. I assume this will work with anything up to 1350.

phew...
Paul Jones
CNE, MSCE"


