Netgate Discussion Forum
    Windows XP Roadwarrior not working pfSense 2.2

    OpenVPN
    3 Posts 1 Posters 973 Views

    • PantsManUK

      Right off the bat, I've tried setting up latest IPCop and OpenVPN Access Server with a Windows XP client, and I see the same issues, so I'm certain this isn't a pfSense issue (per se).

      We used to run IPCop 1.4 (OpenVPN 2.0.7) to let staff access the network, and it worked just fine for everyone. Following a change to a leased line, I have deployed pfSense 2.2 (OVPN 2.3.6) as the firewall for the improved traffic shaping, and everything is still great for everyone with the exception of the one user that still uses Windows XP (one of the company directors). This one user cannot access Exchange remotely, can't access network shares, and can't post info to one of our "internal" web sites over the OVPN connection (our bug tracker).

      Similarly, if I use any of the otherwise working configs on Windows XP (we have spare machines that haven't been upgraded yet), I see exactly the same errors, and using this same user's config on any more recent Windows version works just fine for all those things. I'm at a loss as to why this should be the case.

      Has anyone seen similar issues/a workaround to fix it? Happy to post configs/tcpdumps, but don't want to clutter this first post (may well second post those).

      • PantsManUK

        server2.conf

        dev ovpns2
        verb 3
        dev-type tun
        dev-node /dev/tun2
        writepid /var/run/openvpn_server2.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp
        cipher AES-128-CBC
        auth SHA1
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 46.33.155.243
        tls-server
        server 172.16.1.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc
        tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw0.ggp.local' 1"
        lport 1190
        management /var/etc/openvpn/server2.sock unix
        max-clients 15
        push "route 10.0.0.0 255.255.255.0"
        push "dhcp-option DOMAIN ggp.local"
        push "dhcp-option DNS 10.0.0.254"
        push "dhcp-option DNS 10.0.0.17"
        push "dhcp-option WINS 10.0.0.254"
        ca /var/etc/openvpn/server2.ca 
        cert /var/etc/openvpn/server2.cert 
        key /var/etc/openvpn/server2.key 
        dh /etc/dh-parameters.1024
        crl-verify /var/etc/openvpn/server2.crl-verify 
        tls-auth /var/etc/openvpn/server2.tls-auth 0
        passtos
        

        "XP" config

        dev tun
        persist-tun
        persist-key
        cipher AES-128-CBC
        auth SHA1
        tls-client
        client
        resolv-retry infinite
        remote 46.33.155.243 1190 udp
        lport 0
        verify-x509-name "fw0.ggp.local" name
        pkcs12 fw0-udp-1190-timm.p12
        tls-auth fw0-udp-1190-timm-tls.key 1
        ns-cert-type server
        passtos
        

        "7" config

        dev tun
        persist-tun
        persist-key
        cipher AES-128-CBC
        auth SHA1
        tls-client
        client
        resolv-retry infinite
        remote 46.33.155.243 1190 udp
        lport 0
        verify-x509-name "fw0.ggp.local" name
        pkcs12 fw0-udp-1190-murrayc.p12
        tls-auth fw0-udp-1190-murrayc-tls.key 1
        ns-cert-type server
        passtos
        
        • PantsManUK

          Just to let everyone know, I think I've solved this (with some help from the OpenVPN support forums).

          Looks to have been an MTU size problem, fixed by adding:

          fragment 1300
          mssfix
          

          to the server and client configs. Will know for certain tomorrow morning when I roll it out to the live environment (rather than my test lab).

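An added check, not something from the thread or from pfSense: a small Python script that parses a server/client config pair and reports whether the MTU fix above (fragment plus mssfix) is applied on both ends with a matching value. The embedded configs are constructed from the ones posted earlier, trimmed to the lines the check needs.

```python
from typing import Dict, List, Optional

# Constructed sample: the server and client configs as posted in the thread,
# trimmed to the lines that matter for the MTU check.
SERVER_CONF = """\
dev ovpns2
proto udp
cipher AES-128-CBC
auth SHA1
server 172.16.1.0 255.255.255.0
lport 1190
"""
CLIENT_CONF = """\
dev tun
client
remote 46.33.155.243 1190 udp
cipher AES-128-CBC
auth SHA1
"""
MTU_FIX = "fragment 1300\nmssfix\n"  # the two lines the last post adds to both ends

def parse_openvpn_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of its argument vectors.
    Comments (# or ;) and blank lines are skipped; repeated directives
    such as push accumulate rather than overwrite."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def fragment_size(conf: Dict[str, List[List[str]]]) -> Optional[int]:
    """Value of the fragment directive, or None if it is absent or has no argument."""
    entries = conf.get("fragment")
    return int(entries[-1][0]) if entries and entries[-1] else None

def check_mtu_fix(server_text: str, client_text: str) -> List[str]:
    """Return findings for a server/client pair; an empty list means
    fragment and mssfix are present and consistent on both ends."""
    server, client = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings: List[str] = []
    s_frag, c_frag = fragment_size(server), fragment_size(client)
    if s_frag is None and c_frag is None:
        findings.append("fragment missing on both ends: oversized UDP datagrams are left to path MTU discovery")
    elif s_frag != c_frag:
        findings.append(f"fragment differs: server={s_frag} client={c_frag}; enable it on both peers with the same value")
    for side, conf in (("server", server), ("client", client)):
        if "fragment" in conf and "mssfix" not in conf:
            findings.append(f"{side}: fragment set without mssfix, so TCP MSS is not clamped to fit the tunnel")
    return findings
```

Run it against the real files (e.g. /var/etc/openvpn/server2.conf and the exported client profile) before rolling the change out; pfSense regenerates the server file from the GUI, so the fix has to be entered there, not hand-edited.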
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.