Windows XP Roadwarrior not working pfSense 2.2
-
Right off the bat, I've tried setting up latest IPCop and OpenVPN Access Server with a Windows XP client, and I see the same issues, so I'm certain this isn't a pfSense issue (per se).
We used to run IPCop 1.4 (OpenVPN 2.0.7) to let staff access the network, and it worked just fine for everyone. Following a change to a leased line, I have deployed pfSense 2.2 (OVPN 2.3.6) as the firewall for the improved traffic shaping, and everything is still great for everyone with the exception of the one user that still uses Windows XP (one of the company directors). This one user cannot access Exchange remotely, can't access network shares, and can't post info to one of our "internal" web sites over the OVPN connection (our bug tracker).
Similarly, if I use any of the otherwise working configs on Windows XP (we have spare machines that haven't been upgraded yet), I see exactly the same errors, and using this same user's config on any more recent Windows version works just fine for all those things. I'm at a loss as to why this should be the case.
Has anyone seen similar issues/a workaround to fix it? Happy to post configs/tcpdumps, but don't want to clutter this first post (may well second post those).
-
server2.conf
dev ovpns2
verb 3
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 46.33.155.243
tls-server
server 172.16.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw0.ggp.local' 1"
lport 1190
management /var/etc/openvpn/server2.sock unix
max-clients 15
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DOMAIN ggp.local"
push "dhcp-option DNS 10.0.0.254"
push "dhcp-option DNS 10.0.0.17"
push "dhcp-option WINS 10.0.0.254"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server2.crl-verify
tls-auth /var/etc/openvpn/server2.tls-auth 0
passtos
"XP" config
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 46.33.155.243 1190 udp
lport 0
verify-x509-name "fw0.ggp.local" name
pkcs12 fw0-udp-1190-timm.p12
tls-auth fw0-udp-1190-timm-tls.key 1
ns-cert-type server
passtos
"7" config
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 46.33.155.243 1190 udp
lport 0
verify-x509-name "fw0.ggp.local" name
pkcs12 fw0-udp-1190-murrayc.p12
tls-auth fw0-udp-1190-murrayc-tls.key 1
ns-cert-type server
passtos
-
Just to let everyone know, I think I've solved this (with some help from the OpenVPN support forums).
Looks to have been an MTU size problem, fixed by adding:
fragment 1300
mssfix
to the server and client configs. Will know for certain tomorrow morning when I roll it out to the live environment (rather than my test lab).
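Why a full-size packet inside the tunnel breaks the large-transfer protocols (SMB, Exchange RPC, HTTP POST) while small traffic keeps working, and what `fragment 1300` plus `mssfix` change, worked through as an added example. This is not code from the thread, from pfSense or from OpenVPN: the per-header byte counts are my assumptions about the OpenVPN 2.x data-channel layout for the thread's `cipher AES-128-CBC` / `auth SHA1` settings, and the model treats the `fragment` value as a cap on the whole outer IPv4/UDP datagram, which approximates OpenVPN's own link-MTU arithmetic rather than reproducing it.

```python
"""Model of how OpenVPN 2.x UDP encapsulation grows an inner packet,
and what `fragment 1300` / `mssfix` change.  Constructed example: the
byte counts below are assumptions about the data-channel framing for
AES-128-CBC + HMAC-SHA1, not values taken from the forum post."""

# Outer transport headers, assumed IPv4 without options.
OUTER_IP = 20
OUTER_UDP = 8
# Assumed data-channel framing for a TLS-mode CBC cipher with HMAC auth.
OPCODE_KEYID = 1     # one byte carrying opcode + key id
HMAC_SHA1 = 20       # `auth SHA1`: 20-byte HMAC sent in the clear
IV_AES = 16          # AES-CBC IV, one block, sent in the clear
PACKET_ID = 4        # replay counter, inside the encrypted part
FRAGMENT_HDR = 4     # present only when `fragment` is enabled
AES_BLOCK = 16       # CBC rounds the plaintext up to a whole block


def pkcs7_padded(plain_len: int, block: int = AES_BLOCK) -> int:
    """Length after PKCS#7 padding; there is always at least one pad byte."""
    return (plain_len // block + 1) * block


def encapsulated_size(inner_len: int, fragment: bool = False) -> int:
    """Outer IPv4/UDP datagram size produced for an inner packet of inner_len bytes."""
    plain = PACKET_ID + (FRAGMENT_HDR if fragment else 0) + inner_len
    return (OUTER_IP + OUTER_UDP + OPCODE_KEYID + HMAC_SHA1 + IV_AES
            + pkcs7_padded(plain))


def largest_inner_that_fits(outer_limit: int, fragment: bool = False) -> int:
    """Largest inner packet whose encapsulation stays within outer_limit bytes.

    outer_limit is the path MTU (1500 on plain Ethernet) or, with
    `fragment N`, the value N (approximation: treated as the cap on the
    whole outer datagram).
    """
    for inner in range(outer_limit, 0, -1):
        if encapsulated_size(inner, fragment) <= outer_limit:
            return inner
    raise ValueError("outer_limit too small for any payload")


def tcp_mss_clamp(outer_limit: int, fragment: bool = True) -> int:
    """MSS that an `mssfix` clamp must announce so that a full TCP segment
    (inner IPv4 20 + TCP 20 header bytes) still fits the outer limit."""
    return largest_inner_that_fits(outer_limit, fragment) - 40


if __name__ == "__main__":
    # Before the fix: a full 1500-byte LAN packet enters the tunnel.
    full = encapsulated_size(1500)
    print(f"1500-byte inner packet -> {full}-byte outer datagram "
          f"(exceeds a 1500-byte path MTU by {full - 1500} bytes, "
          f"so the firewall must IP-fragment it on the wire)")
    print(f"largest inner packet that fits 1500 without fragmentation: "
          f"{largest_inner_that_fits(1500)}")
    # After the fix: fragment 1300 + mssfix (mssfix inherits the 1300).
    print(f"with fragment 1300: inner packets above "
          f"{largest_inner_that_fits(1300, fragment=True)} bytes are split "
          f"by OpenVPN itself, never by the IP layer")
    print(f"mssfix on a 1300-byte cap announces an MSS of about "
          f"{tcp_mss_clamp(1300)} bytes, so TCP never sends a segment "
          f"that needs splitting")
```

Reading the output: every full-size inner packet leaves the firewall as an IP-fragmented datagram, and any hop or host that drops or mishandles those fragments kills exactly the bulk protocols while the VPN handshake, pings and DNS (all small) keep working, which matches the symptoms in the first post. With `fragment 1300` OpenVPN splits oversized packets before encryption, and `mssfix` stops TCP from producing them in the first place; a quick client-side check after the change is `ping -f -l <size> <internal host>` from the Windows machine, increasing `<size>` until the don't-fragment reply fails, which should now happen only above the inner limit the model prints.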