Re: [nsp] MTU problem over VPN

From: Steve Francis (sfrancis@expertcity.com)
Date: Fri Jul 12 2002 - 16:30:06 EDT


Can do it with policy routing, per
http://www.cisco.com/warp/public/105/56.html#subsecondone

warner@cats.ucsc.edu wrote:

>We are using a pair of Cisco 1710-VPN routers to create
>a lan-to-lan VPN tunnel that connects a remote site to
>our campus LAN over the Internet. We're actually using
>IPSEC with preshared keys. The underlying path is fast
>and has very low packet loss, so life is good...
>
>The rough edge on this system is that Path MTU discovery
>appears to be more a theory than a widespread reality.
>The path MTU over our tunnel is some 40 bytes smaller than
>the Ethernet max packet size. Many important sites (for
>example mapquest.com) block ICMP-can't-fragment messages.
>These sites are unreachable from the remote end of the
>tunnel unless they hack MSS in their windows registry.
>
>Is there a way to tell the Cisco routers that it's OK
>to fragment the AH-encrypted packets, the DF-flag on the
>unencrypted traffic notwithstanding? I'd rather not have
>to make changes to user desktops. What do other people
>that use these routers do?
>
>-jim warner, UC Santa Cruz
>
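The policy-routing approach Steve points to, written out as an added IOS configuration example (not from the thread or the Cisco document). Interface name, access-list number, route-map name and the MSS value are assumptions; the MSS figure is derived from the "some 40 bytes smaller" path MTU Jim describes.

```text
! Clear the DF bit on traffic entering from the campus LAN, so the router
! can fragment oversized packets before encrypting them instead of
! dropping them and relying on an ICMP message the far site filters.
!
! Match all IP traffic arriving from the LAN side (assumed ACL number)
access-list 101 permit ip any any
!
! Policy route-map that only clears DF; no next-hop is set, so normal
! routing still decides where the packet goes afterwards
route-map CLEAR-DF permit 10
 match ip address 101
 set ip df 0
!
! Apply the policy inbound on the LAN-facing interface (assumed name)
interface FastEthernet0
 ip policy route-map CLEAR-DF
 !
 ! Optional, if the IOS image supports it: rewrite the MSS in TCP SYNs
 ! crossing this interface so hosts never send full-size segments.
 ! Path MTU 1460 (1500 - ~40 bytes tunnel overhead) minus 40 bytes of
 ! IP + TCP headers = 1420
 ip tcp adjust-mss 1420
```

Clearing DF trades the black hole for fragmentation of the cleartext packets before IPsec, so each fragment is encrypted separately and the far router does not have to reassemble; the MSS clamp avoids fragmentation for TCP altogether but does nothing for other protocols.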



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:04 EDT