[c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
ChrisSerafin
chris at chrisserafin.com
Tue Jan 6 23:06:29 EST 2009
Unless you need this for legacy IPX or some layer 2 stuff going across
the VPN, why not use the 'good ole, plain ole' IPSEC VPN?
Chris Serafin
chris at chrisserafin.com
Church, Charles wrote:
> Do you really need the GRE? I'm guessing that is the issue, don't think
> the accelerator will handle that.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Kent
> Sent: Tuesday, January 06, 2009 9:45 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
>
>
> I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2
> running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7. I've got them
> back-to-back, configured as shown below.
>
> With a single file transfer (tcp) through the boxes I am able to jam
> the processor at 99%/96%, which tells me I must be missing something.
>
> I checked and the "ip tcp adjust-mss 1360" is working, so it is not
> fragmentation that is the culprit. I do get about 35Mbs throughput,
> but I'm bugged that the main cpu is jammed. I did check "sh cry eng
> acc stat" and see that the HW module is being used, but I would have
> thought that the actual 2811 cpu would be only modestly busy.
>
> Am I missing anything here?
>
> Thanks,
> -mark
>
> ---
>
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 5
>  lifetime 300
> !
> crypto isakmp key foo address 10.10.10.2 no-xauth
> !
> crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
> !
> crypto map GREVPN local-address FastEthernet0/0
> !
> ip access-list extended TUNNEL
>  permit gre host 10.10.10.1 host 10.10.10.2
> !
> crypto map GREVPN 20 ipsec-isakmp
>  set peer 10.10.10.2
>  set transform-set GREVPN
>  match address TUNNEL
> !
> interface Tunnel0
>  ip address 192.0.2.1 255.255.255.252
>  ip mtu 1476
>  ip tcp adjust-mss 1360
>  tunnel source FastEthernet0/0
>  tunnel destination 10.10.10.2
> !
> interface FastEthernet0/0
>  description x-conn to other 2811
>  ip address 10.10.10.1 255.255.255.252
>  crypto map GREVPN
>  crypto ipsec fragmentation before-encryption
> !
> interface FastEthernet0/1
>  ip address <test1 network, test2 is on other 2811>
> !
> ip route <test2 network> 192.0.2.2
>
> ---
>
> 2811-expt-TWO#sh cry engine acc stat
>
> Device: AIM-VPN/SSL-2
> Location: AIM Slot: 0
> Virtual Private Network (VPN) Module in slot : 0
> Statistics for Hardware VPN Module since the last clear of counters 42 seconds ago
>     126270 packets in                  126270 packets out
>  127941213 bytes in                 124977694 bytes out
>       3006 paks/sec in                    3006 paks/sec out
>      23865 Kbits/sec in                  23312 Kbits/sec out
>      42555 packets decrypted             83715 packets encrypted
>    5854456 bytes before decrypt      119123238 bytes encrypted
>    2790517 bytes decrypted           125150696 bytes after encrypt
>          0 packets decompressed              0 packets compressed
>          0 bytes before decomp               0 bytes before comp
>          0 bytes after decomp                0 bytes after comp
>          0 packets bypass decompr            0 packets bypass compres
>          0 bytes bypass decompres            0 bytes bypass compressi
>          0 packets not decompress            0 packets not compressed
>          0 bytes not decompressed            0 bytes not compressed
>      1.0:1 compression ratio             1.0:1 overall
>          4 commands out                      4 commands acknowledged
> Last 5 minutes:
>      53276 packets in                   53276 packets out
>       1268 paks/sec in                    1268 paks/sec out
>   10792372 bits/sec in                10542446 bits/sec out
>    1178581 bytes decrypted            50240550 bytes encrypted
>     235716 Kbits/sec decrypted        10048110 Kbits/sec encrypted
>      1.0:1 compression ratio             1.0:1 overall
>
> Errors:
>   ppq full errors         : 0    ppq rx errors           : 0
>   cmdq full errors        : 0    cmdq rx errors          : 0
>   ppq down errors         : 0    cmdq down errors        : 0
>   no buffer               : 0    replay errors           : 0
>   dest overflow           : 0    authentication errors   : 0
>   Other error             : 0    Raw Input Underrun      : 0
>   IPSEC Unsupported Option: 0    IPV4 Header Length      : 0
>   ESP Pad Length          : 0    IPSEC Decompression     : 0
>   AH ESP seq mismatch     : 0    AH Header Length        : 0
>   AH ICV Incorrect        : 0    IPCOMP CPI Mismatch     : 0
>   IPSEC ESP Modulo        : 0    Unexpected IPV6 Extensio: 0
>   Unexpected Protocol     : 0    Dest Buf overflow       : 0
>   IPSEC Pkt is fragment   : 0    IPSEC Pkt src count     : 0
>   Invalid IP Version      : 0    Unwrappable             : 0
>   SSL Output overrun      : 0    SSL Decompress failure  : 0
>   SSL BAD Decomp History  : 0    SSL Version Mismatch    : 0
>   SSL Input overrun       : 0    SSL Conn Modulo         : 0
>   SSL Input Underrun      : 0    SSL Connection closed   : 0
>   SSL Unrecognised content: 0    SSL record header length: 0
>   PPTP Duplicate packet   : 0    PPTP Exceed max missed p: 0
>   RNG self test fail      : 0    DF Bit set              : 0
>   Hash Miscompare         : 0    Unwrappable object      : 0
>   Missing attribute       : 0    Invalid attrribute value: 0
>   Bad Attribute           : 0    Verification Fail       : 0
>   Decrypt Failure         : 0    Invalid Packet          : 0
>   Invalid Key             : 0    Input Overrun           : 0
>   Input Underrun          : 0    Output buffer overrun   : 0
>   Bad handle value        : 0    Invalid parameter       : 0
>   Bad function code       : 0    Out of handles          : 0
>   Access denied           : 0    Out of memory           : 0
>   NR overflow             : 0    pkts dropped            : 0
>
> Warnings:
>   sessions_expired        : 0    packets_fragmented      : 0
>   general:                : 0
>
> HSP details:
>   hsp_operations          : 35231    hsp_sessions          : 3
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
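To make the "plain ole IPsec" suggestion concrete, here is what a site-to-site configuration for the same pair of 2811s looks like without the GRE tunnel. This is an added illustration, not a configuration posted by anyone in the thread. It keeps the ISAKMP policy, pre-shared key and transform set from Mark's config; the crypto map and ACL names are arbitrary, and the LAN prefixes, wildcard masks and subnet masks are placeholders to be filled in for the two test networks (the peer router needs the mirror image of the ACL and routing).

```text
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 300
!
crypto isakmp key foo address 10.10.10.2 no-xauth
!
crypto ipsec transform-set PLAINVPN esp-aes esp-sha-hmac
!
! Interesting traffic is the LAN-to-LAN flow itself, not GRE between the
! outside addresses; placeholders in <> are to be filled in per site
ip access-list extended LAN2LAN
 permit ip <test1 network> <test1 wildcard> <test2 network> <test2 wildcard>
!
crypto map PLAINVPN 20 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set PLAINVPN
 match address LAN2LAN
!
interface FastEthernet0/0
 description x-conn to other 2811
 ip address 10.10.10.1 255.255.255.252
 crypto map PLAINVPN
!
interface FastEthernet0/1
 ip address <test1 network address> <test1 mask>
!
! No Tunnel0: the remote LAN is routed toward the peer's outside address,
! so the tunnel's "ip mtu 1476" and "ip tcp adjust-mss 1360" go away too
ip route <test2 network> <test2 mask> 10.10.10.2
```

The trade-off is the one Chris names: only unicast IP that matches the crypto ACL is carried, so a routing protocol, multicast or non-IP traffic across the link needs the GRE encapsulation back.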