[nsp] MTU problem over VPN

From: warner@cats.ucsc.edu
Date: Fri Jul 12 2002 - 16:04:22 EDT


We are using a pair of Cisco 1710-VPN routers to create
a lan-to-lan VPN tunnel that connects a remote site to
our campus LAN over the Internet. We're actually using
IPSEC with preshared keys. The underlying path is fast
and has very low packet loss, so life is good...

The rough edge on this system is that Path MTU discovery
appears to be more a theory than a widespread reality.
The path MTU over our tunnel is some 40 bytes smaller than
the Ethernet max packet size. Many important sites (for
example mapquest.com) block ICMP-can't-fragment messages.
These sites are unreachable from the remote end of the
tunnel unless they hack MSS in their windows registry.

Is there a way to tell the Cisco routers that it's OK
to fragment the AH-encrypted packets, the DF-flag on the
unencrypted traffic not withstanding? I'd rather not have
to make changes to user desktops. What do other people
that use these routers do?

-jim warner, UC Santa Cruz



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:04 EDT