Re: [nsp] MTU problem over VPN

From: Stephen Gill (gillsr@yahoo.com)
Date: Fri Jul 12 2002 - 16:32:52 EDT


Welcome to the sad world of ICMP filtering ;(.

It is called DF BIT Override:
#crypto ipsec df-bit [clear | set | copy]

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm

-- steve

--- warner@cats.ucsc.edu wrote:
> We are using a pair of Cisco 1710-VPN routers to create
> a lan-to-lan VPN tunnel that connects a remote site to
> our campus LAN over the Internet. We're actually using
> IPSEC with preshared keys. The underlying path is fast
> and has very low packet loss, so life is good...
>
> The rough edge on this system is that Path MTU discovery
> appears to be more a theory than a widespread reality.
> The path MTU over our tunnel is some 40 bytes smaller than
> the Ethernet max packet size. Many important sites (for
> example mapquest.com) block ICMP-can't-fragment messages.
> These sites are unreachable from the remote end of the
> tunnel unless they hack MSS in their windows registry.
>
> Is there a way to tell the Cisco routers that it's OK
> to fragment the AH-encrypted packets, the DF-flag on the
> unencrypted traffic notwithstanding? I'd rather not have
> to make changes to user desktops. What do other people
> that use these routers do?
>
> -jim warner, UC Santa Cruz
>
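
Added example, not part of either message above: a small Python model of what the `crypto ipsec df-bit` modes do to an inner packet that carries the DF flag, and why clamping the TCP MSS sidesteps the black hole Jim describes. It assumes a 1500-byte Ethernet MTU and the roughly 40 bytes of IPsec overhead mentioned in the thread; the packets are constructed headers, not captures.

```python
# Model of DF-bit handling on an IPsec site-to-site tunnel (illustrative, not IOS code).
import struct

ETH_MTU = 1500          # outbound Ethernet MTU (assumption)
IPSEC_OVERHEAD = 40     # tunnel MTU is ~40 bytes below Ethernet, per the thread
TUNNEL_MTU = ETH_MTU - IPSEC_OVERHEAD
DF = 0x4000             # Don't Fragment bit in the IPv4 flags/fragment-offset word

def build_ipv4(total_len: int, df: bool) -> bytes:
    """Constructed minimal IPv4 packet (header + zero payload, checksum left 0)."""
    flags_frag = DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, 6, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + b"\x00" * (total_len - 20)

def has_df(pkt: bytes) -> bool:
    """Read the DF bit from the inner IPv4 header."""
    return bool(struct.unpack("!H", pkt[6:8])[0] & DF)

def outer_df(inner: bytes, mode: str) -> bool:
    """DF bit the router places on the outer (encapsulating) header for each df-bit mode."""
    if mode == "copy":      # default behaviour: inherit the inner DF bit
        return has_df(inner)
    if mode == "set":
        return True
    if mode == "clear":     # the override Stephen points at
        return False
    raise ValueError(f"unknown df-bit mode: {mode}")

def tunnel_disposition(inner: bytes, mode: str) -> str:
    """What happens to an inner packet at the tunnel head end.
    'forward'  : fits after encapsulation
    'fragment' : outer DF is clear, so the encrypted packet is fragmented en route
    'drop'     : outer DF is set; an ICMP fragmentation-needed goes back to the sender,
                 and if that ICMP is filtered the flow black-holes (the thread's problem)."""
    encapsulated = len(inner) + IPSEC_OVERHEAD
    if encapsulated <= ETH_MTU:
        return "forward"
    return "drop" if outer_df(inner, mode) else "fragment"

def clamped_mss(tunnel_mtu: int = TUNNEL_MTU) -> int:
    """TCP MSS (IP 20 + TCP 20 bytes removed) that keeps full segments inside the tunnel,
    i.e. the per-host registry tweak Jim wants to avoid, expressed as arithmetic."""
    return tunnel_mtu - 40
```

With `copy` a full-size DF packet is dropped and depends on ICMP reaching the sender; with `clear` the same packet is fragmented after encryption and reassembled by the peer before decryption.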




This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:49 EDT