[c-nsp] Ping-test across an IPSec VPN
Jim Nelson
jimn at natr.com
Thu Sep 1 10:19:40 EDT 2005
Scenario: There are two routers that share a VPN across an inter-city
VLAN. The routers will ping across the VLAN link without dropping any
packets, no matter the size of the payload. However, they will drop a
few packets, which have 1300 byte payload, across the GRE tunnel
interfaces (3-4 out of one hundred). The crypto map encrypts all GRE
packets.
+++++++
Router1 (3745 with an AIM-VPN/HPII-PLUS)
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key <secret> address 10.192.1.18
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 10.192.1.18
set transform-set strong
match address VPN10
!
interface Tunnel10
ip address 10.192.1.21 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 10.192.1.17
tunnel destination 10.192.1.18
crypto map vpn
!
interface FastEthernet2/0
description City VLAN to spkcr02
ip address 10.192.1.17 255.255.255.252
ip access-group CVLAN-IN in
duplex auto
speed auto
crypto map vpn
!
ip access-list extended VPN10
permit gre host 10.192.1.17 host 10.192.1.18
Router2 (3660 with a Virtual Private Network (VPN) Module - an older
AIM/HP card)
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key <secret> address 10.192.1.17
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 10.192.1.17
set transform-set strong
match address VPN10
!
interface Tunnel10
description City VLAN
ip address 10.192.1.22 255.255.255.252
ip mtu 1400
tunnel source 10.192.1.18
tunnel destination 10.192.1.17
crypto map vpn
!
interface FastEthernet0/1
description City VLAN to precr01 fas 2/0
ip address 10.192.1.18 255.255.255.252
ip access-group CVLAN-IN in
duplex auto
speed auto
crypto map vpn
!
ip access-list extended VPN10
permit gre host 10.192.1.18 host 10.192.1.17
+++++++
The inter-city VLAN is a 10Mbps link. Router1 is running IOS 12.3(15a),
and Router2, 12.2(27). Any ideas?
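An added byte-budget calculator (not code from the post) for the configuration above: it walks an inner packet through the tunnel's ip mtu check, GRE encapsulation and ESP transport mode with esp-3des esp-sha-hmac, and generalizes the 1300-byte ping case to any inner packet size. It assumes a bare 4-byte GRE header, an 8-byte 3DES IV and padding block, a 12-byte truncated SHA-1 ICV and a 1500-byte FastEthernet MTU.

```python
# Constructed example, not code from the original post: a byte-budget
# calculator for the GRE-over-IPsec path above. It follows the IOS order
# (tunnel 'ip mtu' check, GRE encapsulation, then ESP transport mode with
# esp-3des esp-sha-hmac) so each stage's size can be checked against MTUs.
IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20
GRE_HDR = 4            # bare GRE, no key/sequence/checksum fields
ESP_HDR = 8            # SPI + sequence number
ESP_IV = 8             # 3DES-CBC block size, also the padding boundary
ESP_TRAILER = 2        # pad length + next header
ESP_ICV = 12           # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits
TUNNEL_IP_MTU = 1400   # 'ip mtu 1400' on Tunnel10
LINK_MTU = 1500        # assumed FastEthernet MTU toward the inter-city VLAN

def esp_transport_size(ip_payload_len):
    """IP payload length after ESP transport mode wraps ip_payload_len bytes;
    padding lifts payload + trailer to a multiple of the cipher block."""
    pad = (-(ip_payload_len + ESP_TRAILER)) % ESP_IV
    return ESP_HDR + ESP_IV + ip_payload_len + pad + ESP_TRAILER + ESP_ICV

def gre_ipsec_budget(inner_ip_len):
    """Sizes of an inner IP packet at each stage of Tunnel10 + crypto map.
    Transport mode reuses the GRE packet's IP header as the outer header,
    so ESP wraps only GRE header + inner packet (or its largest fragment)."""
    pre_fragment = inner_ip_len > TUNNEL_IP_MTU   # IOS fragments before GRE
    piece = min(inner_ip_len, TUNNEL_IP_MTU)
    gre_ip_payload = GRE_HDR + piece
    on_wire = IP_HDR + esp_transport_size(gre_ip_payload)
    return {
        "pre_fragment": pre_fragment,
        "gre_packet": IP_HDR + gre_ip_payload,
        "on_wire": on_wire,
        "post_fragment": on_wire > LINK_MTU,      # ESP packet itself would split
    }

def icmp_packet(payload_len):
    """Inner IP length of an ICMP echo carrying payload_len data bytes."""
    return IP_HDR + ICMP_HDR + payload_len

def tcp_packet(mss):
    """Inner IP length of a full-size TCP segment (mss=1360 from adjust-mss)."""
    return IP_HDR + TCP_HDR + mss

def max_clean_icmp_payload():
    """Largest ping payload that crosses both encapsulations unfragmented."""
    return max(p for p in range(LINK_MTU)
               if not any(gre_ipsec_budget(icmp_packet(p))[k]
                          for k in ("pre_fragment", "post_fragment")))
```

For the 1300-byte pings in the post the inner packet is 1328 bytes, 1352 after GRE and 1384 on the wire, well under 1500; a full adjust-mss segment fills the 1400-byte tunnel MTU exactly and leaves the crypto engine at 1456 bytes.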