[c-nsp] VPN - MTU Issue
Paul Stewart
pstewart at nexicomgroup.net
Tue Apr 11 14:12:32 EDT 2006
Hi there....
I don't do many VPNs but we recently set up three VPNs back to a
central location (hub and spoke). The hub location and one of the
spokes works great as they are straight ethernet connectivity via fiber.
Two of the other locations are PPPoE based DSL service. I'm trying to
find out how and what to set the MTU to on these remote sites.... The
network people are telling me that they want to use windows domain login
etc. across the VPN link and it's working at one location and not the
two others even though the tunnels are up and working....
I presume this is MTU related so did some extended ping tests and
identified 1428 is the maximum packet size without fragmentation. Is
this the correct way to size the tunnel? This is using GRE over IPsec.
When I try to set the size on the tunnel I get this:
xxxxxx(config-if)#mtu 1428
% Interface Tunnel0 does not support adjustable maximum datagram size
Below is the entire config of one of the spoke sites that doesn't work,
what do I size where? ;)
Paul Stewart
IP Routing/Switching
Nexicom Inc.
http://www.nexicom.net/
Current configuration : 4304 bytes
!
! Last configuration change at 14:07:03 EDT Tue Apr 11 2006 by admin
! NVRAM config last updated at 13:26:01 EDT Tue Apr 11 2006 by admin
!
version 12.3
no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot system flash
boot system flash c806-k9osy6-mz.123-18.bin
boot-end-marker
!
no logging rate-limit
enable secret 5 XXXXXXXXXXXXXXXXXXX
!
clock timezone EST -5
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
ip domain name nexicom.net
ip name-server 192.168.2.2
!
ip dhcp pool LAN
network 192.168.250.0 255.255.255.0
default-router 192.168.250.1
dns-server 192.168.2.2
netbios-name-server 192.168.2.3
!
no ip bootp server
ip cef
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
username admin password 7 XXXXXXXXXX
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set ts1 ah-sha-hmac esp-aes 256
!
crypto ipsec profile VPN
set transform-set ts1
!
!
!
!
interface Loopback0
no ip address
!
interface Tunnel0
description XXXXXXXXXXXXXXX
ip address 172.16.1.6 255.255.255.252
tunnel source Dialer1
tunnel destination XXX.XXX.XXX.XXX
tunnel protection ipsec profile VPN
!
interface Tunnel1
description XXXXXXXXXXXXXXX
ip address 172.16.1.10 255.255.255.252
tunnel source Dialer1
tunnel destination XXX.XXX.XXX.XXX
tunnel protection ipsec profile VPN
!
interface Tunnel2
description XXXXXXXXXXXXXXXX
ip address 172.16.1.21 255.255.255.252
tunnel source Dialer1
tunnel destination XXX.XXX.XXX.XXX
tunnel protection ipsec profile VPN
!
interface Ethernet0
description Local Subnet
ip address 192.168.250.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat inside
ip tcp adjust-mss 1412
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
description Nexicom Turbo
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip tcp adjust-mss 1412
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username XXXXXXXXXXXX password 7 XXXXXXXXXXXXXXX
ppp ipcp dns request
!
ip nat inside source list 105 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 Tunnel1
ip route 192.168.0.0 255.255.255.0 Tunnel2
ip route 192.168.2.0 255.255.255.0 Tunnel0
no ip http server
no ip http secure-server
!
!
ip access-list extended VPN
permit ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
logging trap debugging
logging facility local6
logging source-interface Loopback0
logging XXX.XXX.XXX.XXX
access-list 1 permit XXX.XXX.XXX.XXX
access-list 15 permit XXX.XXX.XXX.XXX log
access-list 105 deny ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.250.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
snmp-server community XXXXXXXXX RW 1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps pppoe
!
line con 0
exec-timeout 120 0
transport output all
stopbits 1
line vty 0 4
access-class 15 in
exec-timeout 120 0
privilege level 15
password 7 XXXXXXXXXXXXXXXX
login local
transport input ssh
transport output all
!
scheduler max-task-time 5000
ntp clock-period 17168633
ntp peer 18.72.0.3
ntp peer 192.203.230.10
ntp peer 129.6.16.36
ntp peer 192.5.41.209 prefer
end
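The error at the `mtu 1428` prompt is expected on IOS: a Tunnel interface's layer-2 `mtu` is fixed, and the knob that controls fragmentation of packets entering the tunnel is `ip mtu` on the Tunnel interface, with `ip tcp adjust-mss` clamping TCP sessions to fit inside it. The value depends on how much the encapsulation adds: PPPoE takes 8 bytes off the 1500-byte Ethernet frame, GRE adds a 20-byte delivery header plus a 4-byte GRE header, and the posted transform set (`ah-sha-hmac esp-aes 256`, tunnel mode by default with `tunnel protection`) adds an outer IP header, AH, the ESP header and AES IV, and block padding. The script below is an added example, not part of the original post or of any Cisco tool; it computes the worst-case encapsulated size from the standard header sizes and searches for the largest tunnel `ip mtu` that never exceeds the source link's IP MTU. The two path MTUs it is run with are assumptions: 1492 is what a PPPoE link normally carries, and 1452 is what the posted Dialer1 is configured for.

```python
"""Added example: size 'ip mtu' and 'ip tcp adjust-mss' for a GRE-over-IPsec
tunnel riding a PPPoE link.  Header sizes are the standard protocol values;
the transform set is parsed in the spelling IOS uses.  Path MTUs and the
transform set passed in are the caller's assumptions, not measured data."""

IP_HEADER = 20
GRE_HEADER = 4          # GRE without key or sequence options, as in the posted tunnels
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
TCP_IP_HEADERS = 40     # 20-byte IP + 20-byte TCP; MSS excludes both

# ESP cipher -> (IV length, cipher block size); ICVs are 96-bit truncations
ESP_CIPHERS = {"esp-aes": (16, 16), "esp-3des": (8, 8), "esp-des": (8, 8)}
ESP_AUTH = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}
AH_AUTH = {"ah-sha-hmac": 24, "ah-md5-hmac": 24}     # 12-byte AH header + 12-byte ICV


def parse_transform_set(transform: str) -> dict:
    """Per-packet overhead components of an IOS transform-set string."""
    p = {"ah": 0, "esp_hdr": 0, "iv": 0, "block": 1, "esp_icv": 0, "trailer": 0}
    for tok in transform.split():
        if tok in AH_AUTH:
            p["ah"] = AH_AUTH[tok]
        elif tok in ESP_CIPHERS:
            iv, block = ESP_CIPHERS[tok]
            # SPI + sequence number in front; pad-length + next-header behind
            p.update(esp_hdr=8, iv=iv, block=block, trailer=2)
        elif tok in ESP_AUTH:
            p["esp_icv"] = ESP_AUTH[tok]
        elif tok.isdigit():          # key length, e.g. the 256 in 'esp-aes 256'
            continue
        else:
            raise ValueError(f"unknown transform {tok!r}")
    if p["esp_icv"] and not p["esp_hdr"]:   # authentication-only ESP (esp-null-like)
        p.update(esp_hdr=8, trailer=2, block=4)
    return p


def encapsulated_size(inner_len: int, transform: str, mode: str = "tunnel") -> int:
    """Wire size (IP layer) of a GRE-over-IPsec packet carrying an inner_len-byte
    IP packet, counting the worst case of ESP block padding."""
    p = parse_transform_set(transform)
    gre_pkt = IP_HEADER + GRE_HEADER + inner_len      # GRE delivery packet
    if mode == "tunnel":
        protected, outer = gre_pkt, IP_HEADER          # whole GRE packet inside a new IP header
    elif mode == "transport":
        protected, outer = gre_pkt - IP_HEADER, IP_HEADER   # GRE delivery header is reused
    else:
        raise ValueError(mode)
    if p["esp_hdr"]:
        # plaintext plus the 2-byte trailer, padded up to the cipher block size
        blk = p["block"]
        encrypted = (protected + p["trailer"] + blk - 1) // blk * blk
    else:
        encrypted = protected
    return outer + p["ah"] + p["esp_hdr"] + p["iv"] + encrypted + p["esp_icv"]


def tunnel_ip_mtu(path_mtu: int, transform: str, mode: str = "tunnel") -> int:
    """Largest 'ip mtu' for the Tunnel interface such that no encapsulated
    packet exceeds path_mtu, the IP MTU of the tunnel source link."""
    mtu = path_mtu
    while encapsulated_size(mtu, transform, mode) > path_mtu:
        mtu -= 1
    return mtu


def tcp_adjust_mss(ip_mtu: int) -> int:
    """MSS clamp that fits a full-size segment inside ip_mtu."""
    return ip_mtu - TCP_IP_HEADERS


def recommend(path_mtu: int, transform: str, mode: str = "tunnel") -> dict:
    mtu = tunnel_ip_mtu(path_mtu, transform, mode)
    return {"ip mtu": mtu, "ip tcp adjust-mss": tcp_adjust_mss(mtu)}


if __name__ == "__main__":
    # Constructed inputs: the transform set from the posted config and two
    # candidate source-link MTUs (1500 - 8 for PPPoE, and the 1452 on Dialer1).
    ts = "ah-sha-hmac esp-aes 256"
    for path in (1500 - PPPOE_OVERHEAD, 1452):
        r = recommend(path, ts)
        print(f"path MTU {path}: interface Tunnel0 / ip mtu {r['ip mtu']}"
              f" / ip tcp adjust-mss {r['ip tcp adjust-mss']}")
```

For the posted transform set on a 1492-byte PPPoE path this yields `ip mtu 1398` and `ip tcp adjust-mss 1358`; against the 1452 configured on Dialer1 it drops to 1350/1310. The commonly quoted 1400/1360 pair is two bytes too large for this transform set on PPPoE because AH and the AES block padding both count, so the check to run after applying the values is an extended ping across the tunnel with the DF bit set at exactly the chosen `ip mtu`, then one byte more.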