[c-nsp] VPN - MTU Issue

Rodney Dunn rodunn at cisco.com
Tue Apr 11 14:58:58 EDT 2006


Paul,

The easiest way to do it is on all your tunnel interfaces
configure "ip tcp adjust-mss" for the tcp traffic.

For UDP you have to set the "ip mtu" down on the tunnel
low enough to allow for all the encapsulation overhead
that will come (gre, ipsec, pppox).

Try "ip mtu 1300" on the tunnel. I think that should be enough.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

You have tcp adjust-mss configured so if you are doing TCP
make sure you set it down low enough too.

Rodney


On Tue, Apr 11, 2006 at 02:12:32PM -0400, Paul Stewart wrote:
> Hi there....
> 
> I don't do many VPNs but we recently setup three VPNs back to a
> central location (hub and spoke).  The hub location and one of the
> spokes works great as they are straight ethernet connectivity via fiber.
> Two of the other locations are PPPOE based DSL service.  I'm trying to
> find out how and what to set the MTU to on these remote sites.... The
> network people are telling me that they want to use windows domain login
> etc. across the VPN link and it's working at one location and not the
> two others even though the tunnels are up and working.... 
> 
> I presume this is MTU related so did some extended ping tests and
> identified 1428 is the maximum packet size without fragmentation.. Is
> this the correct way to size the tunnel?  This is using GRE over IpSec.
> 
> When I try to set the size on the tunnel I get this:
> 
> xxxxxx(config-if)#mtu 1428
> % Interface Tunnel0 does not support adjustable maximum datagram size
> 
> Below is the entire config of one of the spoke sites that doesn't work,
> what do I size where? ;)
> 
> Paul Stewart
> IP Routing/Switching
> Nexicom Inc.
> http://www.nexicom.net/ 
> 
> 
> Current configuration : 4304 bytes
> !
> ! Last configuration change at 14:07:03 EDT Tue Apr 11 2006 by admin
> ! NVRAM config last updated at 13:26:01 EDT Tue Apr 11 2006 by admin
> !
> version 12.3
> no parser cache
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime localtime
> service timestamps log datetime localtime
> service password-encryption
> !
> hostname XXXXXX
> !
> boot-start-marker
> boot system flash
> boot system flash c806-k9osy6-mz.123-18.bin
> boot-end-marker
> !
> no logging rate-limit
> enable secret 5 XXXXXXXXXXXXXXXXXXX
> !
> clock timezone EST -5
> clock summer-time EDT recurring
> no aaa new-model
> ip subnet-zero
> ip domain name nexicom.net
> ip name-server 192.168.2.2
> !
> ip dhcp pool LAN
>    network 192.168.250.0 255.255.255.0
>    default-router 192.168.250.1
>    dns-server 192.168.2.2
>    netbios-name-server 192.168.2.3
> !
> no ip bootp server
> ip cef
> vpdn enable
> !
> vpdn-group 1
>  request-dialin
>   protocol pppoe
> !
> !
> username admin password 7 XXXXXXXXXX
> !
> !
> !
> crypto isakmp policy 10
>  encr aes 256
>  authentication pre-share
> crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
> crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
> crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
> !
> !
> crypto ipsec transform-set ts1 ah-sha-hmac esp-aes 256
> !
> crypto ipsec profile VPN
>  set transform-set ts1
> !
> !
> !
> !
> interface Loopback0
>  no ip address
> !
> interface Tunnel0
>  description XXXXXXXXXXXXXXX
>  ip address 172.16.1.6 255.255.255.252
>  tunnel source Dialer1
>  tunnel destination XXX.XXX.XXX.XXX
>  tunnel protection ipsec profile VPN
> !
> interface Tunnel1
>  description XXXXXXXXXXXXXXX
>  ip address 172.16.1.10 255.255.255.252
>  tunnel source Dialer1
>  tunnel destination XXX.XXX.XXX.XXX
>  tunnel protection ipsec profile VPN
> !
> interface Tunnel2
>  description XXXXXXXXXXXXXXXX
>  ip address 172.16.1.21 255.255.255.252
>  tunnel source Dialer1
>  tunnel destination XXX.XXX.XXX.XXX
>  tunnel protection ipsec profile VPN
> !
> interface Ethernet0
>  description Local Subnet
>  ip address 192.168.250.1 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip accounting access-violations
>  ip nat inside
>  ip tcp adjust-mss 1412
>  no cdp enable
>  hold-queue 32 in
>  hold-queue 100 out
> !
> interface Ethernet1
>  description Nexicom Turbo
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip accounting access-violations
>  ip tcp adjust-mss 1412
>  pppoe enable
>  pppoe-client dial-pool-number 1
>  no cdp enable
> !
> interface Dialer0
>  no ip address
>  no cdp enable
> !
> interface Dialer1
>  ip address negotiated
>  ip mtu 1452
>  ip nat outside
>  encapsulation ppp
>  ip route-cache flow
>  dialer pool 1
>  dialer-group 1
>  no cdp enable
>  ppp authentication pap callin
>  ppp pap sent-username XXXXXXXXXXXX password 7 XXXXXXXXXXXXXXX
>  ppp ipcp dns request
> !
> ip nat inside source list 105 interface Dialer1 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> ip route 10.10.10.0 255.255.255.0 Tunnel1
> ip route 192.168.0.0 255.255.255.0 Tunnel2
> ip route 192.168.2.0 255.255.255.0 Tunnel0
> no ip http server
> no ip http secure-server
> !
> !
> ip access-list extended VPN
>  permit ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
> logging trap debugging
> logging facility local6
> logging source-interface Loopback0
> logging XXX.XXX.XXX.XXX
> access-list 1 permit XXX.XXX.XXX.XXX
> access-list 15 permit XXX.XXX.XXX.XXX log
> access-list 105 deny   ip 192.168.250.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 105 permit ip 192.168.250.0 0.0.0.255 any
> dialer-list 1 protocol ip permit
> no cdp run
> snmp-server community XXXXXXXXX RW 1
> snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
> snmp-server enable traps tty
> snmp-server enable traps pppoe
> !
> line con 0
>  exec-timeout 120 0
>  transport output all
>  stopbits 1
> line vty 0 4
>  access-class 15 in
>  exec-timeout 120 0
>  privilege level 15
>  password 7 XXXXXXXXXXXXXXXX
>  login local
>  transport input ssh
>  transport output all
> !
> scheduler max-task-time 5000
> ntp clock-period 17168633
> ntp peer 18.72.0.3
> ntp peer 192.203.230.10
> ntp peer 129.6.16.36
> ntp peer 192.5.41.209 prefer
> end
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
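The encapsulation budget Rodney describes, worked out as an added example (constructed for this thread, not Cisco code and not posted by either Rodney or Paul). It assumes what the posted config implies but does not state: IPsec tunnel mode (the transform set has no "mode transport"), AES-CBC for esp-aes 256 with a 16-byte IV and block padding, HMAC-SHA1-96 for ah-sha-hmac (24-byte AH, no ESP ICV), a bare GRE header with no key/sequence/checksum, IPv4 and TCP without options, and the Dialer1 "ip mtu 1452" from the config as the egress bound. The existing "ip tcp adjust-mss 1412" in the config is 1452 - 40, i.e. it is sized for the dialer, not for the tunnel, which is the "set it down low enough too" point.

```python
"""MTU budget for GRE over IPsec (esp-aes + ah-sha-hmac) leaving via a PPPoE dialer.

Constructed example, not from the thread or from Cisco. Assumptions (see lead-in):
tunnel mode, AES-CBC, HMAC-SHA1-96, bare GRE header, IPv4/TCP without options.
"""
import math

IPV4_HDR = 20          # IPv4 header without options
TCP_HDR = 20           # TCP header without options
GRE_HDR = 4            # RFC 2784 base GRE header (no key/sequence/checksum)
ESP_HDR = 8            # SPI + sequence number
ESP_IV = 16            # AES-CBC IV
ESP_TRAILER = 2        # pad length + next header
AES_BLOCK = 16         # CBC padding granularity
AH_HDR = 24            # 12 fixed bytes + 12-byte HMAC-SHA1-96 ICV
ESP_ICV = 12           # only present for esp-*-hmac transforms, not with ah-sha-hmac


def gre_ipsec_size(inner_len, tunnel_mode=True, ah=True, esp_auth=False):
    """Bytes at the IP layer (before PPP/PPPoE) for an inner IP packet of inner_len
    bytes after GRE encapsulation and IPsec protection. In tunnel mode the whole
    GRE/IP packet is the ESP payload and a fresh outer IP header is added; in
    transport mode the GRE delivery header stays outside ESP."""
    protected = GRE_HDR + inner_len + (IPV4_HDR if tunnel_mode else 0)
    # CBC: (payload + pad length + next header) is padded up to a block multiple
    padded = math.ceil((protected + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return (IPV4_HDR + (AH_HDR if ah else 0) + ESP_HDR + ESP_IV + padded
            + (ESP_ICV if esp_auth else 0))


def max_inner_mtu(egress_ip_mtu, **kw):
    """Largest tunnel 'ip mtu' such that no encapsulated packet exceeds the egress
    interface's IP MTU, i.e. nothing has to be fragmented after encryption."""
    n = egress_ip_mtu
    while n > 0 and gre_ipsec_size(n, **kw) > egress_ip_mtu:
        n -= 1
    return n


def tcp_mss_for(ip_mtu):
    """'ip tcp adjust-mss' value that matches a given interface IP MTU."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def tunnel_plan(egress_ip_mtu, margin=0, **kw):
    """Tunnel-interface settings to configure. 'margin' leaves room for
    encapsulation the model does not know about (e.g. GRE key/sequence options)."""
    ip_mtu = max_inner_mtu(egress_ip_mtu, **kw) - margin
    return {"ip mtu": ip_mtu, "ip tcp adjust-mss": tcp_mss_for(ip_mtu)}


if __name__ == "__main__":
    DIALER_IP_MTU = 1452   # 'ip mtu 1452' on Dialer1 in the posted config
    for inner in (1428, 1351, 1350, 1300):
        wire = gre_ipsec_size(inner)
        verdict = "fits" if wire <= DIALER_IP_MTU else "exceeds dialer MTU"
        print(f"inner {inner:4d} -> on the wire {wire:4d}  {verdict}")
    print("largest safe tunnel ip mtu:", max_inner_mtu(DIALER_IP_MTU))
    print("with 50 bytes of margin:", tunnel_plan(DIALER_IP_MTU, margin=50))
```

Under these assumptions a 1428-byte inner packet (the value Paul tried to set) comes out at 1524 bytes after GRE + AH + ESP, well over the dialer's 1452, while 1350 is the largest inner size that fits and 1300 leaves about 50 bytes of headroom, which is why "ip mtu 1300" plus "ip tcp adjust-mss 1260" on the tunnels is a comfortable setting. Note that "mtu" is not settable on a Tunnel interface in that IOS (the error Paul saw); "ip mtu" is. The MSS clamp only rewrites TCP SYNs crossing the tunnel; UDP has no MSS to clamp, so for UDP the tunnel "ip mtu" is the only control, which is Rodney's point.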
