[c-nsp] PPTP VPN Through VTI IPSEC Tunnel

Michael Balasko Michael.Balasko at cityofhenderson.com
Tue Aug 29 18:48:01 EDT 2006


I was wondering if anyone here has configured a PPTP VPN through an IPSEC
tunnel? 
The long and short of it is, I am trying to haul PPTP protected traffic
through an IPSEC tunnel. The network layout from the perspective of the
client laptop is as follows. 
Client, Aironet 1230AP, 3550 Switch, 2811 router with a VTI tunnel to a
7206. The 7206 has an interface connected* to a pix to which a pair of
7140 VPN concentrators sit. 
The client connects to the 7140s and once they do the laptops just hang
at "applying system settings" for about 5 minutes at which point I'm
assuming it times out and continues the logon to the laptop. 

The fun part is that if I do not use the tunnels and just use a vlan to
haul the traffic, life is peachy and everything works. This reeks of an
MTU/fragmentation issue, but I have tuned the MTU as low as 1K and it
still acts broken (IP MTU 1040, ip tcp adjust-mss 1000). With the device
connected this way I am still able to ping as large as 1372 so I feel
reasonably confident that 1K is plenty low. The tunnel is traveling over
ethernet.

I have done the full court press using these guides,

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

And

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

And

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#tunnelup


I have done so much tweaking that my notes are getting fuzzy, but I
swore that at one time I tweaked the MTU on the end device down (Windows
XP laptop) and it all worked, but I'm beginning to doubt that as well
now. I'm going to retry that experiment.  I hope that I've explained
enough to help as there are a metric load of details I left out for
brevity. Any pointers would be appreciated. 




Michael


