[c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
Mark Kent
mark at noc.mainstreet.net
Tue Jan 6 21:45:04 EST 2009
I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2
running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7. I've got them
back-to-back, configured as shown below.
With a single file transfer (tcp) through the boxes I am able to jam
the processor at 99%/96%, which tells me I must be missing something.
I checked and the "ip tcp adjust-mss 1360" is working, so it is not
fragmentation that is the culprit. I do get about 35Mbs throughput,
but I'm bugged that the main cpu is jammed. I did check "sh cry eng
acc stat" and see that the HW module is being used, but I would have
thought that the actual 2811 cpu would be only modestly busy.
Am I missing anything here?
Thanks,
-mark
---
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 300
!
crypto isakmp key foo address 10.10.10.2 no-xauth
!
crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
!
crypto map GREVPN local-address FastEthernet0/0
!
ip access-list extended TUNNEL
permit gre host 10.10.10.1 host 10.10.10.2
!
crypto map GREVPN 20 ipsec-isakmp
set peer 10.10.10.2
set transform-set GREVPN
match address TUNNEL
!
interface Tunnel0
ip address 192.0.2.1 255.255.255.252
ip mtu 1476
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel destination 10.10.10.2
!
interface FastEthernet0/0
description x-conn to other 2811
ip address 10.10.10.1 255.255.255.252
crypto map GREVPN
crypto ipsec fragmentation before-encryption
!
interface FastEthernet0/1
ip address <test1 network, test2 is on other 2811>
!
ip route <test2 network> 192.0.2.2
---
2811-expt-TWO#sh cry engine acc stat
Device: AIM-VPN/SSL-2
Location: AIM Slot: 0
Virtual Private Network (VPN) Module in slot : 0
Statistics for Hardware VPN Module since the last clear
of counters 42 seconds ago
126270 packets in 126270 packets out
127941213 bytes in 124977694 bytes out
3006 paks/sec in 3006 paks/sec out
23865 Kbits/sec in 23312 Kbits/sec out
42555 packets decrypted 83715 packets encrypted
5854456 bytes before decrypt 119123238 bytes encrypted
2790517 bytes decrypted 125150696 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
4 commands out 4 commands acknowledged
Last 5 minutes:
53276 packets in 53276 packets out
1268 paks/sec in 1268 paks/sec out
10792372 bits/sec in 10542446 bits/sec out
1178581 bytes decrypted 50240550 bytes encrypted
235716 Kbits/sec decrypted 10048110 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
Errors:
ppq full errors : 0 ppq rx errors : 0
cmdq full errors : 0 cmdq rx errors : 0
ppq down errors : 0 cmdq down errors : 0
no buffer : 0 replay errors : 0
dest overflow : 0 authentication errors : 0
Other error : 0 Raw Input Underrun : 0
IPSEC Unsupported Option: 0 IPV4 Header Length : 0
ESP Pad Length : 0 IPSEC Decompression : 0
AH ESP seq mismatch : 0 AH Header Length : 0
AH ICV Incorrect : 0 IPCOMP CPI Mismatch : 0
IPSEC ESP Modulo : 0 Unexpected IPV6 Extensio: 0
Unexpected Protocol : 0 Dest Buf overflow : 0
IPSEC Pkt is fragment : 0 IPSEC Pkt src count : 0
Invalid IP Version : 0 Unwrappable : 0
SSL Output overrun : 0 SSL Decompress failure : 0
SSL BAD Decomp History : 0 SSL Version Mismatch : 0
SSL Input overrun : 0 SSL Conn Modulo : 0
SSL Input Underrun : 0 SSL Connection closed : 0
SSL Unrecognised content: 0 SSL record header length: 0
PPTP Duplicate packet : 0 PPTP Exceed max missed p: 0
RNG self test fail : 0 DF Bit set : 0
Hash Miscompare : 0 Unwrappable object : 0
Missing attribute : 0 Invalid attrribute value: 0
Bad Attribute : 0 Verification Fail : 0
Decrypt Failure : 0 Invalid Packet : 0
Invalid Key : 0 Input Overrun : 0
Input Underrun : 0 Output buffer overrun : 0
Bad handle value : 0 Invalid parameter : 0
Bad function code : 0 Out of handles : 0
Access denied : 0 Out of memory : 0
NR overflow : 0 pkts dropped : 0
Warnings:
sessions_expired : 0 packets_fragmented : 0
general: : 0
HSP details:
hsp_operations : 35231 hsp_sessions : 3
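To check the MTU/MSS arithmetic behind the "ip mtu 1476" and "ip tcp adjust-mss 1360" lines for this GRE-over-IPsec setup (esp-aes esp-sha-hmac, tunnel mode), here is an added Python example that is not part of the original post. It assumes standard header sizes with no IP or TCP options, plain GRE without key/sequence/checksum fields, AES-CBC with a 16-byte IV and HMAC-SHA1-96, and it cross-checks the result against the encryption counters quoted above.

```python
import math
import re
# Header sizes (bytes) for the chain in the post: TCP/IP -> GRE/IP -> tunnel-mode ESP.
IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # plain GRE: no key, sequence or checksum fields (assumed)
ESP_HDR = 8          # SPI + sequence number
AES_BLOCK = 16       # esp-aes: CBC IV length and padding granularity
ESP_TRAILER = 2      # pad-length + next-header bytes
SHA1_ICV = 12        # esp-sha-hmac: truncated HMAC-SHA1-96 ICV

def gre_ip_mtu(link_mtu=1500):
    """Largest inner IP packet that fits a GRE/IP packet of link_mtu bytes."""
    return link_mtu - IP_HDR - GRE_HDR              # 1500 -> 1476, as configured

def esp_tunnel_size(inner_len):
    """Outer packet size after tunnel-mode ESP with AES-CBC and HMAC-SHA1-96."""
    padded = math.ceil((inner_len + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + AES_BLOCK + padded + SHA1_ICV

def gre_packet_size(mss):
    """Size of a full-MSS TCP segment once wrapped in GRE/IP (before encryption)."""
    return IP_HDR + GRE_HDR + IP_HDR + TCP_HDR + mss

def encrypted_size(mss):
    """Bytes on the wire for a full-MSS segment after GRE and ESP."""
    return esp_tunnel_size(gre_packet_size(mss))

def mss_fits(mss, link_mtu=1500):
    """True if the segment clears the physical MTU without fragmentation."""
    return encrypted_size(mss) <= link_mtu

def average_packet_sizes(show_output):
    """Average bytes per packet entering and leaving the AIM for encryption."""
    pkts = int(re.search(r"(\d+) packets encrypted", show_output).group(1))
    before = int(re.search(r"(\d+) bytes encrypted", show_output).group(1))
    after = int(re.search(r"(\d+) bytes after encrypt", show_output).group(1))
    return before / pkts, after / pkts

# Constructed excerpt: counters copied from the post's "sh cry engine acc stat" output.
SHOW_CRY = """42555 packets decrypted 83715 packets encrypted
5854456 bytes before decrypt 119123238 bytes encrypted
2790517 bytes decrypted 125150696 bytes after encrypt"""

if __name__ == "__main__":
    for mss in (1360, 1380, 1436):
        print(f"mss {mss}: GRE {gre_packet_size(mss)} -> ESP {encrypted_size(mss)}"
              f" {'fits' if mss_fits(mss) else 'FRAGMENTS'}")
    print("AIM average pre/post encrypt bytes: %.1f / %.1f" % average_packet_sizes(SHOW_CRY))
```

With MSS 1360 a full segment becomes a 1424-byte GRE packet and a 1496-byte ESP packet, so it clears a 1500-byte link with 4 bytes to spare, while 1380 or the tunnel default of 1436 would not. The post's own counters average about 1423 bytes in and 1495 bytes out per encrypted packet, which matches a stream of full-MSS segments and supports the observation that adjust-mss is taking effect.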