[c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
Church, Charles
cchurc05 at harris.com
Tue Jan 6 22:55:42 EST 2009
Do you really need the GRE? I'm guessing that is the issue; I don't think
the accelerator will handle that.
Chuck
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Kent
Sent: Tuesday, January 06, 2009 9:45 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
I'm experimenting with a pair of Cisco 2811s with the AIM-VPN/SSL-2
running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7. I've got them
back-to-back, configured as shown below.
With a single file transfer (tcp) through the boxes I am able to jam
the processor at 99%/96%, which tells me I must be missing something.
I checked and the "ip tcp adjust-mss 1360" is working, so it is not
fragmentation that is the culprit. I do get about 35Mbs throughput,
but I'm bugged that the main cpu is jammed. I did check "sh cry eng
acc stat" and see that the HW module is being used, but I would have
thought that the actual 2811 cpu would be only modestly busy.
Am I missing anything here?
Thanks,
-mark
---
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 300
!
crypto isakmp key foo address 10.10.10.2 no-xauth
!
crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
!
crypto map GREVPN local-address FastEthernet0/0
!
ip access-list extended TUNNEL
permit gre host 10.10.10.1 host 10.10.10.2
!
crypto map GREVPN 20 ipsec-isakmp
set peer 10.10.10.2
set transform-set GREVPN
match address TUNNEL
!
interface Tunnel0
ip address 192.0.2.1 255.255.255.252
ip mtu 1476
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel destination 10.10.10.2
!
interface FastEthernet0/0
description x-conn to other 2811
ip address 10.10.10.1 255.255.255.252
crypto map GREVPN
crypto ipsec fragmentation before-encryption
!
interface FastEthernet0/1
ip address <test1 network, test2 is on other 2811>
!
ip route <test2 network> 192.0.2.2
---
2811-expt-TWO#sh cry engine acc stat
Device: AIM-VPN/SSL-2
Location: AIM Slot: 0
Virtual Private Network (VPN) Module in slot : 0
Statistics for Hardware VPN Module since the last clear
of counters 42 seconds ago
126270 packets in 126270 packets out
127941213 bytes in 124977694 bytes out
3006 paks/sec in 3006 paks/sec out
23865 Kbits/sec in 23312 Kbits/sec out
42555 packets decrypted 83715 packets encrypted
5854456 bytes before decrypt 119123238 bytes encrypted
2790517 bytes decrypted 125150696 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
4 commands out 4 commands acknowledged
Last 5 minutes:
53276 packets in 53276 packets out
1268 paks/sec in 1268 paks/sec out
10792372 bits/sec in 10542446 bits/sec out
1178581 bytes decrypted 50240550 bytes encrypted
235716 Kbits/sec decrypted 10048110 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
Errors:
ppq full errors : 0 ppq rx errors : 0
cmdq full errors : 0 cmdq rx errors : 0
ppq down errors : 0 cmdq down errors : 0
no buffer : 0 replay errors : 0
dest overflow : 0 authentication errors : 0
Other error : 0 Raw Input Underrun : 0
IPSEC Unsupported Option: 0 IPV4 Header Length : 0
ESP Pad Length : 0 IPSEC Decompression : 0
AH ESP seq mismatch : 0 AH Header Length : 0
AH ICV Incorrect : 0 IPCOMP CPI Mismatch : 0
IPSEC ESP Modulo : 0 Unexpected IPV6 Extensio: 0
Unexpected Protocol : 0 Dest Buf overflow : 0
IPSEC Pkt is fragment : 0 IPSEC Pkt src count : 0
Invalid IP Version : 0 Unwrappable : 0
SSL Output overrun : 0 SSL Decompress failure : 0
SSL BAD Decomp History : 0 SSL Version Mismatch : 0
SSL Input overrun : 0 SSL Conn Modulo : 0
SSL Input Underrun : 0 SSL Connection closed : 0
SSL Unrecognised content: 0 SSL record header length: 0
PPTP Duplicate packet : 0 PPTP Exceed max missed p: 0
RNG self test fail : 0 DF Bit set : 0
Hash Miscompare : 0 Unwrappable object : 0
Missing attribute : 0 Invalid attrribute value: 0
Bad Attribute : 0 Verification Fail : 0
Decrypt Failure : 0 Invalid Packet : 0
Invalid Key : 0 Input Overrun : 0
Input Underrun : 0 Output buffer overrun : 0
Bad handle value : 0 Invalid parameter : 0
Bad function code : 0 Out of handles : 0
Access denied : 0 Out of memory : 0
NR overflow : 0 pkts dropped : 0
Warnings:
sessions_expired : 0 packets_fragmented : 0
general: : 0
HSP details:
hsp_operations : 35231 hsp_sessions : 3
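As an added example (not from the thread or from Cisco), a small Python parser for the "sh cry engine acc stat" counters above: it checks whether every packet the module saw was encrypted or decrypted in hardware and flags any non-zero error or warning counter. The sample input is constructed from the post's own figures re-joined onto single lines; the fragment counters are the ones to watch when adjust-mss is suspected.

```python
import re

# Constructed sample: the first block of the "sh cry engine acc stat"
# output quoted in the post, re-joined onto single lines.
SAMPLE = """\
Statistics for Hardware VPN Module since the last clear
of counters 42 seconds ago
126270 packets in 126270 packets out
127941213 bytes in 124977694 bytes out
3006 paks/sec in 3006 paks/sec out
23865 Kbits/sec in 23312 Kbits/sec out
42555 packets decrypted 83715 packets encrypted
Errors:
ppq full errors : 0 ppq rx errors : 0
no buffer : 0 replay errors : 0
IPSEC Pkt is fragment : 0 IPSEC Pkt src count : 0
Warnings:
sessions_expired : 0 packets_fragmented : 0
"""

def parse_accel_stats(text):
    """Extract the headline packet counters plus every 'name : value'
    error/warning counter from the show output."""
    stats = {}
    m = re.search(r"(\d+) seconds ago", text)
    stats["interval_s"] = int(m.group(1)) if m else None
    m = re.search(r"(\d+) packets in (\d+) packets out", text)
    stats["packets_in"], stats["packets_out"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"(\d+) packets decrypted (\d+) packets encrypted", text)
    stats["decrypted"], stats["encrypted"] = int(m.group(1)), int(m.group(2))
    # Counters sit two per line as "name : N name : N"; stay on one line so
    # section headers like "Last 5 minutes:" are not paired with the next row.
    pairs = re.findall(r"([A-Za-z_][A-Za-z0-9_ ]*?)[ \t]*:[ \t]*(\d+)", text)
    stats["counters"] = {name.strip(): int(val) for name, val in pairs}
    return stats

def assess(stats):
    """Return (all_crypto_offloaded, packets_per_second, nonzero_counters).
    If decrypted + encrypted equals packets in, the module handled every
    packet it saw; a busy main CPU then comes from work the module does not
    do (GRE encapsulation, the switching path), not from the crypto itself."""
    offloaded = stats["decrypted"] + stats["encrypted"] == stats["packets_in"]
    secs = stats["interval_s"]
    pps = stats["packets_in"] / secs if secs else None
    nonzero = {k: v for k, v in stats["counters"].items() if v}
    return offloaded, pps, nonzero

if __name__ == "__main__":
    offloaded, pps, bad = assess(parse_accel_stats(SAMPLE))
    print(f"crypto fully offloaded: {offloaded}, {pps:.0f} pkt/s through module")
    print("non-zero error/warning counters:", bad or "none")
```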