[c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
Jens S Andersen
jsa at aua.auc.dk
Wed Jan 7 02:22:38 EST 2009
Hi
Do a
show ip traffic
If Frags: keeps incrementing, try to reduce ip mtu and mss size.
Fragmented packets are reassembled by the cpu and then handed over to the
AIM for decryption.
I configure my gre/ipsec with ip mtu 1418 and adjust-mss 1300
-Jens
>I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2
>running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7. I've got them
>back-to-back, configured as shown below.
>With a single file transfer (tcp) through the boxes I am able to jam
>the processor at 99%/96%, which tells me I must be missing something.
>I checked and the "ip tcp adjust-mss 1360" is working, so it is not
>fragmentation that is the culprit. I do get about 35 Mb/s throughput,
>but I'm bugged that the main cpu is jammed. I did check "sh cry eng
>acc stat" and see that the HW module is being used, but I would have
>thought that the actual 2811 cpu would be only modestly busy.
>Am I missing anything here?
>Thanks,
>-mark
>---
> ! IKEv1 phase 1: AES, pre-shared key, DH group 5, 300 s SA lifetime
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 5
>  lifetime 300
> !
> crypto isakmp key foo address 10.10.10.2 no-xauth
> !
> ! IPsec SA: ESP with AES-CBC and HMAC-SHA1 (tunnel mode, the default)
> crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
> !
> crypto map GREVPN local-address FastEthernet0/0
> !
> ! only the GRE traffic between the two tunnel endpoints is encrypted
> ip access-list extended TUNNEL
>  permit gre host 10.10.10.1 host 10.10.10.2
> !
> crypto map GREVPN 20 ipsec-isakmp
>  set peer 10.10.10.2
>  set transform-set GREVPN
>  match address TUNNEL
> !
> ! GRE tunnel; the MTU and the MSS clamp keep TCP segments below the GRE MTU
> interface Tunnel0
>  ip address 192.0.2.1 255.255.255.252
>  ip mtu 1476
>  ip tcp adjust-mss 1360
>  tunnel source FastEthernet0/0
>  tunnel destination 10.10.10.2
> !
> ! crypto map on the physical interface that carries the GRE packets;
> ! oversized packets are fragmented before ESP encapsulation, not after
> interface FastEthernet0/0
>  description x-conn to other 2811
>  ip address 10.10.10.1 255.255.255.252
>  crypto map GREVPN
>  crypto ipsec fragmentation before-encryption
> !
> interface FastEthernet0/1
>  ip address <test1 network, test2 is on other 2811>
> !
> ip route <test2 network> 192.0.2.2
>---
> 2811-expt-TWO#sh cry engine acc stat
> Device: AIM-VPN/SSL-2
> Location: AIM Slot: 0
> Virtual Private Network (VPN) Module in slot : 0
> Statistics for Hardware VPN Module since the last clear
> of counters 42 seconds ago
> 126270 packets in 126270 packets out
> 127941213 bytes in 124977694 bytes out
> 3006 paks/sec in 3006 paks/sec out
> 23865 Kbits/sec in 23312 Kbits/sec out
> 42555 packets decrypted 83715 packets encrypted
> 5854456 bytes before decrypt 119123238 bytes encrypted
> 2790517 bytes decrypted 125150696 bytes after encrypt
> 0 packets decompressed 0 packets compressed
> 0 bytes before decomp 0 bytes before comp
> 0 bytes after decomp 0 bytes after comp
> 0 packets bypass decompr 0 packets bypass compres
> 0 bytes bypass decompres 0 bytes bypass compressi
> 0 packets not decompress 0 packets not compressed
> 0 bytes not decompressed 0 bytes not compressed
> 1.0:1 compression ratio 1.0:1 overall
> 4 commands out 4 commands acknowledged
> Last 5 minutes:
> 53276 packets in 53276 packets out
> 1268 paks/sec in 1268 paks/sec out
> 10792372 bits/sec in 10542446 bits/sec out
> 1178581 bytes decrypted 50240550 bytes encrypted
> 235716 Kbits/sec decrypted 10048110 Kbits/sec encrypted
> 1.0:1 compression ratio 1.0:1 overall
> Errors:
> ppq full errors : 0 ppq rx errors : 0
> cmdq full errors : 0 cmdq rx errors : 0
> ppq down errors : 0 cmdq down errors : 0
> no buffer : 0 replay errors : 0
> dest overflow : 0 authentication errors : 0
> Other error : 0 Raw Input Underrun : 0
> IPSEC Unsupported Option: 0 IPV4 Header Length : 0
> ESP Pad Length : 0 IPSEC Decompression : 0
> AH ESP seq mismatch : 0 AH Header Length : 0
> AH ICV Incorrect : 0 IPCOMP CPI Mismatch : 0
> IPSEC ESP Modulo : 0 Unexpected IPV6 Extensio: 0
> Unexpected Protocol : 0 Dest Buf overflow : 0
> IPSEC Pkt is fragment : 0 IPSEC Pkt src count : 0
> Invalid IP Version : 0 Unwrappable : 0
> SSL Output overrun : 0 SSL Decompress failure : 0
> SSL BAD Decomp History : 0 SSL Version Mismatch : 0
> SSL Input overrun : 0 SSL Conn Modulo : 0
> SSL Input Underrun : 0 SSL Connection closed : 0
> SSL Unrecognised content: 0 SSL record header length: 0
> PPTP Duplicate packet : 0 PPTP Exceed max missed p: 0
> RNG self test fail : 0 DF Bit set : 0
> Hash Miscompare : 0 Unwrappable object : 0
> Missing attribute : 0 Invalid attrribute value: 0
> Bad Attribute : 0 Verification Fail : 0
> Decrypt Failure : 0 Invalid Packet : 0
> Invalid Key : 0 Input Overrun : 0
> Input Underrun : 0 Output buffer overrun : 0
> Bad handle value : 0 Invalid parameter : 0
> Bad function code : 0 Out of handles : 0
> Access denied : 0 Out of memory : 0
> NR overflow : 0 pkts dropped : 0
> Warnings:
> sessions_expired : 0 packets_fragmented : 0
> general: : 0
> HSP details:
> hsp_operations : 35231 hsp_sessions : 3
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
Jens S Andersen Email: jsa at adm.aau.dk
Aalborg University Telf: 9940 9464
Selma Lagerlöfs Vej 300, 4.1.03 Fax: 9940 7593
9220 Aalborg
Denmark
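The arithmetic behind the MTU/MSS advice in this thread, as an added worked example that is not part of the original messages and not code from Cisco: it computes how much an inner packet grows after GRE encapsulation on Tunnel0 and ESP encapsulation by the crypto map, derives the largest tunnel `ip mtu` that never produces an outer packet above the link MTU, and reads the `Frags:` counters of two `show ip traffic` captures. Assumptions (not stated on the page): IPv4 without options, a basic 4-byte GRE header, AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, a 1500-byte outer link MTU, tunnel-mode ESP unless `mode="transport"` is passed, and that `show ip traffic` prints its fragmentation counters in the two-line layout shown in the comments. The two captures are constructed; their numbers are made up.

```python
"""GRE-over-IPsec size arithmetic and a 'show ip traffic' Frags: reader.
Added example for the thread above; assumptions are listed in the lead-in."""
import re

IP_HDR = 20          # IPv4 header, no options
GRE_HDR = 4          # GRE header without key/sequence/checksum fields
ESP_HDR = 8          # SPI + sequence number
AES_BLOCK = 16       # AES-CBC IV size and padding block size
ESP_TRAILER = 2      # pad-length + next-header bytes inside the padded region
SHA1_ICV = 12        # HMAC-SHA1-96 integrity check value
TCP_IP_HDRS = 40     # IPv4 + TCP headers, no options


def esp_size(plaintext_len):
    """Bytes on the wire for an ESP packet carrying plaintext_len plaintext bytes."""
    padded = ((plaintext_len + ESP_TRAILER + AES_BLOCK - 1) // AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + AES_BLOCK + padded + SHA1_ICV


def gre_ipsec_wire_size(inner_len, mode="tunnel"):
    """Wire size of an inner IP packet of inner_len bytes after GRE + ESP.

    tunnel mode (IOS default, used by the posted transform set): the whole GRE
    packet including its IP header is encrypted and a new IP header is added.
    transport mode: only GRE header + inner packet is encrypted and the GRE
    packet's own IP header is reused, saving IP_HDR bytes.
    """
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be 'tunnel' or 'transport'")
    plaintext = GRE_HDR + inner_len
    if mode == "tunnel":
        plaintext += IP_HDR
    return esp_size(plaintext)


def max_tunnel_ip_mtu(link_mtu=1500, mode="tunnel"):
    """Largest tunnel 'ip mtu' for which no inner packet up to that size ever
    yields an ESP packet above link_mtu (worst-case AES padding included)."""
    for inner in range(link_mtu, 0, -1):
        if gre_ipsec_wire_size(inner, mode) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any payload")


def mss_for_ip_mtu(ip_mtu):
    """TCP MSS that exactly fills the tunnel MTU (the ceiling for adjust-mss)."""
    return ip_mtu - TCP_IP_HDRS


# Assumed 'show ip traffic' layout for the fragmentation counters:
#   Frags: N reassembled, N timeouts, N couldn't reassemble
#          N fragmented, N fragments, N couldn't fragment
FRAGS_RE = re.compile(
    r"Frags:\s+(\d+) reassembled, (\d+) timeouts, (\d+) couldn't reassemble\s+"
    r"(\d+) fragmented, (\d+) fragments, (\d+) couldn't fragment"
)
FRAGS_KEYS = ("reassembled", "timeouts", "couldnt_reassemble",
              "fragmented", "fragments", "couldnt_fragment")


def parse_frags(show_ip_traffic_output):
    """Return the six Frags: counters of one capture as a dict."""
    m = FRAGS_RE.search(show_ip_traffic_output)
    if m is None:
        raise ValueError("no Frags: line found in output")
    return dict(zip(FRAGS_KEYS, map(int, m.groups())))


def frags_delta(before, after):
    """Counter growth between two captures; a rising 'reassembled' count means
    the main CPU is reassembling fragments before the crypto engine sees them."""
    a, b = parse_frags(before), parse_frags(after)
    return {k: b[k] - a[k] for k in FRAGS_KEYS}


# Two constructed captures in the assumed IOS layout (numbers are made up).
SAMPLE_BEFORE = """IP statistics:
  Rcvd:  1292004 total, 1291981 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
  Frags: 1200 reassembled, 0 timeouts, 0 couldn't reassemble
         3400 fragmented, 6800 fragments, 0 couldn't fragment
"""
SAMPLE_AFTER = """IP statistics:
  Rcvd:  1318550 total, 1318522 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
  Frags: 1250 reassembled, 0 timeouts, 0 couldn't reassemble
         3400 fragmented, 6800 fragments, 0 couldn't fragment
"""

if __name__ == "__main__":
    # Posted config: ip mtu 1476 lets a 1500-byte GRE packet reach the crypto
    # map; in tunnel mode it becomes 1560 bytes and has to be fragmented.
    print("ip mtu 1476, full-size packet:", gre_ipsec_wire_size(1476))       # 1560
    # TCP clamped to MSS 1360 gives 1400-byte inner packets, which fit.
    print("mss 1360 segment:", gre_ipsec_wire_size(1360 + TCP_IP_HDRS))      # 1496
    print("largest safe ip mtu, tunnel mode:", max_tunnel_ip_mtu())          # 1414
    print("largest safe ip mtu, transport:", max_tunnel_ip_mtu(mode="transport"))  # 1434
    print("Frags growth:", frags_delta(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Under these assumptions the posted `ip mtu 1476` only stays fragmentation-free for TCP, because the MSS clamp caps those inner packets at 1400 bytes; any other full-size inner packet (UDP, ICMP) becomes a 1560-byte ESP packet and is pre-fragmented on the sending router and reassembled by the far CPU. The largest value that never fragments is 1414 in tunnel mode and 1434 in transport mode, so whether a particular figure such as 1418 fits depends on the SA mode and on the transform set; check with `show crypto ipsec sa` which mode the SA actually uses before picking the number.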