[c-nsp] IPSec => Speed problems ?

Stephane MAGAND stmagconsulting at gmail.com
Wed Sep 22 14:44:39 EDT 2010


Hi,

I request your help because we have a speed problem between two
sites.

The first, connected at 100 Mbits with full internet access:

Config (it's a 2821 with AIM card)



crypto isakmp key k5XXXXJJ address 62.aa.bb.cc

crypto isakmp profile VPN001
   keyring default
   match identity address 62.aa.bb.cc 255.255.255.255

crypto ipsec transform-set ipsec_tunnel_001 esp-3des
 mode transport

crypto ipsec profile ipsec_vpn_001
 set transform-set ipsec_tunnel_001
 set isakmp-profile VPN001

interface Tunnel2
 bandwidth 10000
 ip vrf forwarding VPN001
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1440
 ip tcp adjust-mss 1400
 tunnel source GigabitEthernet0/1
 tunnel destination 62.aa.bb.cc
 tunnel protection ipsec profile ipsec_vpn_001
 !
interface GigabitEthernet0/1
 ip address 78.aa.bb.cc 255.255.255.252
 duplex auto
 speed auto
 crypto map ra
 !




The second, connected by ADSL in the UK with a Cisco 1721:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key k5XXXXJJ address 78.aa.bb.cc

crypto isakmp profile vpn
   keyring default
   match identity address 78.aa.bb.cc 255.255.255.255

!
!
crypto ipsec transform-set ipsec_tunnel esp-3des
 mode transport

crypto ipsec profile ipsec_vpn
 set transform-set ipsec_tunnel
 set isakmp-profile vpn
!

interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 ip mtu 1440
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination 78.aa.bb.cc.dd
 tunnel protection ipsec profile ipsec_vpn
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 ip address 10.11.12.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 speed auto
 full-duplex
!
interface Dialer0
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname login@adsl
 ppp chap password 0 thepass
!


Do you think that my config is good? Is the MTU correct?
Any idea what the problem is?

thanks
Stephane
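
An added example, not part of the original post: the ESP size arithmetic for the MTU question, using the posted values (tunnel `ip mtu 1440`, `Dialer0` `mtu 1492`, transport mode, `esp-3des` with no integrity transform). It assumes a default 4-byte GRE header, an option-free IPv4 outer header and 3DES-CBC's 8-byte block and IV; the function names are made up for this example.

```python
# Added example: ESP/GRE size arithmetic for the tunnel settings in the post.
# Assumptions (not stated in the post): IPv4 outer header without options,
# default GRE tunnel mode with a 4-byte header, 3DES-CBC (8-byte block and IV).

IP_HDR = 20        # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte
GRE_HDR = 4        # basic GRE header, no key/sequence
NAT_T_UDP = 8      # UDP/4500 header, only if NAT traversal is in use


def outer_packet_size(inner_len, block=8, iv=8, icv=0, nat_t=False):
    """Size on the wire of one GRE-in-ESP transport-mode packet."""
    plaintext = GRE_HDR + inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block       # round up to cipher block
    size = IP_HDR + ESP_HDR + iv + padded + icv
    return size + (NAT_T_UDP if nat_t else 0)


def max_inner_mtu(link_mtu, block=8, iv=8, icv=0, nat_t=False):
    """Largest tunnel 'ip mtu' that still fits link_mtu without fragmenting."""
    room = link_mtu - IP_HDR - ESP_HDR - iv - icv - (NAT_T_UDP if nat_t else 0)
    room = room // block * block                  # whole cipher blocks only
    return room - ESP_TRAILER - GRE_HDR


def check(tunnel_ip_mtu, link_mtu, **kw):
    """Summarise whether a full-size tunnel packet fits the physical link."""
    size = outer_packet_size(tunnel_ip_mtu, **kw)
    return {"outer": size, "fits": size <= link_mtu,
            "max_ip_mtu": max_inner_mtu(link_mtu, **kw)}


if __name__ == "__main__":
    # Values from the post: tunnel ip mtu 1440, Dialer0 mtu 1492, esp-3des only.
    print("esp-3des:", check(1440, 1492))
    # Same tunnel if a 12-byte ICV (an HMAC-96 integrity transform) were added.
    print("esp-3des + 12-byte ICV:", check(1440, 1492, icv=12))
```

Under these assumptions a full 1440-byte tunnel packet leaves the Dialer at 1484 bytes and fits the 1492-byte PPPoE MTU; adding a 12-byte integrity check value to the transform set would push it to 1496 and require lowering the tunnel `ip mtu` to 1434 or less.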