Daniel, I reread my original post and did something I've done before: I was so involved in thinking about a problem that I left out perhaps the most important piece of info, thinking that everybody would know what I was working on. I'm not sure if that's attributable to presenile dementia or just having a one-track mind. :-)

Here's the description of the problem with more specifics. We have a Cisco 3015 VPN Concentrator connected to the Internet via a T1. Our vendor has a Netopia R9100 router connected to the Internet via DSL. I've set up a LAN-to-LAN IPSec tunnel between the two that works fine right up until I attempt to send actual data across (i.e. ICMP traffic passes because of small packet size but true data does not). When I test for the point at which data fails due to too large a packet size on the side of the Netopia router, I find that somewhere between 1350 bits and 1375 bits I have near 100% transmission success (send multiple pings into the Netopia's network via the IPSec tunnel with different data sizes to find a 100% reply rate, as well as watch packets on the Netopia until the number of fragments reduces to none for the ping session). There appears to be no way to reduce or increase MTU size on either device, which leaves me with finding a way to reduce the size of the IPSec header. My first thoughts are to change from SHA to MD5 authentication (160 bits to 128?), and change the Diffie-Hellman Group setting from Group 2 to Group 1 (1024 bits vs 768). I have no idea if this will affect header size since I don't understand IPSec beyond setting it up. I'll begin/rebegin working on this problem Monday and search CCO for that type of info. Any suggestions would be appreciated (and yes, I too would like for them to get a better router).

Thanks,

David Armstrong

"Daniel Cotts" wrote in message news:[EMAIL PROTECTED]...
> I'm not quite sure exactly what boxes form the IPSec relationship. Are you saying (a) the Netopia talks directly to the 3015 or (b) PCs (who would have VPN Client software) on the LAN side of the Netopia are talking to the 3015? When installing the VPN Client you are prompted to change the MTU size, I believe to 1460.
>
> Make sure that the Netopia isn't blocking your traffic. Try this:
> http://www.cisco.com/warp/public/471/vpn_3000_faq.shtml#Q3
>
> You might want the entire FAQ section. Just leave off the #Q3 of the above URL.
>
> One level higher - watch the wrap:
> http://www.cisco.com/warp/public/471/top_issues/vpn/vpn_index.shtml
>
> > -----Original Message-----
> > From: David Armstrong [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 12:31 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: 3015 VPN Concentrator & MTU's [7:39010]
> >
> > Unfortunately the Netopia's MTU size can't be changed, so nothing is an option. I'm interested in your thought on which side needs changing though. Packets larger than (somewhere around) 1400 bits can't traverse the Netopia R9100 but can traverse the 3015 VPN Concentrator. To me that would seem to mean that the size of the packets sent from the 3015 to the Netopia is too large for the Netopia. Increasing the Netopia's MTU would allow it to see larger frames and therefore not fragment them as they come across. Since I'm able to sit on the Netopia and send packets across the 3015 into our network but am unable to send them from inside the Netopia's network across to the 3015, it seems that the problem is stemming from too small an MTU size on the Netopia (packet comes to the inside interface of the Netopia R9100, is encapsulated and framed with an IPSec header added to the frame for encryption, then sent to the outside interface of the Netopia. The outside interface fragments frames greater than 1500 bits and thus sends fragments out the DSL modem into the Internet - I think).
> >
> > I could be thinking in the wrong direction though, and if I am, I would like to get thinking in the right direction. Currently it doesn't appear that I can decrease or increase MTU size on either device, which leaves me thinking that my options are two: get a router to replace the Netopia that allows changes to MTU, or change the settings for IPSec to decrease the size of the header it adds to the packet when the frame is created. I'm focusing on the second now. I need to get a better understanding of the components of IPSec first though.
> >
> > Thanks for your input,
> >
> > David Armstrong
> >
> > "Daniel Cotts" wrote in message news:[EMAIL PROTECTED]...
> > > Seems that you need to decrease the MTU on the client (Netopia) side rather than increase it.
> > >
> > > > -----Original Message-----
> > > > From: David Armstrong [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, March 20, 2002 11:17 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: 3015 VPN Concentrator & MTU's [7:39010]
> > > >
> > > > We have a 3015 VPN concentrator that I've connected to a vendor who has a Netopia R9100 router with a DSL (PPPoE) connection to the Internet. The tunnel is fine but anything larger than ICMP dies. From talking to Netopia's tech support, the problem is that the Netopia R9100 with PPPoE supports MTUs of 1500 bits and can't be increased. I've sent pings with larger data packets and, sure enough, they died too. Given the vendor's equipment, the solution appears to be to decrease MTU size on the 3015; however, I can't find a way to do this.
> > > >
> > > > Does anyone have any suggestions?
> > > >
> > > > Thanks,
> > > >
> > > > David Armstrong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39194&t=39194
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
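The thread turns on how much ESP tunnel-mode encapsulation adds to each packet and what clear-text size still fits a PPPoE path MTU. The calculator below is an added example, not code from the thread or from Cisco or Netopia. It assumes the standard ESP framing of that era: a 20-byte outer IPv4 header, an 8-byte ESP header (SPI plus sequence number), an 8-byte IV and 8-byte block for DES/3DES-CBC (16/16 for AES-CBC), a 2-byte trailer plus padding to the cipher block boundary, and a 12-byte ICV for both HMAC-MD5-96 and HMAC-SHA1-96 (RFC 2403 and RFC 2404 truncate both to 96 bits, so swapping SHA for MD5 changes nothing on the wire). The Diffie-Hellman group is deliberately absent: it sizes the IKE key exchange, not the ESP data packets. PPPoE is assumed to cost 8 bytes on top of a 1500-byte Ethernet MTU, giving a 1492-byte path MTU; the `nat_t` flag adds the 8-byte UDP header used when NAT traversal is negotiated. The ping sizes it reports are the largest `ping -s`/`ping -l` data sizes that should cross the tunnel unfragmented, which is the same bisection the post describes doing by hand.

```python
# Added example (not from the thread): estimate ESP tunnel-mode overhead and the
# largest clear-text packet that survives a given path MTU without fragmentation.
# Assumed parameters: IPv4 outer header, RFC 2406 ESP framing, DES/3DES-CBC with
# an 8-byte IV and 8-byte block, AES-CBC with 16/16, HMAC-MD5-96 and HMAC-SHA1-96
# ICVs truncated to 96 bits (RFC 2403 / RFC 2404), PPPoE costing 8 bytes on top
# of a 1500-byte Ethernet MTU.

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8        # 6-byte PPPoE header + 2-byte PPP protocol ID
OUTER_IPV4_HDR = 20
ESP_HDR = 8               # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2     # pad length (1) + next header (1)
NAT_T_UDP_HDR = 8         # only if UDP encapsulation (NAT-T) is negotiated
IP_PLUS_ICMP_HDR = 28     # inner IPv4 header (20) + ICMP echo header (8)

# cipher -> (IV length, block size) in bytes
CIPHERS = {
    "des-cbc": (8, 8),
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
    "null": (0, 4),       # ESP-NULL still pads the trailer to a 4-byte boundary
}
# integrity algorithm -> ICV length in bytes; both HMACs are truncated to 96 bits
INTEGRITY = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "none": 0,
}
# The Diffie-Hellman group is an IKE parameter: it changes the size of the key
# exchange, not of any ESP data packet, so it does not appear in this model.


def esp_tunnel_size(inner_len, cipher="3des-cbc", integrity="hmac-sha1-96", nat_t=False):
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes in ESP tunnel mode."""
    iv_len, block = CIPHERS[cipher]
    icv_len = INTEGRITY[integrity]
    body = inner_len + ESP_TRAILER_FIXED      # payload + pad length + next header
    padding = (-body) % block                  # bring the body to a block boundary
    size = OUTER_IPV4_HDR + ESP_HDR + iv_len + body + padding + icv_len
    return size + NAT_T_UDP_HDR if nat_t else size


def esp_overhead(inner_len, **kw):
    """Bytes ESP adds to an inner packet of inner_len bytes (varies with padding)."""
    return esp_tunnel_size(inner_len, **kw) - inner_len


def max_inner_packet(path_mtu, **kw):
    """Largest inner IPv4 packet whose encapsulated form fits path_mtu unfragmented."""
    for n in range(path_mtu, 0, -1):
        if esp_tunnel_size(n, **kw) <= path_mtu:
            return n
    return 0


def max_ping_data(path_mtu, **kw):
    """Largest ping data size that should cross the tunnel without fragmentation."""
    return max(0, max_inner_packet(path_mtu, **kw) - IP_PLUS_ICMP_HDR)


def pppoe_path_mtu(ethernet_mtu=ETHERNET_MTU):
    """IP MTU available on a PPPoE link carried over Ethernet."""
    return ethernet_mtu - PPPOE_OVERHEAD


if __name__ == "__main__":
    mtu = pppoe_path_mtu()
    print(f"PPPoE path MTU: {mtu} bytes")
    for cipher, integ, nat in [("3des-cbc", "hmac-sha1-96", False),
                               ("3des-cbc", "hmac-md5-96", False),
                               ("3des-cbc", "hmac-sha1-96", True),
                               ("aes-cbc", "hmac-sha1-96", False)]:
        ovh = esp_overhead(1400, cipher=cipher, integrity=integ, nat_t=nat)
        ping = max_ping_data(mtu, cipher=cipher, integrity=integ, nat_t=nat)
        print(f"{cipher:9s} {integ:13s} nat_t={nat!s:5s} "
              f"overhead@1400B={ovh:3d}B  max ping data={ping}B")
```

Running it shows the SHA1 and MD5 rows are identical, which is the practical check for the "shrink the IPSec header by changing hashes" idea. If the observed cutoff on a link is well below the value the model predicts, the difference is almost always path MTU lost somewhere other than the endpoints (an extra encapsulation layer, or a device dropping ICMP "fragmentation needed"), and the usual mitigation is to clamp the clear-text MTU or TCP MSS at the tunnel endpoint that allows it rather than to alter the IPsec proposal.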

