Hello,

We are trying to install a P2P VPN tunnel using Cisco 7120+SA-ISA as endpoints.

Intranet <--> 7120 <--> WIFI LINK <--> 7120 <--> Intranet

WiFi link, routing and so on works perfectly, iperf shows us 26 Mbits/sec real performance which is fine for 801.11G. Interfaces on 7120s are clean of any errors.

When we enable IPSEC, tunnel is established and visible with "show crypto" commands, status seems to be good.

Wheh we try to ping over the vpn, it works.

When we try to ssh over vpn, it works as well, as long as not much data is passing through.

When we try something intensive like iperf test, scp or simple "find /" in ssh, that connection simply stalls. New connections can be opened in parallel or icmp echo requests can be running without interruption. It all seems as if VPN tunnel disrupt the tcp connection badly when it gets intensive.

Here is config from one of the routers, another is basically the same with different IPs and adjusted match list.

----------------------------------------------------------------------------------------

crypto isakmp policy 10

hash sha

authentication pre-share

crypto isakmp key <censored> address 192.168.4.4

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mymap local-address FastEthernet0/1

crypto map toindustry 10 ipsec-isakmp

set peer 192.168.4.4

set transform-set myset

match address 101

no access-list 101

access-list 101 permit ip any 192.168.10.0 0.0.0.255

----------------------------------------------------------------------------------------

Plus the "crypto map toindustry" is set on outside interface.

Can someone advise what this could be? Those whole symptoms somehow remind me of duplex mismatches :) But this is not the case here.

Thanks!