05-22-2014 07:09 AM
Dear Community,
Can one influence the max. packet size of the other party's ISAKMP packets when creating a site-to-site VPN, analogous to using "ip tcp adjust-mss" to inform the other party about our max. MSS?
Thing is: I am trying to establish a cert.-based site-to-site VPN, and the local ISP's Layer 1/2 devices (on the branch router's side) are dropping packets (without ICMP notification) that are larger than 1452 bytes and have the DF bit set (as ISAKMP sets it). This is what happens to us: the branch office router doesn't receive the cert. of the concentrator because it is about 1800 bytes long (fragmented into two packets of 1500+300 bytes), and the branch router goes back from MM5 state to Phase 1 because of the MM4 retransmissions. The concentrator has a lot of VPN tunnels, so I cannot change anything on that part, but I got the idea to somehow influence the packet size from the branch router, just like when one configures "ip tcp adjust-mss" and influences the other side of the TCP session to lower the packet size/MSS. The router is a Cisco 3925 with IOS 15.1(2)T5 at the moment.
Is it possible somehow?
Sincerely,
Norbert