08-02-2007 02:11 PM - edited 03-03-2019 06:09 PM
I'm trying to bridge a VLAN using L2TPv3 over IPSEC.
Everything is working properly when the computers have an MTU manually lowered to 1300, but it doesn't work for computers with the default MTU.
The 'show l2tp session all' command shows no packets being dropped because of MTU, so it seems that it is the IPSEC encapsulation that is making the packets too big.
I've tried using 'ip tcp adjust-mss' as well as lowering the MTU on the router interfaces, but it doesn't help.
Cisco bug CSCek46765 mentions a problem with L2TPv3 over GRE which could be the one I'm hitting here, but the workaround of using 'ip mtu 1538' doesn't work for me as loopback interfaces can't be set with an MTU that big.
Is anybody successfully running L2TPv3 over IPSEC? What did you do to fix the MTU issue?
Thanks
08-02-2007 04:29 PM
Problem solved.
The 'ip pmtu' command had to be removed from the pseudowire-class.
Thanks
12-08-2008 07:12 AM
Removing that command will mean that you will see fragmentation - meaning traffic will get process-switched, leading to high CPU load on your device. Did you ever experience this? If so, did you solve the problem another way?
I ask because we see the same problem. We need 'ip pmtu' to stop CPU problems but at the same time we can't have it because it breaks some servers! Catch-22.
10-03-2007 02:40 PM
Can you email me a copy of your config?
I am trying to do the same thing.
Thanks
10-04-2007 08:42 AM
pseudowire-class vlan-xconnect
encapsulation l2tpv3
ip local interface Loopback1
ip tos reflect
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxx address 12.55.144.12
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 12.55.144.12
set peer 12.55.144.12
set transform-set ESP-AES256-SHA
match address 100
!
!
interface Null0
no ip unreachables
!
interface Loopback1
description L2TPv3 Tunnel Source
ip address 172.20.20.251 255.255.255.255
ip mtu 1420
ip tcp adjust-mss 1300
!
interface FastEthernet0
description $ETH-LAN$$FW_OUTSIDE$
ip address 24.x.x.215 255.255.255.240
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface Vlan1
no ip address
ip mtu 1400
ip tcp adjust-mss 1300
xconnect 172.20.20.250 1 pw-class vlan-xconnect
!
ip route 0.0.0.0 0.0.x.x.155.121.209
access-list 102 permit ahp host 12.55.144.12 host 24.155.121.215
access-list 102 permit esp host 12.55.144.12 host 24.155.121.215
access-list 102 permit udp host 12.55.144.12 host 24.155.121.215 eq isakmp
access-list 102 permit udp host 12.55.144.12 host 24.155.121.215 eq non500-isakmp
access-list 102 remark IPSec Rule
access-list 102 permit ip host 172.20.20.250 host 172.20.20.251
access-list 102 deny ip any any log
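Added example, not from the thread or Cisco: a byte-budget calculator for the encapsulation this config performs (Ethernet frame into L2TPv3 over IP, then ESP tunnel mode with the transform-set ESP-AES256-SHA). It assumes no L2TPv3 cookie or L2-specific sublayer, since the pseudowire-class configures none, and the standard AES-CBC IV/padding and HMAC-SHA1-96 ICV sizes. l2tpv3_size(1500) returns 1538, the figure in the bug workaround quoted in the first post, and max_inner_mtu() returns 1400, matching the 'ip mtu 1400' on Vlan1.

```python
"""Size budget for an Ethernet frame carried over L2TPv3 (IP protocol 115)
and then ESP tunnel mode with AES-CBC + HMAC-SHA1-96. Constructed example
illustrating the thread's MTU problem; not Cisco's own code."""

ETH_HDR = 14          # destination MAC, source MAC, EtherType
VLAN_TAG = 4          # 802.1Q tag, only if the tag is carried in the pseudowire
IP_HDR = 20           # IPv4 header without options
L2TPV3_SESSION = 4    # L2TPv3 session ID (data message header over IP)
ESP_HDR = 8           # SPI + sequence number
AES_BLOCK = 16        # AES-CBC IV length and padding block size
ESP_TRAILER = 2       # pad length + next header
SHA1_96_ICV = 12      # HMAC-SHA1-96 integrity check value
TCP_IP_HDRS = 40      # IPv4 + TCP headers without options (for MSS)


def l2tpv3_size(inner_ip_len, cookie_len=0, vlan_tag=False, l2spec_len=0):
    """Outer IP packet length once a frame carrying an inner IP packet of
    inner_ip_len bytes is wrapped in Ethernet + L2TPv3 + IPv4. cookie_len
    (0/4/8) and l2spec_len (0/4) are optional fields; assumed 0 here."""
    frame = ETH_HDR + (VLAN_TAG if vlan_tag else 0) + inner_ip_len
    return IP_HDR + L2TPV3_SESSION + cookie_len + l2spec_len + frame


def esp_tunnel_size(plain_len):
    """ESP tunnel-mode packet length for a plain_len-byte IP packet: new
    outer IP header, ESP header, IV, ciphertext padded to the AES block
    size (trailer included), and the ICV."""
    padded = -(-(plain_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + AES_BLOCK + padded + SHA1_96_ICV


def l2tpv3_ipsec_size(inner_ip_len, **l2tp_opts):
    """Bytes on the wire for one inner IP packet after both encapsulations."""
    return esp_tunnel_size(l2tpv3_size(inner_ip_len, **l2tp_opts))


def max_inner_mtu(link_mtu=1500, **l2tp_opts):
    """Largest inner IP packet that fits in link_mtu without the router
    having to fragment the ESP packet."""
    return max(n for n in range(64, link_mtu + 1)
               if l2tpv3_ipsec_size(n, **l2tp_opts) <= link_mtu)


def tcp_mss_for(inner_mtu):
    """MSS keeping TCP segments inside inner_mtu (ip tcp adjust-mss value)."""
    return inner_mtu - TCP_IP_HDRS


if __name__ == "__main__":
    for mtu in (1500, 1420, 1400, 1300):
        print(f"inner MTU {mtu}: {l2tpv3_size(mtu)} bytes after L2TPv3, "
              f"{l2tpv3_ipsec_size(mtu)} bytes after ESP")
    fit = max_inner_mtu()
    print(f"largest inner MTU on a 1500-byte link: {fit}, MSS {tcp_mss_for(fit)}")
```

With hosts at the default 1500 the ESP packet comes out at 1608 bytes, so the router must either fragment it (the CPU cost described later in the thread) or, with 'ip pmtu', refuse it; at 1300 it is 1400 bytes and fits.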
10-04-2007 08:52 AM
hmm.
Ok, I am not sure if I am asking too much, but how exactly does this VLAN tunneling work? Can you email me the configuration on both ends?
Here is what I am trying to do:
SW1 (3VLANS) --- Router --- IPSEC/VPN --- ROUTER --- (3VLANS) --- SW2
When you look at this, I want SW1 and SW2 to share the same VLAN ID and broadcast domain.
Is this possible?
10-04-2007 09:01 AM
The other end is exactly the same config, just reverse the IP addresses.
First establish your IPSEC tunnel.
When you can ping the loopback IP from each side, apply the xconnect and pseudowire class.
What you want to do is possible; however, this config will only let you share a single VLAN.
03-13-2014 06:49 AM
Hi,
Has this been resolved? I am facing this concern also.
01-03-2024 03:42 PM
Would you still be able to add an IP address to VLAN 1?