03-20-2013 05:56 AM
Dear reader,
I've been trying to get this split tunnel working for quite some time now.
I'm using the VPN tunnel to monitor some devices on a different location.
There's full access to the remote site and the site has access to my monitoring server.
As far as I know all the settings are made correctly and even the VPN tunnel is working.
There are two ACLs, one making sure the NAT traffic doesn't enter the tunnel and the other making sure the traffic gets encrypted.
I'm using 1841s on both sides which don't seem to be overloaded with traffic.
I've also checked the MTU which seems to be fine.
Once I start monitoring, the remote site experiences heavy lag in their network.
Does anyone have a clue or a solution?
These are the configurations in short, if needed I can send the full config too.
On the other site the ACLs are mirrored.
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 5
lifetime 3600
crypto isakmp key VERENTIS address X.X.X.X (remote peer)
crypto isakmp keepalive 60
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto map MONITORING 20 ipsec-isakmp
set peer X.X.X.X (remote peer)
set transform-set TRANSFORM
match address CRYPTO
ip access-list extended CRYPTO
permit ip host 10.80.1.15 10.40.1.0 0.0.0.255
ip access-list extended nat_allowed_monitoring
deny ip 10.80.1.0 0.0.0.255 10.40.1.0 0.0.0.255
permit ip 10.80.1.0 0.0.0.255 any
Thanks in advance!
Sincerely Ronald
03-20-2013 06:26 AM
Hi Ronald,
I am going to suggest some commands, however in order for us to narrow down the reason, we would need to get packet-captures, check drops on the Router's interface and more.
So, please do the following:
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map MONITORING 20 ipsec-isakmp
no set transform-set TRANSFORM
set transform-set ESP-AES-SHA
!
interface f0/0 ------> this is where the servers are and from where you are sourcing the traffic.
ip tcp adjust-mss 1300
Please make these changes on both VPN endpoints and let me know how it goes.
HTH.
Portu.
03-20-2013 08:55 AM
Hello Portu,
I changed these settings and they now look the way you suggested.
Sadly the VPN still works but the problem's still there.
Any suggestions about packet-captures? Since there seem to be no drops in my Crypto session?
Below you can find my configuration and my sh crypto session remote peer detail findings.
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key TESTKEY address X.X.X.X (remote peer)
crypto isakmp keepalive 60
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map MONITORING 20 ipsec-isakmp
set peer X.X.X.X (remote peer)
set transform-set ESP-AES-SHA
match address CRYPTO
ip access-list extended CRYPTO
permit ip host 10.80.1.15 10.40.1.0 0.0.0.255
ip access-list extended nat_allowed_monitoring
deny ip 10.80.1.0 0.0.0.255 10.40.1.0 0.0.0.255
permit ip 10.80.1.0 0.0.0.255 any
interface FastEthernet0/1
description ### WAN ###
ip address X.X.X.X 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect autosec_inspect in
ip inspect autosec_inspect out
ip virtual-reassembly
ip tcp adjust-mss 1300
duplex auto
speed auto
no mop enabled
crypto map MONITORING
---------------------------------------------------------------------------------------------------------------------
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: X.X.X.X port 500 fvrf: (none) ivrf: (none)
Phase1_id: X.X.X.X remote peer
Desc: (none)
IKE SA: local X.X.X.X/500 remote X.X.X.X/500 Active
Capabilities:D connid:144 lifetime:00:43:04
IPSEC FLOW: permit ip host 10.80.1.15 10.40.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 507370 drop 0 life (KB/Sec) 4398738/634
Outbound: #pkts enc'ed 552083 drop 4 life (KB/Sec) 4398616/634
Thanks so far!
Ronald
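The "sh crypto session remote peer detail" output above is what a monitoring job would poll to decide whether a tunnel is healthy: session state, the encrypt/decrypt counters and drop counters per direction, and the remaining SA lifetime. The following is an added example, not code from the thread or from Cisco, that parses that output format and flags a flow whose drop ratio or remaining lifetime crosses a threshold. The sample text is constructed to mirror the post (the peer is a placeholder, the counters are the thread's numbers); the thresholds max_drop_ratio and min_life_sec are assumptions chosen for illustration.

```python
import re

# Constructed sample modelled on the "show crypto session ... detail" output
# quoted in the thread. Peer address is a placeholder; counters are the thread's.
SAMPLE_OUTPUT = """\
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: X.X.X.X port 500 fvrf: (none) ivrf: (none)
  Phase1_id: X.X.X.X
  Desc: (none)
  IKE SA: local X.X.X.X/500 remote X.X.X.X/500 Active
          Capabilities:D connid:144 lifetime:00:43:04
  IPSEC FLOW: permit ip host 10.80.1.15 10.40.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 507370 drop 0 life (KB/Sec) 4398738/634
        Outbound: #pkts enc'ed 552083 drop 4 life (KB/Sec) 4398616/634
"""

STATUS_RE = re.compile(r"Session status:\s+(\S+)")
FLOW_RE = re.compile(r"IPSEC FLOW:\s+(?P<flow>.+)")
# One line per direction: packet count, drop count, remaining life in KB and seconds.
DIR_RE = re.compile(
    r"(?P<dir>Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (?P<pkts>\d+) drop (?P<drop>\d+)"
    r" life \(KB/Sec\) (?P<kb>\d+)/(?P<sec>\d+)"
)


def parse_crypto_session(text):
    """Return {'status': str, 'flows': [{'flow', 'inbound', 'outbound'}]}."""
    result = {"status": None, "flows": []}
    current = None
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            result["status"] = m.group(1)
            continue
        m = FLOW_RE.search(line)
        if m:
            # Each IPSEC FLOW block is followed by its Inbound/Outbound counters.
            current = {"flow": m.group("flow").strip(), "inbound": None, "outbound": None}
            result["flows"].append(current)
            continue
        m = DIR_RE.search(line)
        if m and current is not None:
            current[m.group("dir").lower()] = {
                "pkts": int(m.group("pkts")),
                "drop": int(m.group("drop")),
                "life_kb": int(m.group("kb")),
                "life_sec": int(m.group("sec")),
            }
    return result


def drop_ratio(counters):
    """Fraction of packets dropped on one SA; 0.0 when nothing has been seen yet."""
    total = counters["pkts"] + counters["drop"]
    return counters["drop"] / total if total else 0.0


def assess(session, max_drop_ratio=0.001, min_life_sec=60):
    """Return a list of human-readable findings; an empty list means healthy.

    Thresholds are assumed values for illustration: flag if more than 0.1% of
    packets drop, or if an SA will expire within a minute (rekey problems
    show up here before the session actually goes down).
    """
    findings = []
    if session["status"] != "UP-ACTIVE":
        findings.append(f"session status is {session['status']}, expected UP-ACTIVE")
    for flow in session["flows"]:
        for direction in ("inbound", "outbound"):
            c = flow[direction]
            if c is None:
                findings.append(f"{flow['flow']}: missing {direction} SA counters")
                continue
            ratio = drop_ratio(c)
            if ratio > max_drop_ratio:
                findings.append(
                    f"{flow['flow']}: {direction} drop ratio {ratio:.4%} exceeds {max_drop_ratio:.2%}"
                )
            if c["life_sec"] < min_life_sec:
                findings.append(
                    f"{flow['flow']}: {direction} SA expires in {c['life_sec']}s"
                )
    return findings


if __name__ == "__main__":
    parsed = parse_crypto_session(SAMPLE_OUTPUT)
    for finding in assess(parsed) or ["tunnel healthy"]:
        print(finding)
```

With the thread's numbers the outbound drop ratio is 4 in roughly 552,000 packets, far below any sensible alert threshold, which matches Ronald's observation that the crypto session itself shows no meaningful drops; that is exactly why the next step in the thread moves to packet captures and MSS/DF handling rather than to the crypto configuration.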
03-20-2013 09:00 AM
Ronald,
Does this application connect over UDP or TCP?
Thanks.
03-20-2013 09:03 AM
Portu,
It uses both TCP and UDP and I'm also using ICMP.
Sincerely,
Ronald
03-20-2013 09:42 AM
Ronald,
We would need to get packet captures to isolate the issue, but for now please do the following:
access-list 180 permit tcp any any
!
route-map clear-df-bit permit 10
match ip address 180
set ip df 0
!
interface LAN_INTERFACE
ip policy route-map clear-df-bit
ip tcp adjust-mss 1380
!
Keep me posted.
Thanks.
Message was edited by: Javier Portuguez Correction: ip tcp adjust-mss 1380