Split tunnel VPN works, internet slow when using VPN tunnel

koekkoekkoek
Level 1

Dear reader,

I've been trying to get this split tunnel working for quite some time now.

I'm using the VPN tunnel to monitor some devices on a different location.

There's full access to the remote site, and the site has access to my monitoring server.

As far as I know, all the settings are correct and even the VPN tunnel is working.

There are two ACLs: one making sure the NAT traffic doesn't enter the tunnel, and the other making sure the traffic gets encrypted.

I'm using 1841s on both sides, which don't seem to be overloaded with traffic.

I've also checked the MTU which seems to be fine.

Once I start monitoring, the remote site experiences heavy lag in their network.

Does anyone have a clue or a solution?

These are the configurations in short; if needed I can send the full config too.

On the other site the ACLs are mirrored.

crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key VERENTIS address X.X.X.X     (remote peer)
crypto isakmp keepalive 60
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
!
crypto map MONITORING 20 ipsec-isakmp
 set peer X.X.X.X     (remote peer)
 set transform-set TRANSFORM
 match address CRYPTO
!
ip access-list extended CRYPTO
 permit ip host 10.80.1.15 10.40.1.0 0.0.0.255
!
ip access-list extended nat_allowed_monitoring
 deny   ip 10.80.1.0 0.0.0.255 10.40.1.0 0.0.0.255
 permit ip 10.80.1.0 0.0.0.255 any

Thanks in advance!

Sincerely, Ronald
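The interplay between the two ACLs in the question is the part of a split-tunnel setup that most often goes wrong, and it is cheap to check offline. IOS applies NAT to inside-to-outside traffic before it consults the crypto map, so every flow that should be encrypted must be denied in the NAT ACL; otherwise its source address is already translated when the crypto ACL is evaluated and the packet never enters the tunnel. The Python below is an added example, not code from the thread: it parses the two ACLs exactly as posted (first-match semantics, implicit deny) and classifies a few constructed flows from the monitoring LAN.

```python
import ipaddress
from dataclasses import dataclass

# The two ACLs exactly as posted in the question (IOS extended syntax).
CRYPTO_ACL = """
permit ip host 10.80.1.15 10.40.1.0 0.0.0.255
"""
NAT_ACL = """
deny   ip 10.80.1.0 0.0.0.255 10.40.1.0 0.0.0.255
permit ip 10.80.1.0 0.0.0.255 any
"""


@dataclass
class Entry:
    action: str
    proto: str
    src: tuple  # (network as int, wildcard as int)
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((net, wild), next index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text):
    """Turn IOS extended ACL lines into Entry objects, preserving order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(Entry(tokens[0], tokens[1], src, dst))
    return entries


def _match(addr, spec):
    net, wild = spec
    # IOS wildcard: a 1 bit means "don't care", so only the 0 bits are compared.
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_permits(entries, src_ip, dst_ip):
    """First matching entry decides; no match means the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if _match(s, e.src) and _match(d, e.dst):
            return e.action == "permit"
    return False


def classify_flow(src_ip, dst_ip, crypto=None, nat=None):
    """Describe how a packet from the monitoring LAN leaves the WAN interface."""
    crypto = crypto if crypto is not None else parse_acl(CRYPTO_ACL)
    nat = nat if nat is not None else parse_acl(NAT_ACL)
    natted = acl_permits(nat, src_ip, dst_ip)
    encrypted = acl_permits(crypto, src_ip, dst_ip)
    if encrypted and not natted:
        return "encrypted via tunnel"
    if natted and not encrypted:
        return "NAT to internet (split tunnel)"
    if natted and encrypted:
        return "misconfigured: source translated before crypto map check"
    return "neither NAT nor crypto: leaves WAN untranslated and in the clear"


if __name__ == "__main__":
    # Constructed flows: the monitoring server, another LAN host, and internet traffic.
    for src, dst in [("10.80.1.15", "10.40.1.7"),
                     ("10.80.1.20", "10.40.1.7"),
                     ("10.80.1.15", "203.0.113.9")]:
        print(f"{src} -> {dst}: {classify_flow(src, dst)}")
```

For the monitoring server itself (10.80.1.15) the two ACLs agree, which matches the observation that the tunnel works. Note that the NAT ACL exempts the whole 10.80.1.0/24 while CRYPTO only matches the one host, so any other LAN host talking to 10.40.1.0/24 falls into the last category; that is harmless here because only the monitoring server needs the remote site, but it is the check to run whenever a second host is expected to use the tunnel.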

5 Replies

Hi Ronald,

I am going to suggest some commands; however, in order for us to narrow down the reason, we would need to get packet captures, check drops on the router's interface, and more.

So, please do the following:

crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map MONITORING 20 ipsec-isakmp
 no set transform-set TRANSFORM
 set transform-set ESP-AES-SHA
!
interface f0/0     ------> this is where the servers are and from where you are sourcing the traffic
 ip tcp adjust-mss 1300

Please make these changes on both VPN endpoints and let me know how it goes.

HTH.

Portu.

Hello Portu,

I changed these settings and they now look the way you suggested.

Sadly, the VPN still works but the problem is still there.

Any suggestions about packet captures, since there seem to be no drops in my crypto session?

Below you can find my configuration and the output of "sh crypto session remote <peer> detail".

crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key TESTKEY address X.X.X.X     (remote peer)
crypto isakmp keepalive 60
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map MONITORING 20 ipsec-isakmp
 set peer X.X.X.X     (remote peer)
 set transform-set ESP-AES-SHA
 match address CRYPTO
!
ip access-list extended CRYPTO
 permit ip host 10.80.1.15 10.40.1.0 0.0.0.255
!
ip access-list extended nat_allowed_monitoring
 deny   ip 10.80.1.0 0.0.0.255 10.40.1.0 0.0.0.255
 permit ip 10.80.1.0 0.0.0.255 any
!
interface FastEthernet0/1
 description ### WAN ###
 ip address X.X.X.X 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect in
 ip inspect autosec_inspect out
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 no mop enabled
 crypto map MONITORING

---------------------------------------------------------------------------------------------------------------------
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: X.X.X.X port 500 fvrf: (none) ivrf: (none)
      Phase1_id: X.X.X.X (remote peer)
      Desc: (none)
  IKE SA: local X.X.X.X/500 remote X.X.X.X/500 Active
          Capabilities:D connid:144 lifetime:00:43:04
  IPSEC FLOW: permit ip host 10.80.1.15 10.40.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 507370 drop 0 life (KB/Sec) 4398738/634
        Outbound: #pkts enc'ed 552083 drop 4 life (KB/Sec) 4398616/634

Thanks so far!

Ronald
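The "show crypto session ... detail" output above is the first thing to read when a tunnel is up but slow, because it separates crypto-layer problems (SAs flapping, encrypt/decrypt drops, imminent rekeys) from everything else. The Python below is an added example and not part of the thread; it parses a copy of the posted output (peer address left masked) into structured counters and applies the sanity checks a practitioner would run before moving on to packet captures.

```python
import re

# Output as posted in the thread, with the peer address left masked as X.X.X.X.
SAMPLE = """
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: X.X.X.X port 500 fvrf: (none) ivrf: (none)
      Phase1_id: X.X.X.X
      Desc: (none)
  IKE SA: local X.X.X.X/500 remote X.X.X.X/500 Active
          Capabilities:D connid:144 lifetime:00:43:04
  IPSEC FLOW: permit ip host 10.80.1.15 10.40.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 507370 drop 0 life (KB/Sec) 4398738/634
        Outbound: #pkts enc'ed 552083 drop 4 life (KB/Sec) 4398616/634
"""

STATUS_RE = re.compile(r"Session status:\s*(\S+)")
FLOW_RE = re.compile(r"IPSEC FLOW:\s*(.+)")
SA_RE = re.compile(r"Active SAs:\s*(\d+)")
COUNTER_RE = re.compile(
    r"(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (\d+) drop (\d+) life \(KB/Sec\) (\d+)/(\d+)"
)


def parse_crypto_session(text):
    """Extract session status, flow, SA count and per-direction counters into a dict."""
    result = {"status": None, "flow": None, "active_sas": 0, "counters": {}}
    for line in text.splitlines():
        if m := STATUS_RE.search(line):
            result["status"] = m.group(1)
        elif m := FLOW_RE.search(line):
            result["flow"] = m.group(1).strip()
        elif m := SA_RE.search(line):
            result["active_sas"] = int(m.group(1))
        elif m := COUNTER_RE.search(line):
            direction, pkts, drops, kb_left, sec_left = m.groups()
            result["counters"][direction.lower()] = {
                "pkts": int(pkts),
                "drops": int(drops),
                "kb_left": int(kb_left),
                "sec_left": int(sec_left),
            }
    return result


def assess(session, max_drop_ratio=0.001, min_sec_left=120):
    """Return a list of findings; an empty list means the crypto layer looks healthy."""
    findings = []
    if session["status"] != "UP-ACTIVE":
        findings.append(f"session status is {session['status']}")
    if session["active_sas"] < 2:
        findings.append("fewer than two IPsec SAs (one per direction expected)")
    for direction, c in session["counters"].items():
        ratio = c["drops"] / c["pkts"] if c["pkts"] else 0.0
        if ratio > max_drop_ratio:
            findings.append(f"{direction}: drop ratio {ratio:.2%} exceeds threshold")
        if c["sec_left"] < min_sec_left:
            findings.append(f"{direction}: SA rekeys in {c['sec_left']}s; watch for rekey stalls")
    return findings


if __name__ == "__main__":
    session = parse_crypto_session(SAMPLE)
    print(session["flow"], session["counters"])
    print("findings:", assess(session) or "none, crypto layer looks healthy")
```

For the posted output the checks come back clean: 4 outbound drops against 552,083 encrypted packets is noise, both SAs are active and the lifetimes are nowhere near expiry. That is consistent with Ronald's reading that the crypto session itself is not dropping traffic, which is why the next replies move to MSS and the DF bit rather than to the IKE or IPsec settings.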

Ronald,

Does this application connect over UDP or TCP?

Thanks.

Portu,

It uses both TCP and UDP and I'm also using ICMP.

Sincerely,

Ronald

Ronald,

We would need to get packet captures to isolate the issue, but for now please do the following:

access-list 180 permit tcp any any
!
route-map clear-df-bit permit 10
 match ip address 180
 set ip df 0
!
interface LAN_INTERFACE
 ip policy route-map clear-df-bit
 ip tcp adjust-mss 1380
!

Keep me posted.

Thanks.

Message was edited by Javier Portuguez. Correction: ip tcp adjust-mss 1380
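Both of Portu's suggestions, lowering the TCP MSS (1300, then 1380) and clearing the DF bit with the route-map, address the same failure mode: a full-size 1460-byte TCP segment grows past 1500 bytes once ESP tunnel mode wraps it, and if the sender set DF the router cannot fragment it. The Python below is an added example, not code from the thread; it computes the ESP tunnel-mode overhead for the transform sets used here from the ESP packet layout (outer IPv4 header, SPI and sequence number, IV, padding to the cipher block size, trailer, 96-bit ICV), assuming no TCP options and no NAT-T unless requested, and models the three possible outcomes for one segment.

```python
# ESP tunnel-mode overhead on IPv4, computed from the ESP packet layout (RFC 4303).
IPV4_HDR = 20
TCP_HDR = 20       # assumes no TCP options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
UDP_HDR = 8        # only with NAT-T (UDP/4500 encapsulation)

# Cipher: (IV length, block size) in bytes; integrity: truncated ICV length (HMAC-96).
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
ICVS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def esp_overhead(inner_len, cipher="esp-aes", integ="esp-sha-hmac", nat_t=False):
    """Bytes added when a plaintext IPv4 packet of inner_len is wrapped in ESP tunnel mode."""
    iv_len, block = CIPHERS[cipher]
    icv_len = ICVS[integ]
    # Padding brings (inner packet + trailer) up to a multiple of the cipher block size.
    pad = (block - (inner_len + ESP_TRAILER) % block) % block
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def encapsulated_len(mss, **kw):
    """Wire size of a full TCP segment with the given MSS after ESP encapsulation."""
    inner = IPV4_HDR + TCP_HDR + mss
    return inner + esp_overhead(inner, **kw)


def max_mss_for_mtu(mtu=1500, **kw):
    """Largest MSS whose full segment still fits the outer MTU without fragmentation."""
    mss = mtu - IPV4_HDR - TCP_HDR
    while encapsulated_len(mss, **kw) > mtu:
        mss -= 1
    return mss


def tunnel_forward(mss, df_set, clear_df=False, mtu=1500, **kw):
    """Model what the encrypting router does with one segment; clear_df models 'set ip df 0'."""
    if encapsulated_len(mss, **kw) <= mtu:
        return "sent intact"
    if df_set and not clear_df:
        # The router must drop the packet and send ICMP "fragmentation needed". If that ICMP
        # never reaches the sender, it keeps retransmitting the same oversized segment
        # (a PMTUD black hole), which looks exactly like a slow or lagging link.
        return "dropped, ICMP fragmentation-needed sent"
    return "fragmented before encryption"


if __name__ == "__main__":
    for mss in (1460, 1398, 1380, 1300):
        print(f"MSS {mss}: {encapsulated_len(mss)} bytes on the wire, "
              f"DF set -> {tunnel_forward(mss, df_set=True)}")
    print("max MSS for 1500-byte path:", max_mss_for_mtu(),
          "| with NAT-T:", max_mss_for_mtu(nat_t=True))
```

With esp-aes/esp-sha-hmac the largest MSS that still fits a 1500-byte path is 1398 (1382 behind NAT-T), so 1380 leaves a sensible margin for TCP options and 1300 is more conservative still. Clearing DF with the route-map makes the router fragment oversized segments itself instead of relying on ICMP fragmentation-needed reaching the sender; that matters here because the WAN interface posted earlier carries "no ip unreachables", which suppresses the ICMP type 3 messages that path-MTU discovery depends on. Neither setting helps UDP or ICMP traffic, which is why packet captures are still the right next step for the parts of the monitoring that do not use TCP.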