PIX to IOS ipsec vpn works but no dice running windows terminal services

jbouwkamp
Level 1

Hi all, I have a remote PIX (branch office with cable modem) running a VPN tunnel over the Internet to a 2600 router (HQ), which works great. Standard stuff like pings, FTP, Telnet, and WWW work just fine through the VPN. The customer wants to access the Windows terminal server at the HQ from the branch office and it just won't connect. I don't know much about Windows Terminal Services, but the company's IT guy who set it up mentioned that it does its own encryption. Could that be affecting the connection through the VPN? What happens when you run two encryptions on a packet? I used Cisco's standard PIX to IOS sample config and both sides have static addresses... thanks for any input in advance.

4 Replies

gfullage
Cisco Employee

This could be an MTU issue. Can you send a 1500 byte ping from the remote site to the terminal server? If not, try lowering the size and you'll probably find it starts working somewhere above 1400 bytes.

If this is the case, then you need to lower the packet size each side is sending, which can usually be nigh impossible. You might also find that the terminal server is sending out its packets with the Don't Fragment bit set, which is causing problems. In later IOS code you can have the router modify this bit as the packet comes into the router so that the router will fragment the packet anyway. Check out http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm and try clearing the bit to see if that helps.

If pings of 1500 do get through though, then you're probably not running into a fragmentation issue. The double encryption *shouldn't* be a problem, but you could see if there's a way to turn that off. Having said that, I've run Terminal Services through IPSec tunnels before with no issue.

Looks like you're right on the money. I can't ping 1500-byte packets through the VPN because the main site is using an ISDN line that is limited to 1492. The current IOS on the 2600 does not allow modifying the Don't Fragment bit. Is there a debug command I could use to verify the packets are being dropped? I'm not too familiar with debug usage. The remote client is a dumb terminal so I doubt I could change the MTU, though I could probably change it on the terminal server at the main site. Any more thoughts or ideas would be appreciated! Thanks.

If the 2600 doesn't have the crypto DF stuff, then there's one other way to turn it off, although again not all IOS versions support it. Try adding a route-map in the config like this:

route-map dfclear permit 10
 set ip df 0

If you have the "ip df" option under the route-map, then you're in luck. On your inside interface add the following:

interface Ethernet0
 description Interface to inside hosts
 ip policy route-map dfclear

This will set the DF bit to 0 as packets come in the inside interface, allowing the router to fragment it as it goes out the outside interface.

jbouwkamp
Level 1

Problem solved, I was totally on the wrong track. I turned on ICMP packet debugging and spotted the 2600 translating terminal server ICMP packets (not sure why it uses ICMP packets, but oh well) into a global IP address. I had thought that packets would hit the tunnel before translating through a static NAT command, but I guess I was wrong and will never make that mistake again. Removing the static translation on port 3389 fixed the problem. Thanks for the help though! I should have posted the running config; you probably would have spotted it.
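The order-of-operations lesson in the post above (on IOS, inside-to-outside NAT runs before the crypto map ACL is checked, so a static translation can pull traffic out of the tunnel), as an added Python model that is not part of the thread. The addresses, the static NAT entry, and the crypto ACL are constructed; the `exempt_vpn` switch models the common alternative to simply deleting the static, a NAT exemption for tunnel traffic.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed example addressing (not taken from the thread).
HQ_LAN = ip_network("192.168.10.0/24")       # inside of the 2600 at HQ
BRANCH_LAN = ip_network("192.168.20.0/24")   # behind the remote PIX
TERMINAL_SERVER = ip_address("192.168.10.5")
GLOBAL_IP = ip_address("203.0.113.5")        # public address used by the static

@dataclass(frozen=True)
class Packet:
    src: object          # ipaddress.IPv4Address
    dst: object
    sport: int
    dport: int
    encrypted: bool = False

# Models a static port translation for the terminal server, i.e. the kind of
# "ip nat inside source static tcp <inside> 3389 <global> 3389" the poster had.
STATIC_NAT = {(TERMINAL_SERVER, 3389): GLOBAL_IP}

def crypto_acl_matches(pkt):
    """Crypto map ACL: permit ip HQ_LAN BRANCH_LAN (constructed)."""
    return pkt.src in HQ_LAN and pkt.dst in BRANCH_LAN

def nat_inside_to_outside(pkt, exempt_vpn):
    """Translate the source if a static entry matches it. With exempt_vpn the
    tunnel traffic skips NAT, as a NAT exemption ACL would arrange."""
    if exempt_vpn and crypto_acl_matches(pkt):
        return pkt
    new_src = STATIC_NAT.get((pkt.src, pkt.sport))
    return replace(pkt, src=new_src) if new_src else pkt

def forward_inside_to_outside(pkt, exempt_vpn=False):
    """IOS inside->outside order: NAT first, then the crypto map check.
    A translated source no longer matches the crypto ACL, so the reply
    leaves the outside interface in the clear instead of via the tunnel."""
    pkt = nat_inside_to_outside(pkt, exempt_vpn)
    if crypto_acl_matches(pkt):
        return replace(pkt, encrypted=True)
    return pkt

def rdp_reply(client=ip_address("192.168.20.7")):
    """Terminal server reply (source port 3389) to a branch client."""
    return Packet(TERMINAL_SERVER, client, 3389, 50000)

if __name__ == "__main__":
    print("broken:", forward_inside_to_outside(rdp_reply()))
    print("fixed: ", forward_inside_to_outside(rdp_reply(), exempt_vpn=True))
```

Watching the `debug` output for the translated global address, as the poster did, is exactly the symptom this model reproduces: the reply is NATed and then bypasses the crypto map.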