VPN over gprs

Feb 23rd, 2007

Hi everyone!

I have set up a VPN remote tunnel from XP SP2 with the EasyVPN client to an ASA 5510 head. The connection works from cable remotes, but not over a GPRS connection.

Since ping works, I assumed it might be MTU related, so I kept decreasing the MTU on both the GPRS network interface and on that of the EasyVPN. However, nothing happened (I got as low as MTU 500).

Our service provider uses private addresses, so NAT-T is set. The client connects, asks for the username with XAUTH, the connection seems to establish, but the TCP connections usually stop at SYN/ACK or ACK.

On the out1 IF of the head, pre-fragmentation is enabled and the DF bit is set to clear. I was thinking about decreasing the MTU on the out1 interface, but since the device is located at a data center and is serving traffic on the same outside interface, I was afraid that lowering the MTU on the out1 would result in slower transfers / higher CPU utilization of the FW.

What else should I try?

Any help is greatly appreciated.



tamasfromhungary Mon, 02/26/2007 - 04:25

Thanks for helping. Yes, the built-in firewall is enabled, but since the config works on broadband, this is probably not the cause.

The problem is only over GPRS, so that's why I thought this might be network related rather than a config issue.



tamasfromhungary Tue, 02/27/2007 - 05:08

Since it seems that no one has any ideas, I am going to try to reduce the MTU on the outside interface. I have read somewhere that the MTU size does not affect the packets passing through. So does anyone know if the reduction of the MTU on the outside IF will reduce performance from and to the webserver on another interface?

stewartrc Tue, 02/27/2007 - 08:25

Which access point are you using, and what GPRS provider? If it is Cingular you must use isp.cingular; wap.cingular is not compatible with VPN connections.

tamasfromhungary Tue, 02/27/2007 - 13:23

It's a European T-Mobile network, the Internet works fine, I get full NAT'ed net access. It's just the VPN (ICMP works but nothing else).

l.jankok Mon, 08/06/2007 - 12:04

I was wondering if you did succeed in getting this working.



electoolhungary Tue, 08/07/2007 - 03:53


It was one of those problems that mysteriously solved itself. I talked to the GSM provider and they told me that they did some modifications in their network config.

Now we are using a totally stock IPSec over UDP tunnel and it works fine even though we get private IP from the telco.



l.jankok Tue, 08/07/2007 - 04:26

You are totally right. We have several providers here in the Netherlands and I was trying this with exactly the one which doesn't work (Vodafone). With exactly the same Windows Mobile with exactly the same config but on a different provider I had no problems. Thanks :)

