L2TPV3 over IPSEC bridging


I'm trying to bridge a VLAN using L2TPv3 over IPsec.

Everything is working properly when the computers have an MTU manually lowered to 1300. But it doesn't work for computers with the default MTU.

The "show l2tp session all" output shows no packets being dropped because of MTU, so it seems that it is the IPsec encapsulation that is making the packets too big.

I've tried using "ip tcp adjust-mss" as well as lowering the MTU on the router interfaces, but it doesn't help.

Cisco bug CSCek46765 mentions a problem with L2TPv3 over GRE which could be the one I'm hitting here, but the workaround of using "ip mtu 1538" doesn't work for me, as loopback interfaces can't be set with an MTU that big.

Is anybody successfully running L2TPv3 over IPsec? What did you do to fix the MTU issue?


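The arithmetic behind the original poster's observation (1300 works, the default MTU does not), as an added example that is not part of this thread: it models the L2TPv3-over-IP header plus the ESP tunnel-mode overhead of the transform set shown in the posted config (esp-aes 256 esp-sha-hmac) and finds the largest host MTU that still fits a 1500-byte WAN link. Assumed here and not stated in the thread: a 4-byte L2TPv3 cookie, no L2-specific sublayer (sequencing off), ESP tunnel mode, untagged frames by default, and 20-byte IPv4 headers without options.

```python
# Overhead model for Ethernet-in-L2TPv3-in-ESP (added example, not the thread's
# config). Assumptions: L2TPv3 over IP (protocol 115) with a 4-byte session ID
# and 4-byte cookie, no L2-specific sublayer, ESP tunnel mode, IPv4 without
# options, Ethernet FCS not carried inside the pseudowire.

IPV4_HDR = 20
ETH_HDR = 14          # dst MAC + src MAC + ethertype
VLAN_TAG = 4          # extra bytes when the bridged frame carries an 802.1Q tag
L2TPV3_SESSION_ID = 4
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header, encrypted with the payload

# transform-set cipher -> (IV length, cipher block size); RFC 3602 / RFC 2451
CIPHERS = {"esp-aes 256": (16, 16), "esp-aes": (16, 16), "esp-3des": (8, 8)}
# transform-set integrity algorithm -> truncated ICV length (RFC 2404 / 2403)
ICVS = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}


def l2tpv3_size(host_pkt, vlan_tagged=False, cookie=4):
    """IPv4 packet the router sources from Loopback1 for one host IP packet."""
    frame = ETH_HDR + (VLAN_TAG if vlan_tagged else 0) + host_pkt
    return IPV4_HDR + L2TPV3_SESSION_ID + cookie + frame


def esp_tunnel_size(inner, cipher="esp-aes 256", auth="esp-sha-hmac"):
    """Outer IPv4 packet after ESP tunnel-mode encapsulation of 'inner' bytes."""
    iv, block = CIPHERS[cipher]
    body = inner + ESP_TRAILER          # plaintext that must be block-aligned
    padding = (-body) % block           # ESP pads up to the cipher block size
    return IPV4_HDR + ESP_HDR + iv + body + padding + ICVS[auth]


def on_wire_size(host_pkt, **kw):
    """IP-layer bytes leaving FastEthernet0 for one host packet of host_pkt bytes."""
    return esp_tunnel_size(l2tpv3_size(host_pkt, **kw))


def max_host_mtu(link_mtu=1500, **kw):
    """Largest host IP packet that crosses both encapsulations unfragmented."""
    size = link_mtu
    while on_wire_size(size, **kw) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for mtu in (1500, 1420, 1400, 1300):
        print(f"host MTU {mtu}: {on_wire_size(mtu)} bytes on the wire")
    print("largest host MTU fitting 1500:", max_host_mtu())
    print("same with 802.1Q-tagged frames:", max_host_mtu(vlan_tagged=True))
```

Under these assumptions a 1300-byte host packet becomes a 1400-byte outer packet, while 1400 (the value set on Vlan1 in the posted config) already produces 1512 bytes; the break-even for an untouched 1500-byte link is a host MTU of 1396 (1392 with tagged frames).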
steve_mils Mon, 12/08/2008 - 07:12

Removing that command will mean that you will see fragmentation - meaning traffic will get process-switched leading to high CPU load on your device. Did you ever experience this? If so did you solve the problem another way?

I ask because we see the same problem. We need 'ip pmtu' to stop CPU problems but at the same time we can't have it because it breaks some servers! Catch-22.

Marcin Zgola Wed, 10/03/2007 - 14:40

Can you email me a copy of your config?

I am trying to do the same thing.


! L2TPv3 pseudowire class used by the Vlan1 xconnect below
pseudowire-class vlan-xconnect
 encapsulation l2tpv3
 ip local interface Loopback1
 ip tos reflect
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key xxx address
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to
 set peer
 set transform-set ESP-AES256-SHA
 match address 100
!
interface Null0
 no ip unreachables
!
! Tunnel source for the L2TPv3 session; IPsec protects loopback-to-loopback traffic
interface Loopback1
 description L2TPv3 Tunnel Source
 ip address
 ip mtu 1420
 ip tcp adjust-mss 1300
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 24.x.x.215
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
! Attachment circuit: the whole VLAN is bridged into the pseudowire
interface Vlan1
 no ip address
 ip mtu 1400
 ip tcp adjust-mss 1300
 xconnect 1 pw-class vlan-xconnect
!
ip route 0.0.x.x.155.121.209
!
access-list 102 permit ahp host host
access-list 102 permit esp host host
access-list 102 permit udp host host eq isakmp
access-list 102 permit udp host host eq non500-isakmp
access-list 102 remark IPSec Rule
access-list 102 permit ip host host
access-list 102 deny ip any any log

Marcin Zgola Thu, 10/04/2007 - 08:52


OK, I am not sure if I am asking too much, but how does this VLAN tunneling exactly work? Can you email me the configuration on both ends?

Here is what I am trying to do:

SW1 (3VLANS) --- Router --- IPSEC/VPN --- ROUTER --- (3VLANS) --- SW2

When you look at this, I want SW1 and SW2 to share the same VLAN ID and broadcast domain.

Is this possible?

