site to site layer 2 tunnel with router and pix 501

Unanswered Question
Feb 5th, 2010

I need to create a layer 2 tunnel with a router and a PIX 501 at each end. But if I use IPsec on the PIX 501, the throughput is only 5 or so Mbps. Cleartext on a 501 is 60 Mbps. I can set up a pseudowire on the router, but I don't think the PIX 501 supports it? Any ideas? Can I use IPsec with an L2TP tunnel, but somehow turn off encryption to get more throughput?

johnnylingo Fri, 02/05/2010 - 16:43

The obvious question to ask here is what your business requirement is.   If traffic must be encrypted and you need over 4.5 Mbps of throughput, then it's time to replace the PIX 501 with an ASA5505 or 800 series router.

If encryption isn't a firm requirement, one compromise might be to configure the IPSec tunnel with AH rather than ESP.   You'll still get pretty high throughput and be protected against the data being modified.   However, it will not be encrypted.
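The AH trade-off described in the reply above, as an added Python sketch that is not part of the original thread or any Cisco code: it builds an RFC 4302 style AH header with an HMAC-SHA1-96 ICV over a simplified IPv4 header. The key, addresses, SPI and payload are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51   # IP protocol number assigned to AH
ICV_LEN = 12    # HMAC-SHA1-96: digest truncated to 96 bits

def _ip_header_for_icv(src, dst, total_len):
    # IPv4 header with mutable fields (TOS, flags/offset, TTL, checksum)
    # zeroed before the ICV is computed. ID is 0 in this constructed sample.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 0,
                       AH_PROTO, 0, src, dst)

def ah_protect(key, src, dst, spi, seq, next_hdr, payload):
    """Return AH header + payload; the payload is carried unencrypted."""
    # Payload Len = AH length in 32-bit words minus 2 -> (24 / 4) - 2 = 4
    fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    total_len = 20 + len(fixed) + ICV_LEN + len(payload)
    covered = (_ip_header_for_icv(src, dst, total_len)
               + fixed + b"\x00" * ICV_LEN + payload)
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload

def ah_verify(key, src, dst, packet):
    """Recompute the ICV from the received fields and compare in constant time."""
    fixed, icv, payload = packet[:12], packet[12:24], packet[24:]
    next_hdr, _plen, _rsvd, spi, seq = struct.unpack("!BBHII", fixed)
    expected = ah_protect(key, src, dst, spi, seq, next_hdr, payload)[12:24]
    return hmac.compare_digest(icv, expected)

def demo():
    key = b"constructed-sample-key"            # constructed, not a real secret
    src = socket.inet_aton("192.0.2.1")        # documentation addresses
    dst = socket.inet_aton("198.51.100.1")
    nat = socket.inet_aton("203.0.113.9")      # source as rewritten by a NAT
    payload = b"constructed cleartext payload"
    pkt = ah_protect(key, src, dst, 0x1001, 1, 6, payload)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return {
        "valid": ah_verify(key, src, dst, pkt),
        "payload_readable_on_wire": payload in pkt,   # integrity only
        "tamper_detected": not ah_verify(key, src, dst, tampered),
        "breaks_behind_nat": not ah_verify(key, nat, dst, pkt),
    }

if __name__ == "__main__":
    print(demo())
```

Because the ICV covers the IP addresses, an AH-protected packet whose source address has been rewritten in transit fails verification at the receiver.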

libliblib Fri, 02/05/2010 - 16:49

Encryption is not a requirement, but we do need more than 5 Mbps throughput.

Is it possible to set up a straight L2TP tunnel on the 501?

johnnylingo Mon, 02/08/2010 - 10:00

Yes, the PIXes do support L2TP.  Here's a sample config for version 6.3 to a Windows 2000 box:

But if your L2TP tunnel requires encryption, I'm pretty sure you will be knocked down to 4.5 Mb/s throughput.

If it were me, and the other device was a router, I'd just use IPSec w/ AH.

libliblib Fri, 02/12/2010 - 15:11

Yes, the other device is a 7206 router.

How can I set up IPsec with just AH to get the throughput as high as possible?

Arup Dutta Fri, 02/05/2010 - 21:35

libliblib, the PIX 501 does not support tunneling. If you want to use a tunnel, you can go with a higher version of PIX or an ASA.

If this is helpful, please give me a rating.

Thank you,