IPsec over GPRS

Kjetil Fleten
Level 1

I have a scenario with an IPsec tunnel between two 851 routers. The first router has a public IP address and is connected to a cable modem. The second router has a private IP address and is connected to a GPRS modem with a dynamic private IP address from the service provider.

An IPsec tunnel is established, and the VPN LED on both routers is on. When running a test from SDM, the report says that the tunnel is fine, but that ping is failing due to the MTU size. I have issued the 'crypto ipsec df-bit clear' command on interface fa4 on both routers, but the problem persists. Any suggestions?

8 Replies

carenas123
Level 5

The VPN Client now adjusts the Maximum Transmission Unit (MTU) size. The Set MTU Utility option is no longer a required installation step and has been removed from the Start menu. Use Internet Explorer in order to access the Set MTU Utility option. You can also choose Start > Run, choose Browse, and navigate to the Cisco Systems VPN Client directory.

The VPN client is not a PC, but a Cisco 851 router. The complaint about the MTU size comes from within the SDM on the router. So when the router itself complains, there must be additional configuration to do on the router?

Hi,

On the VPN interfaces add the command: ip mtu

If the users start experiencing problems, like no email replication, then TCP is failing due to the hosts not receiving notifications from the router about the MTU being lower than the Ethernet MTU.

In this case you add the command on the VPN interface: ip tcp adjust-mss

This will trick the TCP at handshake to use a lower payload to match your MTU.

Your ping will not work if you choose "DF set", but I can assure you TCP will work.

UDP will never get that large so don't worry about it.

Check http://cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html

Please rate if this helped.

Regards,

Daniel

By sending ping to a DNS server on the internet, I find that the MTU is 1472 through the GPRS (Not through VPN). I have added "ip mtu 1472" on both the WAN interface (fa4) and the LAN interface (VLAN1) on both routers. I have also applied the "ip tcp adjust-mss 1412" on both interfaces on both routers. I have removed the "crypto ipsec df-bit" on all interfaces.

I still get the same message from the VPN test in SDM that the VPN is OK, but the MTU might have a problem (see attachment). The VPN lamp on both routers is on, but ping, telnet and http through the VPN still fail?

Hi, on both LAN interfaces of the routers issue the command:

ip tcp adjust-mss 1300

This will trick the hosts to lower the maximum communication load. This works for TCP.

Ping will still say MTU problem, just ignore it.

UDP packets never get that big, so no worries.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ft_admss.htm

Please rate if this helped.

Regards,

Daniel

I guess that applying "ip tcp adjust-mss 1300" on interface vlan1 on both routers is just as good as doing it on interfaces fa0 to fa3? The command is now applied, but the problem persists. The LAN IP address of the remote router is 192.168.0.1. I'm not able to telnet or start SDM via my browser over the VPN.

The running config is attached (VPNconfig)

Hi,

On the crypto map interface (F4) there should be no mtu statement:

no ip mtu 1472

no ip tcp adjust-mss 1412

I have now removed the "ip mtu 1472" and "ip tcp adjust-mss 1412" on both routers, but the problem persists.
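As an added example that is not part of the thread, the arithmetic behind Daniel's MSS advice: ESP tunnel mode wraps each TCP segment in an outer IP header, ESP header, IV, padding, trailer and ICV, so the clamped MSS must leave room for all of that below the path MTU. The 1472 figure is the value reported in the thread; the cipher/hash choices and the NAT-T case are assumptions, since the thread does not state them.

```python
# Added example (not from the thread): estimate ESP tunnel-mode overhead and
# derive the largest TCP MSS that still fits the path MTU. Header sizes are
# the standard ESP values; the 1472 MTU is the one reported in the thread,
# cipher/auth selection and NAT-T use are assumptions.

CIPHER_BLOCK = {"3des": 8, "aes": 16}      # CBC IV = one block, pad aligns to block
ICV_LEN = {"md5": 12, "sha1": 12, "sha256": 16}  # truncated HMAC lengths

OUTER_IP = 20      # new IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
NAT_T_UDP = 8      # UDP/4500 encapsulation when NAT traversal is negotiated
INNER_IP_TCP = 40  # inner IPv4 header + TCP header without options


def esp_packet_size(mss, cipher="3des", auth="sha1", nat_t=False):
    """On-the-wire size of one ESP tunnel-mode packet carrying a full-size
    TCP segment with `mss` bytes of payload."""
    block = CIPHER_BLOCK[cipher]
    inner = INNER_IP_TCP + mss
    # Inner packet plus trailer is padded up to a multiple of the block size.
    pad = (-(inner + ESP_TRAILER)) % block
    size = OUTER_IP + ESP_HEADER + block + inner + pad + ESP_TRAILER + ICV_LEN[auth]
    if nat_t:
        size += NAT_T_UDP
    return size


def max_mss(path_mtu, cipher="3des", auth="sha1", nat_t=False):
    """Largest MSS whose encrypted packet is still <= path_mtu (no fragmentation)."""
    mss = path_mtu - INNER_IP_TCP
    while mss > 0 and esp_packet_size(mss, cipher, auth, nat_t) > path_mtu:
        mss -= 1
    return mss


def mss_fits(mss, path_mtu, **kw):
    """True if a segment of `mss` bytes survives encapsulation without fragmenting."""
    return esp_packet_size(mss, **kw) <= path_mtu


if __name__ == "__main__":
    PATH_MTU = 1472  # value measured with DF-set pings in the thread
    for mss in (1412, 1300):  # the two clamp values tried in the thread
        for natt in (False, True):
            wire = esp_packet_size(mss, nat_t=natt)
            print(f"mss={mss} nat_t={natt}: {wire} bytes, fits={wire <= PATH_MTU}")
    print("max MSS 3des/sha1:", max_mss(PATH_MTU))
    print("max MSS aes/sha1 + NAT-T:", max_mss(PATH_MTU, cipher="aes", nat_t=True))
```

Under the 3DES/SHA1 assumption a 1412-byte MSS encapsulates to 1504 bytes, above the 1472 path MTU, while 1300 lands at 1392; the clamp belongs on the LAN-side interface so hosts negotiate it before their traffic reaches the crypto map interface.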
