11-11-2002 03:55 PM - edited 02-21-2020 12:10 PM
Hi,
I have a current LAN-to-LAN tunnel setup between VPN 3000 (3.6) and Cisco 1721 (12.2(11)T).
When I use Encryption = Des-56 and Authentication = ESP\MD5\HMAC-128 for the IPSec SA, everything works fine.
However, I want to turn off encryption for some time to get some speed improvements, so I changed
Encryption = esp-null (in 1721) and to "null" in VPN-3000.
Now the tunnel gets set up but I can only pass ICMP traffic. When I pass UDP\TCP traffic, the message below appears on the Cisco 1721:
%C1700_EM-1-ERROR: packet-rx error: pad size error, id 75, pool offset 0
Has anyone seen this behaviour?
Has anyone implemented an IPSec tunnel with only ESP Authentication and NO encryption between VPN-3000 and Cisco 1721?
Thanx \\ Naman
11-14-2002 09:13 AM
Naman,
Did you turn off the VPN accelerator? "no crypto engine accel". Pretty sure you can't do null with a VPN module.
Kurtis Durrett
11-14-2002 09:37 AM
Hi Kurtis,
That solved the issue..! Thanx
This brings up another question: if protecting\encrypting the data is not an issue, then should I go with
1. Encryption using the Accelerator engine
OR
2. Null Encryption without the Accelerator.
I am thinking that even if NO Accelerator is used with Null encryption, option 2 would still be faster (as I have seen with Ping Times)?
11-14-2002 10:10 AM
What is the ping time difference with/without encryption? You might be having another problem. You have a VPN router with an accelerator card and you are doing VPN, why wouldn't you be using encryption in this scenario? I guess if it's not an issue, you can always go with just GRE, if it's R2R. There will be some overhead with IPsec, but it shouldn't be a huge difference. Try running a debug ip icmp and do your ping test as well. Maybe even try sending a file, with encryption. This will give us a clue whether or not you're experiencing an MTU issue, which is quite typical with IPsec. 12.2.11T for IPsec, bleh. But that can be addressed later.
Kurtis Durrett
11-14-2002 10:24 AM
Avg. Difference is around 24ms for each ping request (1024 Bytes each).
GRE is not an option as it is from Router to VPN 3000.
I would try with a file transfer to get more accurate results.
Is there any information about the MTU issue you are referring to?
Thanx \\ Naman
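
On the MTU question raised above, an added example (not written by any poster in this thread) that works out ESP tunnel-mode packet sizes for the two transforms discussed: DES with HMAC-MD5, and null encryption with HMAC-MD5. It assumes an outer IPv4 header without options, no UDP encapsulation and a 1500-byte path MTU; the function names and sample packet sizes are constructed for illustration.

```python
# Added example: ESP tunnel-mode size arithmetic (field layout per RFC 2406).
OUTER_IP = 20      # outer IPv4 header, no options (assumption)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
ICV_MD5_96 = 12    # HMAC-MD5 output truncated to 96 bits (RFC 2403)

# transform name -> (IV bytes, cipher block size in bytes)
CIPHERS = {"des": (8, 8), "null": (0, 1)}


def esp_padding(inner_len, cipher):
    """Pad bytes needed so payload + trailer fills whole cipher blocks.

    Even with the null cipher (block size 1), the ESP trailer must end
    on a 4-byte boundary, so padding never disappears entirely.
    """
    _, block = CIPHERS[cipher]
    align = max(block, 4)
    return -(inner_len + ESP_TRAILER) % align


def esp_packet_size(inner_len, cipher):
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    iv, _ = CIPHERS[cipher]
    pad = esp_padding(inner_len, cipher)
    return OUTER_IP + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + ICV_MD5_96


def max_inner_len(mtu, cipher):
    """Largest inner IP packet that still fits in `mtu` without fragmentation."""
    iv, block = CIPHERS[cipher]
    align = max(block, 4)
    room = mtu - OUTER_IP - ESP_HDR - iv - ICV_MD5_96
    return room - room % align - ESP_TRAILER


if __name__ == "__main__":
    # Constructed sample sizes: a 1024-byte and a full 1500-byte inner packet.
    for cipher in CIPHERS:
        for inner in (1024, 1500):
            total = esp_packet_size(inner, cipher)
            verdict = "fits" if total <= 1500 else "exceeds 1500-byte MTU"
            print(f"{cipher:4} inner={inner:4} -> {total:4} bytes ({verdict})")
        print(f"{cipher:4} largest inner packet at MTU 1500: "
              f"{max_inner_len(1500, cipher)}")
```

A full-size 1500-byte inner packet exceeds a 1500-byte path MTU under either transform, which is why large transfers can stall across a tunnel while small pings succeed.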