Cisco Support Community
Community Member

LAN-to-LAN Tunnel between VPN 3000 and Cisco 1721

Hi,

I have a current LAN-to-LAN tunnel setup between VPN 3000 (3.6) and Cisco 1721 (12.2(11)T).

When I use Encryption = Des-56 and Authentication = ESP\MD5\HMAC-128 for the IPSec SA, everything works fine.

However, I want to turn off encryption for some time to get some speed improvements, so I changed

Encryption = esp-null (in 1721) and to "null" in VPN-3000.

Now the tunnel gets set up but I can only pass ICMP traffic. When I pass UDP\TCP traffic the below message appears on the Cisco 1721:

%C1700_EM-1-ERROR: packet-rx error: pad size error, id 75, pool offset 0

Has anyone seen this behaviour?

Has anyone implemented an IPSec tunnel with only ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

Thanx \\ Naman

1 ACCEPTED SOLUTION

Community Member

Re: LAN-to-LAN Tunnel between VPN 3000 and Cisco 1721

Naman,

Did you turn off the VPN accelerator? "no crypto engine accel". Pretty sure you can't do null with a VPN module.

Kurtis Durrett

4 REPLIES

Community Member

Re: LAN-to-LAN Tunnel between VPN 3000 and Cisco 1721

Hi Kurtis,

That solved the issue..! Thanx

This brings up another question: if protecting\encrypting the data is not an issue, then should I go with

1. Encryption using the Accelerator engine

OR

2. Null Encryption without the Accelerator.

I am thinking that even if NO Accelerator is used with Null encryption, option 2 would still be faster (as I have seen with ping times)?

Community Member

Re: LAN-to-LAN Tunnel between VPN 3000 and Cisco 1721

What is the ping time difference with/without encryption? You might be having another problem. You have a VPN router with an accelerator card and you are doing VPN, why wouldn't you be using encryption in this scenario? I guess if it's not an issue, you can always go with just GRE, if it's R2R. There will be some overhead with IPsec, but it shouldn't be a huge difference. Try running a debug ip icmp and do your ping test as well. Maybe even try sending a file, with encryption. This will give us a clue whether or not you're experiencing an MTU issue, which is quite typical with IPsec. 12.2.11T for IPsec, bleh. But that can be addressed later.

Kurtis Durrett
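
The IPsec overhead and MTU concern raised in the reply above can be worked out from the ESP packet layout. The following is an added example, not part of any post in this thread: it computes tunnel-mode packet sizes for the two transform sets discussed (DES with MD5 authentication, and null encryption with MD5 authentication). Assumptions: IPv4 with a 20-byte outer header, no NAT traversal, a 1500-byte path MTU, and a ping carrying 1024 bytes of ICMP data.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 2406 packet layout).
from dataclasses import dataclass

OUTER_IP = 20      # outer IPv4 header, no options (assumption)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_MD5_96 = 12    # HMAC-MD5 output truncated to 96 bits (RFC 2403)


@dataclass(frozen=True)
class Transform:
    name: str
    iv_len: int    # bytes of IV carried in every packet
    block: int     # cipher block size in bytes


DES_MD5 = Transform("esp-des + esp-md5-hmac", iv_len=8, block=8)
NULL_MD5 = Transform("esp-null + esp-md5-hmac", iv_len=0, block=1)


def pad_len(inner_len, t):
    # Payload + padding + trailer must end on a cipher-block boundary and,
    # even for NULL (block size 1), on a 4-byte boundary.
    align = max(t.block, 4)
    return -(inner_len + ESP_TRAILER) % align


def esp_packet_len(inner_len, t):
    # Total bytes on the wire for one inner IP packet of inner_len bytes.
    return (OUTER_IP + ESP_HEADER + t.iv_len + inner_len
            + pad_len(inner_len, t) + ESP_TRAILER + ICV_MD5_96)


def max_inner_len(path_mtu, t):
    # Largest inner IP packet whose ESP packet still fits in path_mtu.
    room = path_mtu - OUTER_IP - ESP_HEADER - t.iv_len - ICV_MD5_96
    align = max(t.block, 4)
    return room - room % align - ESP_TRAILER


if __name__ == "__main__":
    ping = 20 + 8 + 1024   # assumed: IP + ICMP headers + 1024 data bytes
    for t in (DES_MD5, NULL_MD5):
        for inner in (ping, 1500):
            total = esp_packet_len(inner, t)
            verdict = "fits" if total <= 1500 else "exceeds 1500-byte MTU"
            print(f"{t.name}: inner {inner} -> {total} bytes ({verdict})")
        print(f"{t.name}: largest inner packet = {max_inner_len(1500, t)}")
```

Under these assumptions the two transform sets differ by only 8 bytes per packet (the DES IV), and a full 1500-byte inner packet exceeds the path MTU with either one, so large transfers are affected where small pings are not.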

Community Member

Re: LAN-to-LAN Tunnel between VPN 3000 and Cisco 1721

Avg. Difference is around 24ms for each ping request (1024 Bytes each).

GRE is not an option as it is from Router to VPN 3000.

I would try with a file transfer to get more accurate results.

Is there any information about the MTU issue you are referring to?

Thanx \\ Naman
