LAN-to-LAN Tunnel between VPN 3000 and Cisco 1721

mnlatif
Level 3

Hi,

I have a current LAN-to-LAN tunnel setup between VPN 3000 (3.6) and Cisco 1721 (12.2(11)T).

When I use Encryption = Des-56 and Authentication = ESP\MD5\HMAC-128 for the IPSec SA, everything works fine.

However, I want to turn off encryption for some time to get some speed improvements, so I changed

Encryption = esp-null (in 1721) and to "null" in VPN-3000.

Now the tunnel gets set up but I can only pass ICMP traffic. When I pass UDP\TCP traffic the below message appears on the Cisco 1721

%C1700_EM-1-ERROR: packet-rx error: pad size error, id 75, pool offset 0

Has anyone seen this behaviour?

Has anyone implemented an IPSec Tunnel with only ESP Authentication and NO encryption between VPN-3000 and Cisco 1721?

Thanx \\ Naman

Accepted Solutions

kdurrett
Level 3

Naman,

Did you turn off the VPN accelerator? "no crypto engine accel". Pretty sure you can't do null with a VPN module.

Kurtis Durrett

Hi Kurtis,

That solved the issue..! Thanx

This brings up another question: if protecting\encrypting the data is not an issue, then should I go with

1. Encryption using the Accelerator engine

OR

2. Null Encryption without the Accelerator.

I am thinking that even if NO Accelerator is used with Null encryption, option 2 would still be faster (as I have seen with Ping Times)?

What is the ping time difference with/without encryption? You might be having another problem. You have a VPN router with an accelerator card and you are doing VPN, why wouldn't you be using encryption in this scenario? I guess if it's not an issue, you can always go with just GRE, if it's R2R. There will be some overhead with IPsec, but it shouldn't be a huge difference. Try running a debug ip icmp and do your ping test as well. Maybe even try sending a file, with encryption. This will give us a clue whether or not you're experiencing an MTU issue, which is quite typical with IPsec. 12.2.11T for IPsec, bleh. But that can be addressed later.

Kurtis Durrett

Avg. Difference is around 24ms for each ping request (1024 Bytes each).

GRE is not an option as it is from Router to VPN 3000.

I would try with a file transfer to get more accurate results.

Is there any information about the MTU issue you are referring to?

Thanx \\ Naman
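
Added example (not part of any post in this thread): a small calculator for the ESP tunnel-mode overhead behind the MTU issue mentioned above, comparing the two transforms discussed here, DES with MD5-HMAC and ESP-NULL with MD5-HMAC. It assumes an IPv4 outer header without options, no NAT-T/UDP encapsulation, a 1500-byte path MTU and a 12-byte (96-bit) MD5-HMAC ICV; the function names and sample packet sizes are constructed for illustration.

```python
# Added example: ESP tunnel-mode packet sizes for the two transforms in this thread.
# Assumptions (not from the thread): IPv4 outer header without options, no NAT-T,
# HMAC-MD5 truncated to 96 bits (12-byte ICV), path MTU of 1500 bytes.

OUTER_IP = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
ICV_MD5_96 = 12    # integrity check value for esp-md5-hmac

# transform -> (IV bytes, alignment of payload + padding + trailer)
TRANSFORMS = {
    "esp-des": (8, 8),    # DES-CBC: 8-byte IV, 8-byte cipher blocks
    "esp-null": (0, 4),   # no IV; ESP still aligns the trailer to 4 bytes
}

def esp_packet_size(inner_len, transform, icv=ICV_MD5_96):
    """Return (outer packet length, padding bytes) for an inner IP packet."""
    iv, align = TRANSFORMS[transform]
    body = inner_len + ESP_TRAILER
    pad = -body % align          # bytes needed to reach the next alignment boundary
    return OUTER_IP + ESP_HDR + iv + body + pad + icv, pad

def max_inner_packet(path_mtu, transform, icv=ICV_MD5_96):
    """Largest inner IP packet whose ESP packet fits in path_mtu unfragmented."""
    iv, align = TRANSFORMS[transform]
    room = path_mtu - OUTER_IP - ESP_HDR - iv - icv
    room -= room % align         # only whole aligned bodies fit
    return room - ESP_TRAILER

def report(inner_sizes=(1024, 1400, 1500), path_mtu=1500):
    """Rows of (transform, inner, outer, pad, exceeds_mtu) for constructed sizes."""
    rows = []
    for name in TRANSFORMS:
        limit = max_inner_packet(path_mtu, name)
        for inner in inner_sizes:
            outer, pad = esp_packet_size(inner, name)
            rows.append((name, inner, outer, pad, inner > limit))
    return rows

if __name__ == "__main__":
    for name, inner, outer, pad, too_big in report():
        note = "exceeds MTU (fragmented, or dropped if DF is set)" if too_big else "fits"
        print(f"{name:9} inner={inner:5} outer={outer:5} pad={pad} {note}")
    for name in TRANSFORMS:
        print(f"{name:9} largest inner packet at MTU 1500: {max_inner_packet(1500, name)}")
```

Under these assumptions, dropping DES saves only the 8-byte IV plus a few bytes of padding per packet, and a full-size 1500-byte inner packet exceeds the path MTU with either transform.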
