Site to Site VPN over 10meg pipe help with speed issues

joneschw1 · ‎02-21-2008

Hello,

I have a 10 meg pipe between 2 sites, and want to encrypt the traffic as it travels through the pipe. I have 2 2800 series routers to do this. My set up is as follows:

site1 lan(192.168.1.x)

site2 lan(10.83.1.x)

site1 p2p WAN interface 10.254.254.253

site2 p2p WAN interface 10.254.254.254

My problem is when I ping the WAN interface of router 2 (10.254.254.253) from site1 (192.168.1.x) I get reponses of <1ms. When I ping from site 1 (192.168.1.x) to site 2 (10.83.1.x) I am getting reponses of 3ms. I know that is b/c I am encrypting that traffic, but it seems that I shouldn't have a 300% increase. My relevant configs for both routers are below. Any help in speeding things up would be greatly appreciated.

Site1

version 12.4

!

hostname site1

!

ip subnet-zero

no ip source-route

no ip gratuitous-arps

!

ip cef

!

no ip bootp server

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address 10.254.254.254

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode transport

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to 10.254.254.254

set peer 10.254.254.254

set transform-set ESP-3DES-SHA

match address 101

!

interface FastEthernet0/0

description metro ethernet subnet

bandwidth 10240

ip address 10.254.254.253 255.255.255.252

duplex full

speed 100

no mop enabled

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

description internal site1 lan

ip address 192.168.1.8 255.255.255.0

duplex auto

speed auto

no mop enabled

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip route 10.83.1.0 255.255.255.0 FastEthernet0/0

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.83.1.0 0.0.0.255

!

control-plane

!

scheduler allocate 20000 1000

Site2

version 12.4

!

hostname site2

!

boot-start-marker

boot-end-marker

!

no aaa new-model

!

resource policy

!

ip subnet-zero

no ip source-route

no ip gratuitous-arps

!

ip cef

!

no ip bootp server

ip domain name yourdomain.com

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address 10.254.254.253

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode transport

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to 10.254.254.253

set peer 10.254.254.253

set transform-set ESP-3DES-SHA

match address 100

!

interface GigabitEthernet0/0

description metro ethernet subnet

bandwidth 10240

ip address 10.254.254.254 255.255.255.252

duplex full

speed 100

no mop enabled

crypto map SDM_CMAP_1

!

interface GigabitEthernet0/1

ip address 10.83.1.8 255.255.255.0

duplex auto

speed auto

no mop enabled

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.83.1.1

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0

!

no ip http server

!

access-list 100 permit ip 10.83.1.0 0.0.0.255 192.168.1.0 0.0.0.255

no cdp run

andrewswanson · ‎02-21-2008

Are you experiencing IP fragmentation? i had a similar problem with a gre/ipsec tunnel between an ASA5500 and an 1800 Router. Was running at a snails pace until we changed the MTU to 1440 in line with the Cisco doc http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml . once the MTU was changed, fragmentation stopped and the tunnel was significantly faster (although remote end users had problems accessing some websites like Hotmail, MSN until we changed their PC MTU to match the tunnel).