02-21-2008 07:32 AM - edited 02-21-2020 03:34 PM
Hello,
I have a 10 meg pipe between 2 sites, and want to encrypt the traffic as it travels through the pipe. I have 2 2800 series routers to do this. My setup is as follows:
site1 lan(192.168.1.x)
site2 lan(10.83.1.x)
site1 p2p WAN interface 10.254.254.253
site2 p2p WAN interface 10.254.254.254
My problem is when I ping the WAN interface of router 2 (10.254.254.253) from site1 (192.168.1.x) I get responses of <1ms. When I ping from site 1 (192.168.1.x) to site 2 (10.83.1.x) I am getting responses of 3ms. I know that is b/c I am encrypting that traffic, but it seems that I shouldn't have a 300% increase. My relevant configs for both routers are below. Any help in speeding things up would be greatly appreciated.
Site1
version 12.4
!
hostname site1
!
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
ip cef
!
no ip bootp server
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address 10.254.254.254
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 10.254.254.254
set peer 10.254.254.254
set transform-set ESP-3DES-SHA
match address 101
!
interface FastEthernet0/0
description metro ethernet subnet
bandwidth 10240
ip address 10.254.254.253 255.255.255.252
duplex full
speed 100
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description internal site1 lan
ip address 192.168.1.8 255.255.255.0
duplex auto
speed auto
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.83.1.0 255.255.255.0 FastEthernet0/0
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.83.1.0 0.0.0.255
!
control-plane
!
scheduler allocate 20000 1000
Site2
version 12.4
!
hostname site2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
ip domain name yourdomain.com
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address 10.254.254.253
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 10.254.254.253
set peer 10.254.254.253
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface GigabitEthernet0/0
description metro ethernet subnet
bandwidth 10240
ip address 10.254.254.254 255.255.255.252
duplex full
speed 100
no mop enabled
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
ip address 10.83.1.8 255.255.255.0
duplex auto
speed auto
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.83.1.1
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
!
no ip http server
!
access-list 100 permit ip 10.83.1.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
02-21-2008 08:39 AM
Are you experiencing IP fragmentation? I had a similar problem with a gre/ipsec tunnel between an ASA5500 and an 1800 Router. It was running at a snail's pace until we changed the MTU to 1440 in line with the Cisco doc http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml . Once the MTU was changed, fragmentation stopped and the tunnel was significantly faster (although remote end users had problems accessing some websites like Hotmail, MSN until we changed their PC MTU to match the tunnel).
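To put numbers on the fragmentation point raised in the reply, here is an added Python example (not from either poster) that computes the on-the-wire size of a packet after the ESP-3DES-SHA encapsulation both configs use, with or without the GRE wrapper the reply mentions, and the largest cleartext packet that still fits a 1500-byte link. It assumes IPv4 without options, HMAC-SHA1-96 for esp-sha-hmac, and a basic 4-byte GRE header.

```python
# Added example, not from either poster: ESP-3DES-SHA size arithmetic to see
# where a 1500-byte link starts fragmenting. Assumes IPv4 without options,
# HMAC-SHA1-96 (esp-sha-hmac) and a basic 4-byte GRE header.
IP_HEADER = 20                # IPv4 header, no options
ESP_HEADER = 8                # SPI (4) + sequence number (4)
IV_3DES = 8                   # 3DES-CBC IV; also the block size padded to
ESP_TRAILER = 2               # pad length (1) + next header (1)
ICV_SHA1_96 = 12              # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits
GRE_OVERHEAD = IP_HEADER + 4  # GRE delivery IP header + basic GRE header

def pad_to_block(n: int, block: int = IV_3DES) -> int:
    """Round n up to a multiple of the cipher block size."""
    return (n + block - 1) // block * block

def wire_size(ip_packet_len: int, tunnel: bool = True) -> int:
    """Bytes on the wire once ESP-3DES-SHA protects an IPv4 packet.

    Tunnel mode encrypts the whole packet behind a new outer header; transport
    mode keeps the original header and encrypts only its payload. The configs
    above say `mode transport`, but for LAN-to-LAN traffic that is not between
    the peers themselves IOS negotiates tunnel mode, so check both.
    """
    to_encrypt = ip_packet_len if tunnel else ip_packet_len - IP_HEADER
    encrypted = pad_to_block(to_encrypt + ESP_TRAILER)
    return IP_HEADER + ESP_HEADER + IV_3DES + encrypted + ICV_SHA1_96

def gre_wrap(ip_packet_len: int) -> int:
    """Packet size after GRE wraps it, as in the reply's GRE/IPsec tunnel."""
    return ip_packet_len + GRE_OVERHEAD

def max_clear_size(link_mtu: int = 1500, tunnel: bool = True,
                   gre: bool = False) -> int:
    """Largest original IPv4 packet that crosses link_mtu without fragmenting."""
    for n in range(link_mtu, IP_HEADER, -1):
        wrapped = gre_wrap(n) if gre else n
        if wire_size(wrapped, tunnel) <= link_mtu:
            return n
    raise ValueError("no packet size fits the link MTU")

if __name__ == "__main__":
    print("1500-byte LAN packet on the wire (tunnel mode):", wire_size(1500))
    for tunnel in (True, False):
        for gre in (False, True):
            print(f"max clear size tunnel={tunnel} gre={gre}:",
                  max_clear_size(1500, tunnel, gre))
    # The reply's 1440-byte MTU on a GRE/IPsec tunnel in transport mode:
    print("1440 via GRE, transport:", wire_size(gre_wrap(1440), tunnel=False))
```

A full-size 1500-byte LAN packet grows to 1552 bytes in tunnel mode, so every such packet is split in two on the metro link; without GRE the largest packet that fits is 1446 bytes (tunnel) or 1466 bytes (transport), and the reply's 1440 clears a GRE/IPsec transport-mode tunnel at 1496 bytes.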