We are trying to install a P2P VPN tunnel using Cisco 7120+SA-ISA as endpoints.
Intranet <--> 7120 <--> WIFI LINK <--> 7120 <--> Intranet
The WiFi link, routing and so on work perfectly; iperf shows us 26 Mbits/sec real performance, which is fine for 802.11g. Interfaces on the 7120s are clean of any errors.
When we enable IPsec, the tunnel is established and visible with "show crypto" commands; status seems to be good.
When we try to ping over the VPN, it works.
When we try to ssh over vpn, it works as well, as long as not much data is passing through.
When we try something intensive like an iperf test, scp or a simple "find /" in ssh, that connection simply stalls. New connections can be opened in parallel, and ICMP echo requests can keep running without interruption. It all seems as if the VPN tunnel disrupts the TCP connection badly when it gets intensive.
Here is the config from one of the routers; the other is basically the same with different IPs and an adjusted match list.
You need to increase the MTU size for the VPN connection. A small MTU size for a VPN connection can cause large packets to get fragmented, and sometimes they may get dropped. Increase the MTU size using the "mtu" command on both routers. The following link may help you
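Added example, not part of the original thread: the size arithmetic behind the symptom described above, where pings and light SSH traffic pass but full-size TCP segments stall. The transform sets and the 1500-byte link MTU are assumptions, since the routers' crypto configuration is not shown on the page.

```python
"""ESP tunnel-mode size arithmetic (added example; transform values are assumptions)."""
from dataclasses import dataclass

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
TCP_IP_HDRS = 40   # inner IPv4 (20) + TCP (20), no options

@dataclass(frozen=True)
class Transform:
    name: str
    block: int   # cipher block size; payload is padded to a multiple of this
    iv: int      # per-packet IV length
    icv: int     # truncated integrity check value length

# Assumed transforms: the page does not show the routers' transform set.
TDES_SHA1 = Transform("esp-3des esp-sha-hmac", block=8, iv=8, icv=12)
AES_SHA1 = Transform("esp-aes esp-sha-hmac", block=16, iv=16, icv=12)

def esp_packet_size(inner_len: int, t: Transform) -> int:
    """Size on the wire of an inner IP packet after ESP tunnel-mode encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // t.block) * t.block  # round up to block
    return OUTER_IP + ESP_HDR + t.iv + padded + t.icv

def max_inner_packet(link_mtu: int, t: Transform) -> int:
    """Largest inner IP packet that still fits in link_mtu once encapsulated."""
    room = link_mtu - (OUTER_IP + ESP_HDR + t.iv + t.icv)
    if room < t.block:
        raise ValueError("link MTU too small for this transform")
    return (room // t.block) * t.block - ESP_TRAILER

def max_tcp_mss(link_mtu: int, t: Transform) -> int:
    """Largest TCP MSS whose segments avoid fragmentation after encryption."""
    return max_inner_packet(link_mtu, t) - TCP_IP_HDRS

def report(link_mtu: int = 1500) -> list:
    """Per transform: (name, 84-byte ping size, full-size packet size, max inner, max MSS)."""
    return [(t.name, esp_packet_size(84, t), esp_packet_size(link_mtu, t),
             max_inner_packet(link_mtu, t), max_tcp_mss(link_mtu, t))
            for t in (TDES_SHA1, AES_SHA1)]

if __name__ == "__main__":
    for name, ping, full, inner, mss in report():
        print(f"{name}: 84-byte ping -> {ping}, 1500-byte packet -> {full}, "
              f"max inner {inner}, max MSS {mss}")
```

Under these assumptions a default ping stays far below the link MTU after encapsulation, while a 1500-byte TCP packet grows past it and must be fragmented or dropped.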