Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1044
Views
5
Helpful
6
Replies

Can one influence the max. packet size of ISAKMP packets of the other party when creating site-to-site VPN?

Norbert Rozs
Level 1
Level 1

‎05-22-2014 07:09 AM

Dear Community,

 

Can one influence the max. packet size of ISAKMP packets of the other party when creating site-to-site VPN just like the analogy when you use "ip tcp adjust-mss" and inform the other party about our max. MSS?

Thing is: I try to establish a cert. based site-to-site VPN and the local ISP's Layer 1/2 devices (of the branch router) are dropping packets (without ICMP notification) larger than 1452 bytes and DF bit set (as ISAKMP set it..). This happens to us: the branch office router don't receive the cert. of the concentrator because it is about 1800 bytes long (fragmented to two 1500+300 bytes packets) and the branch router goes back from MM5 state to Phase 1 because of the MM4 retransmissions. The concentrator has a lot of VPN tunnels so I cannot change anything on that part but I got the idea to somehow influence the packet size from the branch router just like when one configure "ip tcp adjust-mss" and influences the other side of the TCP session to lower the packet size/MSS. The router is a Cisco 3925 with IOS 15.1(2)T5 at the moment.

Is it possible somehow?

 

 

Sincerely,
Norbert

1 person had this problem
Labels:
0 Helpful
6 Replies 6

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎05-22-2014 09:25 AM

Norbert, 

Not on IKEv1, I believe there's MTU commands but they are impacting only RA in certain scenarios. 

What you're looking for is easily available in IKEv2. 

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book/sec-cfg-ikev2-flex.html#GUID-E5A3890E-0A3B-411D-86C4-A4D08C6E54A9

But on your IOS version you'd have problems sharing IKEv1 and IKEv2 on same source interface. 

M.

 

Norbert Rozs
Level 1
Level 1
In response to Marcin Latosiewicz

‎05-22-2014 09:31 AM

Marcin,

 

Yes, it is correct what you wrote but as I mentioned the concentrator is terminating a lot of other sessions so neither the change to IKEv2 nor change anything on the concentrator is possible to me (plus far as I know this is influencing only the side where you configure the command).

 

 

Norbert

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Norbert Rozs

‎05-22-2014 09:39 AM

Norbert,

This is worth pursuing with the ISP (or switching to IPv6 where you cannot fragment in transit :D).

Alternative, again impacting a wider range, is to decrease the physical MTU, or punt the IKE negotiation traffic (via local policy?) through some path which would cause fragmentation to occur prior to 1500 bytes leaving your environment. 

M.

 

0 Helpful

Norbert Rozs
Level 1
Level 1
In response to Marcin Latosiewicz

‎05-22-2014 09:45 AM

Marcin,

 

We reported it but the ISP cannot do anything with this.. The problem is not with the packets from the branch but from the concentrator - so the alternative solution to change anything on it is not possible. This is why I am chasing a solution to influence the concentrator somehow from the branch router.

 

 

Norbert

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Norbert Rozs

‎05-22-2014 10:06 AM

Norbert, 

There's no provision for this in IKEv1 standards(s), AFAIR, and I don't think it would be on top of the list of demands from most deployments. 

I don't believe there's an easy way to implement anything on branch to influence how HQ behaves. 

You'd need to trigger an unreachable somehow and if you're losing packets that might not be reliable. 

 

Does ISP drop both fragments or one of them? Initial or last?

 

M.

 

0 Helpful

Norbert Rozs
Level 1
Level 1
In response to Marcin Latosiewicz

‎02-19-2015 06:19 AM

Sorry for the late reply.

The ISP is dropping the first of the two packets (the first piece of the cert), we see the second, smaller one.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents