site to site layer 2 tunnel with router and pix 501

libliblib · ‎02-05-2010

I need to create a layer 2 tunnel with a router and a pix 501 and each end. But, if I use IPsec on a the pix501, the throughput is only 5 or so mpbs. Cleartext on a 501 is 60mbps. I can setup a psuedowire on the router, but I don't think the pix 501 supports it? Any ideas? Can I use ipsec with l2tp tunnel, but some how turn off encyrtion to get more throughput?

johnnylingo · ‎02-05-2010

The obvious question to ask here is what your business requirement is. If traffic must be encrypted and you need over 4.5 Mbps of throughput, then it's time to replace the PIX 501 with an ASA5505 or 800 series router.

If encryption isn't a firm requirement, one compromise might be to configure the IPSec tunnel with AH rather than ESP. You'll still get pretty high throughput and be protected against the data being modified. However, it will not be encrypted.

libliblib · ‎02-05-2010

Encryption is not a requirement, but we do need more than 5mbps throughput.

Is it possible to setup a straight l2tp tunnel on the 501?

johnnylingo · ‎02-08-2010

Yes, the PIXes do support L2TP. Here's a sample config for version 6.3 to a Windows 2000 box:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml

But if your L2TP tunnel requires encryption, I'm pretty sure you will be knocked down to 4.5 Mb/s throughput.

If it were me, and the other device was a router, I'd just use IPSec w/ AH.

libliblib · ‎02-12-2010

Yes the other device is a 7206 router.

How can I setup IPsec with just AH to get the throughput high as possible?

Arup Dutta · ‎02-05-2010

Hi,

libliblib....Pix 501 do not support tunneling if want to use tunnel you can go through upper version of pix or ASA

if it help full please give me rateing

thanks you,

Arup