Setting the MTU
 




Setting the MTU

 
Forum Index -> comp.dcom.sys.cisco
John Rennie (Guest)
Posted: Sat Apr 22, 2006 9:48 pm    Post subject: Setting the MTU

I've been getting odd problems with a VPN between two 837 routers and it's
been suggested this is due to fragmentation and that I should decrease the MTU
for the tunnel to 1360.

Can anyone tell me how to modify the config to do this? I believe it's the "ip
tcp adjust" and "ip tcp adjust-mss" but I don't know how and where to use
them. The examples I've found on the web all look much more complicated than
my config.

Thanks,

John Rennie

---------

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096
enable secret <password>
!
username admin password <password>
no aaa new-model
ip subnet-zero
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!ip audit notify log
!ip audit po max-events 100
!no ftp-server write-enable
!
! PPTP dialins
! ============
!
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
exit
exit
!
interface Virtual-Template1
ip unnumbered Ethernet0
peer default ip address pool default
ppp encrypt mppe auto
ppp authentication ms-chap
!
ip local pool default 192.168.128.224 192.168.128.239
!
! VPNs
! ====
!
crypto isakmp policy 1
encryption des
hash sha
authentication pre-share
group 1
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
! Connection to head office
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 111.111.111.111
set transform-set tr-des-sha
match address 120
crypto isakmp key <sharedsecret> address 111.111.111.111
!
no access-list 120
access-list 120 remark Site to Site VPN to head office
access-list 120 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 120 deny ip 192.168.128.0 0.0.0.255 any
!
! Connection to branch office
crypto map cm-cryptomap 2 ipsec-isakmp
set peer 222.222.222.222
set transform-set tr-des-sha
match address 121
crypto isakmp key <sharedsecret> address 222.222.222.222
!
no access-list 121
access-list 121 remark Site to Site VPN to branch office
access-list 121 permit ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 121 deny ip 192.168.128.0 0.0.0.255 any
!
! Use a policy map to prevent NAT through the VPN by routing the VPN
! traffic through the loopback adapter
!
route-map nonat permit 10
match ip address 129
set ip next-hop 1.1.1.2
!
no access-list 129
access-list 129 remark Route VPN traffic through the loopback adapter
access-list 129 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 129 permit ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255
!
! Interfaces
! ==========
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 192.168.128.254 255.255.255.0
ip nat inside
ip route-cache policy
ip policy route-map nonat
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <adslusername>
ppp chap password <adslpassword>
ppp pap sent-username <adslusername> password <adslpassword>
crypto map cm-cryptomap
no ip route-cache
no ip mroute-cache
hold-queue 224 in
!
! NAT
! ===
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static 192.168.128.1 333.333.333.18
ip nat inside source static 192.168.128.16 333.333.333.19
ip nat inside source static 192.168.128.128 333.333.333.22
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
! Access lists
! ============
!
no access-list 23
access-list 23 remark Allowed to manage the router
access-list 23 permit 192.168.128.0 0.0.0.255
!
no access-list 102
access-list 102 remark Addresses to NAT behind router
access-list 102 deny ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 102 deny ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 102 permit ip 192.168.128.0 0.0.0.255 any

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
no access-list 111
access-list 111 remark Incoming access from the Internet
! ping
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
! VPN
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
! Servers
access-list 111 permit tcp any host 333.333.333.18 eq 21
access-list 111 permit tcp any host 333.333.333.18 eq 25
access-list 111 permit tcp any host 333.333.333.18 eq 53
access-list 111 permit udp any host 333.333.333.18 eq 53
access-list 111 permit tcp any host 333.333.333.18 eq 80
access-list 111 permit tcp any host 333.333.333.18 eq 110
access-list 111 permit tcp any host 333.333.333.18 eq 443
! Allow file sharing access
access-list 111 permit udp any host 333.333.333.19 eq 6257
access-list 111 permit tcp any host 333.333.333.19 eq 6699
access-list 111 permit tcp any host 333.333.333.19 eq 5042
access-list 111 permit udp any host 333.333.333.19 eq 5042
access-list 111 permit tcp any host 333.333.333.19 eq 6346
! Allow incoming NTP
access-list 111 permit udp any any eq 123
! Allow VPN traffic
access-list 111 permit ip 172.31.255.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 111 permit ip 192.168.129.0 0.0.0.255 192.168.128.0 0.0.0.255
! Deny the rest
access-list 111 deny ip any any log
!
dialer-list 1 protocol ip permit
!
! SNMP
! ====
snmp-server community public ro
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
banner motd |
Rattus Hacking Software

You require authorisation to connect to this device.
If you are not authorised to connect to this device please disconnect now.

|
!
end
James Schnack (Guest)
Posted: Sat Apr 22, 2006 10:05 pm    Post subject: Re: Setting the MTU

Enjoy it... ;-)

http://www.cisco.com/warp/public/105/pmtud_ipfrag.html

Keep in mind that the TCP MSS fix will only apply to TCP traffic, so if
you're having issues with non-TCP services then that won't make it.

The "clear-DF-bit" fix presented on the above doc will affect all IP
traffic, though.

I work daily with VPNs and I've seen these work, so go ahead and try
them. Be aware that this is a workaround and that the correct way of
solving this would be getting your service providers to allow PMTUD
over their networks (IIRC, usual reason for this not working was
incorrect blocking of certain ICMP types). But since that is usually a
herculean task... many end up applying these fixes, which do degrade
performance (although degradation may not be significant, depending on
the situation).

HTH,

James
Buzz Lightbeer (Guest)
Posted: Sun Apr 23, 2006 2:05 am    Post subject: Re: Setting the MTU

"John Rennie" <john@notmyrealaddress.co.uk> wrote in message
news:8qqk421rfrh34pg57qvmnkdb5gl67tbjep@4ax.com...
Quote:
I've been getting odd problems with a VPN between two 837 routers and it's
been suggested this is due to fragmentation and that I should decrease the
MTU
for the tunnel to 1360.

Can anyone tell me how to modify the config to do this? I believe it's the
"ip
tcp adjust" and "ip tcp adjust-mss" but I don't know how and where to use
them. The examples I've found on the web all look much more complicated
than
my config.

Thanks,

John Rennie


You configure the MTU size on the tunnel interface, using the ip mtu
command. This restricts the size of the packets which can be encapsulated by
the tunneling protocol so that you can ensure that the size of the
encapsulated packet does not exceed the MTU size of the transmission media.

This causes the following effects if the router receives a packet destined
for the tunnel which has an MTU size which is too large: if the DF flag is
not set the router fragments the packets and sends them on their way; if the DF
flag is set then the packet is discarded and an ICMP type 3 (host
unreachable), code 4 (fragmentation required) packet is sent to the source host,
which should then drop the MTU size of the packets it is sending to that
destination.

The problem is that many NOSs (Windows, Tru64, etc.) do not implement
this correctly, and so Cisco developed a "fix" which hacked the TCP segment
size negotiation between hosts, addressing the MTU issue at layer 4. This is
implemented with the ip tcp adjust-mss command, which is applied to any
router interface which will receive a packet to be forwarded onto the
tunnel (configuring this on the tunnel interface does not work as the
packets are encapsulated by the tunneling protocol).

Obviously the segment size is lower than the MTU size by the amount of space
the IP header takes up. For example, for L2TP the MTU size is 1460, the
equivalent segment size is 1420 bytes, which will result in an L2TP
encapsulated packet of 1500 bytes, which is the MTU size for a standard
Ethernet frame.

BL
--
Women will never be equal to men until they can walk down the street with a
bald head and a beer gut, and still think they are sexy.
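An added worked example, not part of the thread and not Cisco's code, covering two points made above: James's caveat that the MSS fix touches only TCP while clearing DF touches all IP traffic, and Buzz's description of PMTUD and MSS clamping at the tunnel ingress. The Python below builds small IPv4/TCP/UDP packets in memory and runs the three behaviours over them: the ingress PMTUD decision (fragment, or drop and signal ICMP type 3 code 4 when DF is set), the DF-clearing rewrite that "set ip df 0" in a route-map performs (IOS releases that have it also offer "crypto ipsec df-bit clear" globally), and the SYN option rewrite that "ip tcp adjust-mss" performs, including the TCP checksum repair a router has to do. It also works out the ESP tunnel-mode overhead of the thread's tr-des-sha transform set so the MSS figure is derived rather than guessed. Assumptions, not from the thread: a 1500-byte link MTU on the dialer, DES-CBC with an 8-byte block and IV plus a 12-byte SHA1-96 ICV, and two made-up hosts 192.168.128.10 and 172.31.255.10 inside the subnets of access-list 120.

```python
# Added example, not code from the thread. On constructed packets it simulates
# PMTUD at a tunnel ingress (fragment, or drop + ICMP type 3 code 4 when DF is
# set), the clear-DF workaround, and TCP MSS clamping ("ip tcp adjust-mss").
# Assumed: 1500-byte link MTU on the dialer and the thread's tr-des-sha set
# (ESP tunnel mode, DES-CBC 8-byte block and IV, HMAC-SHA1-96 12-byte ICV).
import struct

LINK_MTU = 1500  # assumption: PPP over ATM on the 837 carries 1500-byte IP

def esp_tunnel_overhead(inner_len, block=8, iv=8, icv=12):
    """Outer IP (20) + SPI/seq (8) + IV + padding so the payload plus the 2
    trailer bytes fills whole cipher blocks + trailer (2) + ICV."""
    return 20 + 8 + iv + (-(inner_len + 2)) % block + 2 + icv

def max_inner_mtu(link_mtu=LINK_MTU, **cipher):
    """Largest inner packet whose encapsulation still fits the link MTU."""
    n = link_mtu
    while n + esp_tunnel_overhead(n, **cipher) > link_mtu:
        n -= 1
    return n

def checksum(data):
    """RFC 1071 one's-complement sum used by IPv4 and TCP."""
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(proto, src, dst, payload, df):
    """Minimal IPv4 packet (4-byte src/dst); df=True sets Don't Fragment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def tcp_checksum(pkt, tcp):
    """TCP checksum over the pseudo-header (addresses from pkt) and segment."""
    return checksum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + bytes(tcp))

def build_tcp_syn(src, dst, mss):
    """TCP SYN to port 80 carrying only an MSS option, in IPv4 with DF set."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02,
                                8192, 0, 0) + struct.pack("!BBH", 2, 4, mss))
    pkt = build_ipv4(6, src, dst, bytes(tcp), df=True)
    tcp[16:18] = struct.pack("!H", tcp_checksum(pkt, tcp))
    return pkt[:20] + bytes(tcp)

def clear_df(pkt):
    """What 'set ip df 0' in a route-map (or 'crypto ipsec df-bit clear') does."""
    hdr = bytearray(pkt[:20])
    struct.pack_into("!H", hdr, 6, struct.unpack("!H", pkt[6:8])[0] & 0xBFFF)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

def pmtud_forward(pkt, tunnel_mtu):
    """'forward', 'fragment', or ('drop', mtu): the last means an ICMP type 3
    code 4 carrying that next-hop MTU goes back to the sender."""
    if len(pkt) <= tunnel_mtu:
        return "forward"
    return ("drop", tunnel_mtu) if pkt[6] & 0x40 else "fragment"

def _mss_offset(tcp):
    """Index of the MSS option (kind 2, length 4) in a TCP header, or None."""
    i, doff = 20, (tcp[12] >> 4) * 4
    while i + 1 < doff:
        kind, ln = tcp[i], tcp[i + 1]
        if kind == 0:                       # end of options
            return None
        if kind == 2 and ln == 4:
            return i
        i += 1 if kind == 1 else max(ln, 2)  # kind 1 is a one-byte NOP
    return None

def read_mss(pkt):
    """MSS option value of a TCP packet, or None if absent or not TCP."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    off = _mss_offset(tcp) if pkt[9] == 6 else None
    return None if off is None else struct.unpack("!H", tcp[off + 2:off + 4])[0]

def clamp_mss(pkt, mss_max):
    """'ip tcp adjust-mss': lower the MSS in a TCP SYN/SYN-ACK and refresh the
    TCP checksum. Non-TCP packets and non-SYN segments pass through unchanged,
    which is why the MSS fix alone does nothing for UDP, ESP or GRE traffic."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = bytearray(pkt[ihl:])
    off = _mss_offset(tcp) if pkt[9] == 6 and tcp[13] & 0x02 else None
    if off is None or struct.unpack("!H", tcp[off + 2:off + 4])[0] <= mss_max:
        return pkt
    tcp[off + 2:off + 4] = struct.pack("!H", mss_max)
    tcp[16:18] = b"\0\0"
    tcp[16:18] = struct.pack("!H", tcp_checksum(pkt, tcp))
    return pkt[:ihl] + bytes(tcp)

def demo():
    """Thread scenario: a 1460-MSS SYN and a 1492-byte DF-set UDP datagram
    headed for the head-office tunnel (hosts are made up); returns outcomes."""
    src, dst = bytes([192, 168, 128, 10]), bytes([172, 31, 255, 10])
    mtu = max_inner_mtu()                                    # 1446 here
    syn = build_tcp_syn(src, dst, 1460)
    udp = build_ipv4(17, src, dst, b"\0" * 1472, df=True)
    return {"tunnel_mtu": mtu,
            "mss_after_clamp": read_mss(clamp_mss(syn, mtu - 40)),
            "udp_df_set": pmtud_forward(udp, mtu),
            "udp_after_mss_fix": pmtud_forward(clamp_mss(udp, mtu - 40), mtu),
            "udp_after_df_clear": pmtud_forward(clear_df(udp), mtu)}
```

With these assumptions the largest inner packet that still encapsulates to 1500 bytes is 1446, so the matching TCP MSS is 1406; the 1360 John was given leaves headroom for things the calculation does not include, such as the 8-byte UDP header NAT-T adds or a provider MTU below 1500. The UDP datagram with DF set is dropped both before and after the MSS fix and only gets through, as fragments, once DF is cleared, which is James's point in code. Clearing DF hides the PMTUD problem rather than fixing it: the far end has to reassemble, and losing any one fragment loses the whole datagram, so it is still worth keeping inbound ICMP type 3 allowed (access-list 111 above already permits packet-too-big and unreachable) so that hosts can learn the path MTU whenever the ISP does pass it.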
John Rennie (Guest)
Posted: Sun Apr 23, 2006 12:07 pm    Post subject: Re: Setting the MTU

Great, thanks :-)

Just so I'm sure, is this the correct change to my config? I already have a
routing policy to stop traffic through the VPN being NATed, so presumably I
can just add the "set ip df 0" line to this policy.

----8<----
! Use a policy map to prevent NAT through the VPN by routing the VPN
! traffic through the loopback adapter
!
route-map nonat permit 10
set ip df 0 <---- new line
match ip address 129
set ip next-hop 1.1.1.2
!
no access-list 129
access-list 129 remark Route VPN traffic through the loopback adapter
access-list 129 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 129 permit ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255
!
----8<----

John Rennie


All times are GMT

Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.
Powered by phpBB