
Cisco Config Help/IPSEC VPN


Solarlight1 (IS-IT--Management), Jan 11, 2015
Good Evening, and thank you in advance for any help given.

Lan 1 - 192.168.0.0/24
Lan 2 - 192.168.100.0/24 (also has 192.168.101.0, 192.168.102.0, 192.168.103.0,192.168.104.0 and 192.168.108.0 all /24)
Lan 3 - 192.168.1.0/24

Lan 2 and 3 link to Lan 1 Via IPSEC

I have an 80Mb FTTC connection connected to a Cisco 887VA (VDSL over POTS).

I am generally happy with my internet speed, which regularly peaks at approx. 25Mb down and 17Mb up, although I'm sure with some tweaks I could get more. However, VPN performance is incredibly poor.

Lan 2 has a 100Mb fibre connection and can get an internet speed of approx. 97Mb.
Lan 3 has a 20Mb WiFi connection to some WISP and can generally get 20Mb in both directions.

However, looking at Lan 2 in Wireshark, it seems to send a lot of retransmissions and out-of-sequence packets, which cause issues.
Lan 3 only ever really gets 500kb over the VPN.

Below is my sanitised configuration from the Cisco 887VA on Lan 1.

Would anyone mind casting their eyes over it and telling me if I can improve the config, or if I'm missing config which would help with the speed issues/retransmissions? I'm sure there is an MTU/MSS issue somewhere between Lan 1 and Lan 2.

Thank you for any help

Regards
Mark

--------------------

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname DC_BARTON_ROUTER
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
clock timezone bst 0 0
clock summer-time bst recurring
!
!
!
!
!
!
!
no ip domain lookup
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw pptp
ip inspect name FTP ftp
ip cef
no ipv6 cef
!
!
!
!

!
!
!
!
!
controller VDSL 0
!
ip tcp mss 1400
!
crypto logging session
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp key XXXXXXXXX address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set XXXXXXXXXXX esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set XXXXXXXXXXX esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set XXXXXXXXXXX esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set XXXXXXXXXXX esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
!
!
!
crypto map LAKEMEWS 10 ipsec-isakmp
description Link to XXXXXXXXXX
set peer XXX.XXX.XXX.XXX
set transform-set XXXXXXXX
match address VPN-TRAFFIC-NB
crypto map LAKEMEWS 20 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set ts_XXXXXX
match address VPN-TRAFFIC-DHICK
!
!
!
!

!
interface Ethernet0
description Connection to BT Infinity (VDSL 0)
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template1
no ip address
!
interface Vlan1
ip address 192.168.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Dialer1
description VDSL
ip address negotiated
ip access-group 111 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip nat enable
ip inspect myfw out
ip virtual-reassembly in
encapsulation ppp
ip route-cache policy
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer idle-timeout 0
dialer-group 1
keepalive 30
ppp authentication pap callin
ppp chap hostname XXXXXXXXXXXXXXX
ppp chap password 0 XXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXX password 0 XXXXXXXXXX
ppp ipcp dns request accept
ppp ipcp wins request
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map LAKEMEWS
hold-queue 224 in
!
ip forward-protocol nd
no ip http server
ip http port 45678
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http secure-port 8080
!
ip nat inside source static udp 192.168.0.4 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.4 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.4 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.4 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.4 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.2 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.110 80 interface Dialer1 2000
ip nat inside source static udp 192.168.0.2 5500 interface Dialer1 5500
ip nat inside source static tcp 192.168.0.5 5060 interface Dialer1 5060
ip nat inside source static udp 192.168.0.5 5060 interface Dialer1 5060
ip nat inside source static udp 192.168.0.5 5004 interface Dialer1 5004
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.0.5 80 81.149.179.253 80 route-map nonat extendable
ip nat inside source static tcp 192.168.0.5 8081 81.149.179.253 8081 route-map nonat extendable
ip nat inside source static udp 192.168.0.5 8081 81.149.179.253 8081 route-map nonat extendable
ip nat inside source static tcp 192.168.0.4 9000 81.149.179.253 9000 route-map nonat extendable
!
ip access-list extended VPN-TRAFFIC-DHICK
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-TRAFFIC-NB
permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.102.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.103.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.104.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.108.0 0.0.0.255
permit udp 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit igmp 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit icmp 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any time-exceeded
!
access-list 1 permit any
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
route-map nonat permit 10
match ip address 100
!
!
!
line con 0
no modem enable
line aux 0
logging synchronous
line vty 0 4
login local
transport input all
line vty 5 15
login local
transport input all
!
scheduler max-task-time 5000
ntp master 10
ntp server 64.4.10.33 prefer
ntp server 213.120.234.70
ntp server 65.55.56.206
!
end

 
With retransmits and IPsec I'd start by playing around with, and lowering, the MTU on the tunnel.

Also, crypto maps are soooo 1990s. Move to encrypted tunnels; it makes life easier.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
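
The reply above says to lower the MTU on the tunnel, and the original post suspects an MTU/MSS problem between Lan 1 and Lan 2. The calculation below is an added example, not part of the original thread and not a Cisco tool: it takes the numbers from the posted config (`ip mtu 1452` and `ip tcp adjust-mss 1452` on Dialer1, the `esp-aes esp-sha-hmac` and `esp-3des esp-md5-hmac` transform sets, PPPoE on Ethernet0.101) together with the standard encapsulation sizes (PPPoE 8 bytes per RFC 2516; tunnel-mode ESP per RFC 4303 with an 8-byte header, cipher-block padding, 2-byte trailer and 12-byte truncated HMAC) and works out how large a TCP segment can be before it no longer fits through the tunnel, and what `ip tcp adjust-mss` value would keep every segment inside that limit. Treating the configured `ip mtu 1452` as the link MTU is an assumption taken from the config; the ESP padding and NAT-T (extra 8-byte UDP header) cases are handled so the same function can be reused for other transform sets.

```python
"""MTU/MSS budget for the PPPoE + tunnel-mode ESP path discussed in the thread.

Added worked example (not from the original post). Interface and transform-set
values are those in the posted config; encapsulation sizes are from RFC 2516
(PPPoE) and RFC 4303 (ESP).
"""
import math

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8        # 6-byte PPPoE header + 2-byte PPP protocol ID (RFC 2516)
IPV4_HEADER = 20
TCP_HEADER = 20
ESP_HEADER = 8            # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2           # pad length (1) + next header (1)
NAT_T_UDP = 8             # extra UDP/4500 header only when NAT traversal is negotiated

# transform set -> (cipher block size, which is also the IV length, ICV length)
TRANSFORMS = {
    "esp-aes esp-sha-hmac": (16, 12),   # AES-CBC 16-byte IV/block, HMAC-SHA1-96
    "esp-3des esp-md5-hmac": (8, 12),   # 3DES-CBC 8-byte IV/block, HMAC-MD5-96
}


def esp_tunnel_size(inner_len, transform, nat_t=False):
    """Bytes on the wire after tunnel-mode ESP wraps an inner IPv4 packet of inner_len bytes."""
    block, icv = TRANSFORMS[transform]
    # The inner packet plus the 2-byte trailer is padded up to the cipher block size.
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = IPV4_HEADER + ESP_HEADER + block + padded + icv   # block == IV length
    return size + (NAT_T_UDP if nat_t else 0)


def max_inner_packet(link_mtu, transform, nat_t=False):
    """Largest inner IPv4 packet whose ESP encapsulation still fits in link_mtu."""
    # esp_tunnel_size is monotonic in inner_len, so walk down from the link MTU.
    for inner in range(link_mtu, 0, -1):
        if esp_tunnel_size(inner, transform, nat_t) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any ESP packet")


def recommended_mss(link_mtu, transform, nat_t=False):
    """TCP MSS to advertise (ip tcp adjust-mss) so a full segment encrypts without fragmentation."""
    return max_inner_packet(link_mtu, transform, nat_t) - IPV4_HEADER - TCP_HEADER


def check_config(ip_mtu, adjust_mss, transform, nat_t=False):
    """Evaluate an interface's 'ip mtu' / 'ip tcp adjust-mss' pair against the ESP overhead."""
    clear_packet = adjust_mss + IPV4_HEADER + TCP_HEADER   # a full-size segment before encryption
    encrypted = esp_tunnel_size(clear_packet, transform, nat_t)
    return {
        "full_segment_bytes": clear_packet,
        "encrypted_bytes": encrypted,
        "fits_clear": clear_packet <= ip_mtu,        # would even an unencrypted segment fit?
        "fits_encrypted": encrypted <= ip_mtu,       # does it fit once wrapped in ESP?
        "recommended_mss": recommended_mss(ip_mtu, transform, nat_t),
    }


if __name__ == "__main__":
    pppoe_mtu = ETHERNET_MTU - PPPOE_OVERHEAD          # 1492: what PPPoE on Ethernet0.101 can carry
    dialer_mtu = 1452                                  # 'ip mtu 1452' on Dialer1 in the config
    for ts in TRANSFORMS:
        print(f"{ts}: link {dialer_mtu} -> max inner {max_inner_packet(dialer_mtu, ts)} bytes, "
              f"mss {recommended_mss(dialer_mtu, ts)}; "
              f"link {pppoe_mtu} -> mss {recommended_mss(pppoe_mtu, ts)}")
    # The posted config advertises MSS 1452 on an interface whose ip mtu is also 1452.
    print(check_config(dialer_mtu, 1452, "esp-aes esp-sha-hmac"))
```

Run stand-alone it reports that with `ip mtu 1452` an AES/SHA tunnel can carry at most a 1390-byte inner packet, i.e. an MSS of 1350 (1358 for 3DES/MD5), while `ip tcp adjust-mss 1452` lets hosts send 1492-byte segments that become 1560 bytes after ESP. A 1492-byte segment does not even fit the 1452-byte interface MTU unencrypted, so every full-size segment has to be either fragmented before encryption or, when the host set DF, dropped with an ICMP fragmentation-needed reply that the sender must receive for path MTU discovery to recover. With `crypto ipsec df-bit set` the outer packet cannot be fragmented downstream either, so an adjust-mss value at or below the computed figure on the interfaces that carry the tunnel traffic is the usual fix; `ip tcp mss 1400` (global) only affects sessions the router itself originates or terminates, not transit traffic.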
 
Hi imbadatthis,

Thank you for your response.

Two questions, if you don't mind.

1. How do I change the MTU on the tunnel?
2. How do I set up a tunnel with an ASA 5505 at the other end?
 
It would appear the Cisco ASA 5505 does not support VTIs, therefore using the 1990s method is all I have to work with.
 