Wade-
Where are you changing the MTU? ...I just went through this with different
hardware, it turned out we needed to change the MTU of the hosts that would
be using the VPN.
If Packet = x bytes
Local LAN Packet: x
VPN Packet: x + vpn header
In our case, any value of x < 1410 yielded fragmented packets through the
VPN.
<snip from another article>
"...Unfortunately, the length of header+pad seems to depend on the data
being encrypted, as well as the crypto algorithm. Perhaps a good rough
figure is just to adjust down by 40 bytes (outer IP + 20 bytes of ESP
header/pad)."
~Todd
-----Original Message-----
From: Wade Burgett [mailto:wadeb_at_burgettsys.com]
Sent: Friday, September 05, 2003 4:05 PM
To: firewall-wizards_at_honor.icsalabs.com
Subject: [fw-wiz] CISCO VPN Concentrator and setting MTU per VPN
Connection
I'm working one end of a VPN performance problem that seems to be MTU
and fragmentation related. My end is a CISCO Hardware VPN 3002 client.
The other end is a CISCO VPN Concentrator.
I recommended lowering the MTU setting on both ends and then testing.
But the admin on the VPN Concentrator end just told me it is impossible
to change the MTU for a particular tunnel, that you can only change the
MTU for all the tunnels, and there are several other remote sites.
Is this true? Is there any way around this?
Thanks
Wade
--
Wade Burgett
wadeb_at_burgettsys.com
(512)-796-7070
(503)-756-5633
Burgett Systems
http://www.burgettsys.com
ELIMINATE EMAIL VIRUSES - Use Linux
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Sep 08 2003
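
Added example, not part of the original thread: the "x + vpn header" arithmetic from the reply above, worked through for ESP in tunnel mode to show why the overhead changes with packet size and cipher. It assumes the RFC 4303 layout over IPv4 with no NAT-T and a 1500-byte path MTU; the two cipher parameter sets and all function names are assumptions, not settings reported in the thread.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 4303 layout, IPv4, no NAT-T).
# Cipher parameters are assumptions chosen for illustration, not from the thread.
OUTER_IP = 20     # outer IPv4 header without options
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

CIPHERS = {
    "3des-cbc + 96-bit HMAC": {"block": 8, "iv": 8, "icv": 12},
    "aes-cbc + 96-bit HMAC": {"block": 16, "iv": 16, "icv": 12},
}


def esp_packet_len(inner_len, block, iv, icv):
    """Bytes on the wire for one inner IP packet after ESP tunnel encapsulation."""
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // block) * block  # round up to the cipher block size
    return OUTER_IP + ESP_HEADER + iv + padded + icv


def max_inner_len(path_mtu, block, iv, icv):
    """Largest inner packet whose encapsulated form still fits in path_mtu."""
    fixed = OUTER_IP + ESP_HEADER + iv + icv
    room = (path_mtu - fixed) // block * block  # whole cipher blocks available
    return room - ESP_TRAILER


def overhead_range(block, iv, icv):
    """Smallest and largest overhead in bytes over one full padding cycle."""
    costs = [esp_packet_len(x, block, iv, icv) - x for x in range(1400, 1400 + block)]
    return min(costs), max(costs)


def summarize(path_mtu=1500):
    """Per cipher: host MTU that avoids fragmentation, and the overhead spread."""
    return {
        name: {
            "max_inner": max_inner_len(path_mtu, **p),
            "overhead": overhead_range(**p),
        }
        for name, p in CIPHERS.items()
    }


if __name__ == "__main__":
    for name, result in summarize().items():
        print(name, result)
```

The `max_inner` value is the size to test against when lowering the MTU on the hosts behind the tunnel, as the reply describes doing.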