GRE/IPSEC tunnel: some protocols don't work!

Hi, I have just created a GRE/IPSEC tunnel between two routers and ping/OSPF/SSH work well, but if I try to copy a file by SCP or do some other activity, it doesn't work at all: 0 bytes transferred!!!

Any ideas?

Thanks Mimmus

Reply to
Mimmus

Since you say SSH works, I would suspect that the SCP server log contains the answer to your question (the machine you are sending to). I'd perhaps snarf some packets both before and after the tunnel to test. BTW, why aren't you using sFTP?

Reply to
QoS

If ping works end to end then I'd suspect an MTU issue.

Try "ip tcp adjust-mss " in interface configuration mode on your tunnel interface to cause the endpoints to negotiate a maximum segment size that is short enough to fit through the tunnel.

Reply to
briggs

That was my first thought as well - is this a DSL connection? Take a look at path mtu discovery.

Reply to
Scooby

I suspect an MTU size too. I have:

    interface Tunnel1
     ip mtu 1420
     tunnel path-mtu-discovery
     ...

Do I need both?

Thanks Mimmus

Reply to
Mimmus

As already mentioned, you want ip tcp adjust-mss 1300

Now there may be a few 1300 is too small (you can use 1301, 1338, 1317 ...) messages, but I don't care. It's not in my opinion worth worrying about.

Perhaps you should also not be using ip mtu 1420 but you have not explained what you are doing exactly. I use GRE over IPSEC over the internet quite a bit and I have never changed the tunnel mtu size from default. This will be

1500 - IP header - GRE header.

Maybe I need to look into this?

I do always do the ip tcp mss thing and since pretty much all interesting traffic is TCP we are taken care of.

I suppose that setting the correct GRE mtu would help with end station path mtu discovery.

Reply to
Bod43
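
Added example, not part of the thread: a size budget for GRE over IPsec that shows why the default GRE tunnel MTU (1500 - IP header - GRE header) still overflows a 1500-byte path once ESP is added, and how 1420 and an MSS of 1300 compare. The ESP transforms are assumptions (the thread never states the transform set), as are IPv4 without options, a basic 4-byte GRE header and no NAT-T.

```python
# Added illustration: IPv4 packet-size budget for GRE over IPsec (ESP).
# The transforms below are assumptions; the thread does not name a transform set.
from dataclasses import dataclass

IPV4_HDR = 20     # no IP options
GRE_HDR = 4       # basic GRE, no key/sequence/checksum
TCP_HDR = 20      # no TCP options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header

@dataclass(frozen=True)
class EspTransform:
    name: str
    iv: int       # IV bytes carried in every packet
    block: int    # alignment of the encrypted payload
    icv: int      # integrity check value bytes

AES_CBC_SHA1 = EspTransform("AES-CBC + HMAC-SHA1-96", iv=16, block=16, icv=12)
TDES_CBC_SHA1 = EspTransform("3DES-CBC + HMAC-SHA1-96", iv=8, block=8, icv=12)

def wire_size(passenger_len, t, tunnel_mode=True):
    """On-the-wire size of one passenger IP packet after GRE and ESP."""
    # Tunnel mode encrypts the whole GRE packet (GRE IP header included);
    # transport mode encrypts only the GRE header and the passenger packet.
    inner = passenger_len + GRE_HDR + (IPV4_HDR if tunnel_mode else 0)
    blocks = (inner + ESP_TRAILER + t.block - 1) // t.block
    return IPV4_HDR + ESP_HDR + t.iv + blocks * t.block + t.icv

def max_passenger(link_mtu, t, tunnel_mode=True):
    """Largest passenger packet that crosses link_mtu unfragmented."""
    size = link_mtu
    while wire_size(size, t, tunnel_mode) > link_mtu:
        size -= 1
    return size

def max_mss(link_mtu, t, tunnel_mode=True):
    """Largest TCP MSS whose full-size segment still fits through the tunnel."""
    return max_passenger(link_mtu, t, tunnel_mode) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    for t in (AES_CBC_SHA1, TDES_CBC_SHA1):
        for mode in (True, False):
            label = "tunnel" if mode else "transport"
            print(f"{t.name:24} {label:9} ip mtu <= {max_passenger(1500, t, mode)}"
                  f"  mss <= {max_mss(1500, t, mode)}")
    # Sizes from the thread: default GRE MTU, ip mtu 1420, and MSS 1300 + headers.
    for size in (1500 - IPV4_HDR - GRE_HDR, 1420, 1300 + IPV4_HDR + TCP_HDR):
        print(size, "->", wire_size(size, AES_CBC_SHA1), "bytes on the wire")
```

Under these assumptions a full-size segment at MSS 1300 fits with room to spare, while whether a 1420-byte packet fits depends on the cipher and IPsec mode in use.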

This setting was suggested by Cisco Secure Device Manager (SDM), the new web interface to configure Cisco routers!

Mimmus

Reply to
Mimmus
