I've been getting odd problems with a VPN between two 837 routers and it's been suggested this is due to fragmentation and that I should decrease the MTU for the tunnel to 1360.
Can anyone tell me how to modify the config to do this? I believe it's the "ip tcp adjust" and "ip tcp adjust-mss" but I don't know how and where to use them. The examples I've found on the web all look much more complicated than my config.
Thanks,
John Rennie
---------
no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname Router ! logging buffered 4096 enable secret ! username admin password no aaa new-model ip subnet-zero ! ! ip inspect name myfw cuseeme timeout 3600 ip inspect name myfw ftp timeout 3600 ip inspect name myfw rcmd timeout 3600 ip inspect name myfw realaudio timeout 3600 ip inspect name myfw tftp timeout 30 ip inspect name myfw udp timeout 15 ip inspect name myfw tcp timeout 3600 ip inspect name myfw h323 timeout 3600 !ip audit notify log !ip audit po max-events 100 !no ftp-server write-enable ! ! PPTP dialins ! ============ ! vpdn enable ! vpdn-group pptp ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 exit exit ! interface Virtual-Template1 ip unnumbered Ethernet0 peer default ip address pool default ppp encrypt mppe auto ppp authentication ms-chap ! ip local pool default 192.168.128.224 192.168.128.239 ! ! VPNs ! ==== ! crypto isakmp policy 1 encryption des hash sha authentication pre-share group 1 ! crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac ! ! Connection to head office crypto map cm-cryptomap 1 ipsec-isakmp set peer 111.111.111.111 set transform-set tr-des-sha match address 120 crypto isakmp key address 111.111.111.111 ! no access-list 120 access-list 120 remark Site to Site VPN to head office access-list 120 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255 access-list 120 deny ip 192.168.128.0 0.0.0.255 any ! ! Connection to branch office crypto map cm-cryptomap 2 ipsec-isakmp set peer 222.222.222.222 set transform-set tr-des-sha match address 121 crypto isakmp key address 222.222.222.222 ! no access-list 121 access-list 121 remark Site to Site VPN to branch office access-list 121 permit ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255 access-list 121 deny ip 192.168.128.0 0.0.0.255 any ! ! Use a policy map to prevent NAT through the VPN by routing the VPN ! traffic through the loopback adapter ! route-map nonat permit 10 match ip address 129 set ip next-hop 1.1.1.2 ! no access-list 129 access-list 129 remark Route VPN traffic through the loopback adapter access-list 129 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255 access-list 129 permit ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255 ! ! Interfaces ! ========== ! interface Loopback0 ip address 1.1.1.1 255.255.255.0 ! interface Ethernet0 ip address 192.168.128.254 255.255.255.0 ip nat inside ip route-cache policy ip policy route-map nonat no ip mroute-cache hold-queue 100 out ! interface ATM0 no ip address no ip mroute-cache atm vc-per-vp 64 no atm ilmi-keepalive pvc 0/38 encapsulation aal5mux ppp dialer dialer pool-member 1 ! dsl operating-mode auto ! interface Dialer1 ip address negotiated ip access-group 111 in ip nat outside ip inspect myfw out encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication chap pap callin ppp chap hostname ppp chap password ppp pap sent-username password crypto map cm-cryptomap no ip route-cache no ip mroute-cache hold-queue 224 in ! ! NAT ! === ! ip nat inside source list 102 interface Dialer1 overload ip nat inside source static 192.168.128.1 333.333.333.18 ip nat inside source static 192.168.128.16 333.333.333.19 ip nat inside source static 192.168.128.128 333.333.333.22 ! ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 ip http server no ip http secure-server ! ! Access lists ! ============ ! no access-list 23 access-list 23 remark Allowed to manage the router access-list 23 permit 192.168.128.0 0.0.0.255 ! no access-list 102 access-list 102 remark Addresses to NAT behind router access-list 102 deny ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255 access-list 102 deny ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255 access-list 102 permit ip 192.168.128.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any ! no access-list 111 access-list 111 remark Incoming access from the Internet ! ping access-list 111 permit icmp any any administratively-prohibited access-list 111 permit icmp any any echo access-list 111 permit icmp any any echo-reply access-list 111 permit icmp any any packet-too-big access-list 111 permit icmp any any time-exceeded access-list 111 permit icmp any any traceroute access-list 111 permit icmp any any unreachable ! VPN access-list 111 permit esp any any access-list 111 permit udp any any eq isakmp access-list 111 permit tcp any any eq 1723 access-list 111 permit gre any any ! Servers access-list 111 permit tcp any host 333.333.333.18 eq 21 access-list 111 permit tcp any host 333.333.333.18 eq 25 access-list 111 permit tcp any host 333.333.333.18 eq 53 access-list 111 permit udp any host 333.333.333.18 eq 53 access-list 111 permit tcp any host 333.333.333.18 eq 80 access-list 111 permit tcp any host 333.333.333.18 eq 110 access-list 111 permit tcp any host 333.333.333.18 eq 443 ! Allow file sharing access access-list 111 permit udp any host 333.333.333.19 eq 6257 access-list 111 permit tcp any host 333.333.333.19 eq 6699 access-list 111 permit tcp any host 333.333.333.19 eq 5042 access-list 111 permit udp any host 333.333.333.19 eq 5042 access-list 111 permit tcp any host 333.333.333.19 eq 6346 ! Allow incoming NTP access-list 111 permit udp any any eq 123 ! Allow VPN traffic access-list 111 permit ip 172.31.255.0 0.0.0.255 192.168.128.0 0.0.0.255 access-list 111 permit ip 192.168.129.0 0.0.0.255 192.168.128.0 0.0.0.255 ! Deny the rest access-list 111 deny ip any any log ! dialer-list 1 protocol ip permit ! ! SNMP ! ==== snmp-server community public ro ! line con 0 exec-timeout 120 0 no modem enable stopbits 1 line aux 0 line vty 0 4 access-class 23 in exec-timeout 120 0 login local length 0 ! scheduler max-task-time 5000 ! banner motd | Rattus Hacking Software
You require authorisation to connect to this device. If you are not authorised to connect to this device please disconnect now.
| ! end