VPN over L2TP: patchy connectivity, while L2TP traffic without the VPN is fine.

We set up an L2 tunnel between two ADSL users.

At first nothing worked until we discovered the overhead of the L2 tunnel (40 bytes) and adjusted the MTUs to compensate, and all seemed good.

Then we added a VPN between these two users and things started to break again.

i.e. ping works down the VPN, and various other things do, but Terminal Services and Outlook trying to collect mail from the other endpoint do not.

It seems that the VPN again plays havoc with the MTU or packet fragmentation.

The config below fixed the initial issues.

username NET-TEST-L2TP password 7 08
username NET-TEST2-L2TP password 7 04
!
vpdn enable
vpdn multihop
vpdn search-order domain
vpdn domain-delimiter @ suffix
!
vpdn-group NET-TEST-L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname NET-TEST-L2TP
 source-ip 82.151.255.5
 local name NET-TEST-L2TP
 lcp renegotiation always
 l2tp tunnel password 7 151
 # Added these 2 lines to fix the initial issues.
 ip pmtu
 ip mtu adjust
!
vpdn-group NET-TEST2-L2TP
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname NET-TEST2-L2TP
 source-ip x.x.x.x
 local name NET-TEST2-L2TP
 lcp renegotiation always
 l2tp tunnel password 7 01
 # Added these 2 lines to fix the initial issues.
 ip pmtu
 ip mtu adjust
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 # Added this line as part of the fix.
 ip tcp adjust-mss 1400
 ip policy route-map clear-df
 no logging event link-status
 peer default ip address pool SPPOOL
 keepalive 60
 ppp authentication chap
 ppp multilink
 ppp multilink fragment disable
!
interface Virtual-Template2
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 # Added this line as part of the fix.
 ip tcp adjust-mss 1400
 ip policy route-map clear-df
 no logging event link-status
 peer default ip address pool SPPOOL
 keepalive 60
 ppp authentication chap
 ppp multilink
 ppp multilink fragment disable
!
# Added as part of the fix.
access-list 111 permit tcp any any
!
route-map clear-df permit 10
 match ip address 111
 set ip df 0

VPNs have the same types of issues as normal traffic had prior to the added lines above.

How do I get the VPN to compensate, or am I way off???

Help please. Gary

Reply to
Gary

In article , Gary wrote: :We set up an L2 tunnel between two ADSL users.

:At first nothing worked until we discovered the overhead of the L2 tunnel :(40 bytes) and adjusted the MTUs to compensate, and all seemed good.

:Then we added a VPN between these two users and things started to break again.

Read the documentation on the tcpmss sysopt, see the calculation there, remove from the equation the AH layer if you aren't using AH, subtract off the L2 tunnel overhead; also subtract off the size of an IP header with options if you are using NAT-T [to take into account UDP encapsulation.]

If you want a more exact number, temporarily disable the tcpmss sysopt and enable PMTUD (Path MTU Discovery) between two of the endpoints, and monitor to see what MTU they end up with.

Reply to
Walter Roberson
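The calculation Walter describes, carried through in Python as an added worked example (this is not code from the thread). It models the encapsulation stack the thread describes: a TCP segment inside an IPsec ESP tunnel-mode packet, which in turn rides inside the 40-byte L2TP overhead Gary measured. The ESP field sizes (AES-CBC with a 16-byte block and IV, HMAC-SHA1-96 with a 12-byte ICV, an 8-byte UDP header when NAT-T is in use, a 24-byte AH header when AH is in use) and the 1500- and 1492-byte link MTUs are assumptions for the example; substitute the values of the transform set and link actually in use. The important point it shows is that the ESP trailer padding depends on the payload length, so the largest MSS has to be searched for rather than obtained by subtracting a constant.

```python
import math

# Fixed header sizes in bytes. Assumed values for this example, not taken from the thread.
IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # ESP SPI + sequence number
NAT_T_UDP = 8        # UDP header added by NAT-T (RFC 3948) encapsulation
AH_HDR_SHA1 = 24     # AH header with a 96-bit HMAC-SHA1 ICV; use 0 when AH is not in use
L2TP_OVERHEAD = 40   # L2TP tunnel overhead measured in the original post


def esp_tunnel_len(inner_len, cipher_block=16, iv_len=16, icv_len=12,
                   nat_t=False, ah_len=0):
    """Wire length of an ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes.

    Defaults assume AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV).
    """
    # ESP trailer: the inner packet plus the 2 trailer bytes (pad length, next header)
    # is padded up to a multiple of the cipher block size.
    padded = math.ceil((inner_len + 2) / cipher_block) * cipher_block
    total = IP_HDR + ESP_HDR + iv_len + padded + icv_len   # outer IP + ESP + payload + ICV
    if nat_t:
        total += NAT_T_UDP
    return total + ah_len


def encapsulated_len(mss, l2tp_overhead=L2TP_OVERHEAD, **esp):
    """Bytes on the ADSL link for one full-size TCP segment carrying mss bytes of data."""
    inner = IP_HDR + TCP_HDR + mss
    return l2tp_overhead + esp_tunnel_len(inner, **esp)


def fits(mss, link_mtu, **kw):
    """True if a segment with this MSS crosses the link without fragmentation."""
    return encapsulated_len(mss, **kw) <= link_mtu


def max_mss(link_mtu, **kw):
    """Largest MSS whose segment fits link_mtu after IPsec and L2TP encapsulation.

    Walks downward instead of subtracting a constant because the ESP padding
    depends on the payload length.
    """
    for mss in range(link_mtu, 0, -1):
        if fits(mss, link_mtu, **kw):
            return mss
    raise ValueError("no MSS fits this link MTU")


if __name__ == "__main__":
    cases = [("AES/SHA1", {}),
             ("AES/SHA1 + NAT-T", {"nat_t": True}),
             ("3DES/SHA1", {"cipher_block": 8, "iv_len": 8}),
             ("AES/SHA1 + AH", {"ah_len": AH_HDR_SHA1})]
    for label, kw in cases:
        for mtu in (1500, 1492):
            print(f"{label:18} link MTU {mtu}: max MSS {max_mss(mtu, **kw)}")
    print("MSS 1400 fits a 1500-byte link:", fits(1400, 1500))
```

Under these assumptions max_mss(1500) is 1350 and max_mss(1492, nat_t=True) is 1334, and fits(1400, 1500) is False: the adjust-mss of 1400 in the posted config leaves room for the L2TP overhead but not for ESP on top of it. That is consistent with small packets (ping) passing while bulk TCP transfers such as RDP and Outlook mail collection stall, which is also what the PMTUD experiment Walter suggests would reveal directly.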

I think those are PIX commands.

The endpoints are routers, i.e. one Cisco router and one cheap and cheerful whatever ADSL router at the other end.

We own the router in the middle, which handles the VPDN or L2 tunnel to the ADSL provider, so they are invisible in the ADSL link.

It looks like this:

1. End user on whatever router connects via ADSL to the ADSL central pipe of our ADSL provider. We connect over VPDN to them, so we hand out our own address space.

2. The other ADSL endpoint is a Cisco router, and there are many connections coming in from remote offices to this Cisco router, which handles all the VPNs.

When not using a VPN between end users, all is OK.

What commands should I read about on the routers, as opposed to the PIX, please?

Gary

Reply to
Gary

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.