VPN over L2TP patchy connectivity while L2TP Traffic without VPN is fine.

We set up a L2 Tunnel bertween to ADSL users.

At first nothing worked until we discovered the overhead of the L2 Tunnel
(40 bytes) and adjusted MTU's to compensate and all seemed good.

Then we added a VPN between these 2 users and things started to break again.

i.e PIng works down the VPN and varoious other things but terminal services
and Outlook trying to collect mail from the other end point does not.

It seems that the VPN again plays havoc with the MTU or packet
fragmentation.

Config below fixed the initial issues.

username NET-TEST-L2TP password 7 08
username NET-TEST2-L2TP password 7 04

vpdn enable
vpdn multihop
vpdn search-order domain
vpdn domain-delimiter @ suffix
!
vpdn-group NET-TEST-L2TP
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname NET-TEST-L2TP
source-ip 82.151.255.5
local name NET-TEST-L2TP
lcp renegotiation always
l2tp tunnel password 7 151

#Added these 2 lines to fix initial issues.
ip pmtu
ip mtu adjust
!
vpdn-group NET-TEST2-L2TP
accept-dialin
protocol l2tp
virtual-template 2
terminate-from hostname NET-TEST2-L2TP
source-ip x.x.x.x
local name NET-TEST2-L2TP
lcp renegotiation always
l2tp tunnel password 7 01

#Added these 2 lines to fix initial issues.
ip pmtu
ip mtu adjust


interface Virtual-Template1
ip unnumbered Loopback0
no ip redirects
no ip proxy-arp

#Added this line as part fo the fix
ip tcp adjust-mss 1400
ip policy route-map clear-df
no logging event link-status
peer default ip address pool SPPOOL
keepalive 60
ppp authentication chap
ppp multilink
ppp multilink fragment disable
!
interface Virtual-Template2
ip unnumbered Loopback0
no ip redirects
no ip proxy-arp

#Added this line as part fo the fix
ip tcp adjust-mss 1400
ip policy route-map clear-df
no logging event link-status
peer default ip address pool SPPOOL
keepalive 60
ppp authentication chap
ppp multilink
ppp multilink fragment disable


#Added this line as part of the fix
access-list 111 permit tcp any any
!
route-map clear-df permit 10
match ip address 111
set ip df 0


VPN's have the same types off issues as normal traffic prior to the added
lines above.

How do I get the VPN to compensate or am I way off???

Help please.
Gary

 

:We set up a L2 Tunnel bertween to ADSL users.

:At first nothing worked until we discovered the overhead of the L2 Tunnel
40 bytes) and adjusted MTU's to compensate and all seemed good.

:Then we added a VPN between these 2 users and things started to break again.

Read the documentation on the tcpmss sysopt, see the calculation
there, remove from the equation the AH layer if you aren't using
AH, subtract off the L2 tunnel overhead; also subtract off
the size of an IP header with options if you are using NAT-T
[to take into account UDP encapsulation.]

If you want a more exact number, temporarily disable the
tcpmss sysopt and enable PMTUD (Path MTU Discovery) between
two of the endpoints, and monitor to see what MTU they end up with.

 

I think those are PIX commands.

The end points are routers i.e One cisco router and one cheap and cheerful
whatever ADSL router at the other end.

We own the router in the middle which handles the VPDN or L2 Tunnel to the
ADSL provider so they are invisible in the ADSL link.

It looks like this

1 End User on whatever router connects via ADSL to the ADSL Central PIPE of
our ADSL provider. We connect over VPDN to them so we hand out our own
address space.

The other ADSL end point is a Cisco router and there are many connections
coming in from remote offices to this Cisco router which handles all the
VPN's.

When not using a VPN between end users all is OK.

What commands should I read about on the routers as opposed to the PIX
please.

Gary