Traffic slow down after enable IPsec on DSVPN

Created: Nov 15, 2017 03:26:58 | Latest reply: Mar 22, 2018 14:40:15
  Rewarded HiCoins: 1 (problem resolved)
This post was last edited by user_2938205 at 2017-11-15 03:26.

Hi All


We are testing a DSVPN setup between the HQ and the branches. Everything was all right (the Hub LAN PC was able to communicate with the Spoke LAN PC) until we applied the IPsec profile to the tunnel. With the IPsec profile enabled, we can ping the spoke loopback and LAN IP address, but not the PC behind the LAN. We have at least 50% packet loss when we try to ping the PC from Hub to Spoke.

Someone told me to adjust the MTU and MSS to overcome this issue; however, I have made a few changes to the tunnel MTU and MSS, and the result is still the same.

I wonder whether you have had the same problem as me, and I would like to seek your help to resolve this issue. Thanks.

Below is my sample of the configuration for Hub and Spoke.

Hub
#  
acl name GigabitEthernet0/0/8 2999  
 rule 5 permit 
#
ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group5
 authentication-algorithm aes-xcbc-mac-96
 prf aes-xcbc-128
#
ike peer hub v2
 pre-shared-key cipher %^%#k0:nkuol:Z~x*%wh4rdQwDJ%f'8Q5<]_nHSBewEB%^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
#                                         
ipsec profile profile1
 ike-peer hub
 proposal pro1
#
sa
#
#
interface Vlanif1
 ip address 192.168.50.251 255.255.255.0
#
interface GigabitEthernet0/0/0
 description LAN Connection
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 description Router to Peplink
#                                         
interface GigabitEthernet0/0/8
 description WAN Connection
 ip address 1.1.1.2 255.255.255.248
 tcp adjust-mss 1200
 nat outbound 2999 
#
interface GigabitEthernet0/0/9
 ip address 192.168.168.168 255.255.255.0
#
interface GigabitEthernet0/0/10
 description VirtualPort
#
interface Cellular0/0/0
#
interface Cellular0/0/1
#
interface NULL0
#
interface LoopBack0
 ip address 10.168.50.1 255.255.255.0
#
interface Tunnel0/0/8
 mtu 1400
 tcp adjust-mss 1360
 ip address 172.16.16.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/8              
 gre key cipher %^%#DML0>CId3L_`uI*$I+|GQ=Px~9Z9u)zv;EX8"`+F%^0#
 ospf network-type broadcast
 ospf dr-priority 100
 ipsec profile profile1
 nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.16.1
 area 0.0.0.1
  network 10.168.50.0 0.0.0.255
  network 172.16.16.0 0.0.0.255
  network 192.168.50.0 0.0.0.255
#
 info-center timestamp log format-date
#
 snmp-agent local-engineid 80000JHB0338CC6K60184E
#
 stelnet server enable 
 ssh server port 22338
#
 http secure-server port 43388
 http secure-server ssl-policy default_policy
 http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/8 1.1.1.1
#                                         
user-interface con 0
 authentication-mode aaa
user-interface vty 0
 acl 2998 inbound
 authentication-mode aaa
 user privilege level 15
user-interface vty 1 4
 acl 2998 inbound
 authentication-mode aaa
#
wlan ac
#
 ntp-service unicast-server 129.250.35.251
#
voice 
 #
 diagnose
#
ops
#
autostart
#

Spoke
#
acl name GigabitEthernet0/0/4.1 2998  
 rule 5 permit                            
#
ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group5
 authentication-algorithm aes-xcbc-mac-96
 prf aes-xcbc-128
#
ike peer spoke1 v2
 pre-shared-key cipher %^%#3vJFDv*x7k^&1.:_d/4>TxSK7*cASF~`g%MkF6->)^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
#
ipsec profile profile1
 ike-peer spoke1
 proposal pro1
#
#
interface Dialer1
 link-protocol ppp
 ppp chap user huaweirouter@domain
 ppp chap password cipher %^%#W%-lRX.e8C{#b93]@N+U@'vKjss=)uA0Hndd<Y>W}Q%^%#
 ppp pap local-user huaweirouter@domain password cipher %^%#`7ZBVO>p:loqhY#N|SAv(bRqk(js<%msvddd5bc,JrAhO%^%#
 ppp ipcp dns admit-any
 ppp ipcp dns request
 mtu 1492
 tcp adjust-mss 1200
 ip address ppp-negotiate
 dialer user arweb
 dialer bundle 1                          
 dialer-group 2
 nat outbound 2998 
#
interface Vlanif1
 ip address 192.168.200.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 192.168.200.2 192.168.200.99 
 dhcp server excluded-ip-address 192.168.200.160 192.168.200.254 
 dhcp server dns-list 208.67.222.222 8.8.8.8 
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/4.1
 pppoe-client dial-bundle-number 1 
 dot1q termination vid 500
#                                         
interface GigabitEthernet0/0/5
 description VirtualPort
#
interface Cellular0/0/0
#
interface NULL0
#
interface LoopBack0
 ip address 10.168.200.1 255.255.255.0
#
interface Tunnel0/0/4
 mtu 1400
 tcp adjust-mss 1360
 ip address 172.16.16.2 255.255.255.0
 tunnel-protocol gre p2mp
 source Dialer1
 gre key cipher %^%#ti$w4*IBZIF/Qg9jCb;K<IuklB&323N+X:Dy@UV3L0A%^%#
 ospf network-type broadcast
 ospf dr-priority 0
 ipsec profile profile1
 nhrp entry 172.16.16.1 1.1.1.1 register
#
dialer-rule
 dialer-rule 1 ip permit
 dialer-rule 2 ip permit
#
ospf 1 router-id 172.16.16.2              
 area 0.0.0.1
  network 10.168.200.0 0.0.0.255
  network 172.16.16.0 0.0.0.255
  network 192.168.200.0 0.0.0.255
#
 info-center timestamp log format-date
#
 snmp-agent local-engineid 800007DB032C55D3C3DA29
#
 stelnet server enable 
 ssh server port 22338
#
 http secure-server port 44388
 http secure-server ssl-policy default_policy
 http server enable
 http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
fib regularly-refresh disable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0                      
 authentication-mode aaa
 user privilege level 15
user-interface vty 1 4
 authentication-mode aaa
#
wlan ac
#
 ntp-service unicast-server 129.250.35.251
#
voice 
 #
 diagnose
#
ops
#
autostart
#
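The MTU and MSS question in the post is easier to reason about once the encapsulation overhead is written out. The Python below is an added worked example, not code from the original post or from Huawei. It assumes the RFC header sizes for GRE with a Key field, AH with a 128-bit truncated SHA2-256 ICV, and ESP with AES-CBC (16-byte IV, padding to a 16-byte block) plus a 128-bit ICV, and it assumes the IPsec proposal runs in tunnel mode (the usual default when no encapsulation mode is configured; confirm on the device with `display ipsec proposal`). The function and constant names are my own, and the 1500 and 1492 path MTUs are taken from Ethernet and from the spoke's `mtu 1492` dialer.

```python
# Added worked example (not from the post): estimate how large a packet sent
# through the DSVPN tunnel becomes once GRE and AH+ESP headers are added.
# Header sizes are the RFC values; the tunnel-mode assumption is labelled below.

IPV4_HDR = 20          # IPv4 header without options
TCP_HDR = 20           # TCP header without options
GRE_HDR_WITH_KEY = 8   # 4-byte GRE base header + 4-byte Key field ('gre key ...')
AH_HDR = 12 + 16       # AH fixed fields + 128-bit truncated SHA2-256 ICV
ESP_HDR = 8            # SPI + sequence number
ESP_IV = 16            # AES-CBC initialisation vector
ESP_TRAILER = 2        # pad length + next header
ESP_ICV = 16           # HMAC-SHA2-256 truncated to 128 bits
AES_BLOCK = 16         # AES-CBC pads plaintext + trailer to a 16-byte boundary


def esp_padded_len(plaintext_len, block=AES_BLOCK):
    """Plaintext plus ESP trailer, padded up to a whole number of cipher blocks."""
    return (plaintext_len + ESP_TRAILER + block - 1) // block * block


def outer_size(inner_len, tunnel_mode=True):
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    Assumed stack (tunnel mode is an assumption, not read from the post):
      outer IPv4 | AH | ESP hdr | IV | [delivery IPv4 | GRE | inner packet] | pad | trailer | ICV
    In transport mode the delivery IPv4 header is the outer header itself,
    so it is not counted a second time inside ESP.
    """
    gre_packet = GRE_HDR_WITH_KEY + inner_len
    if tunnel_mode:
        gre_packet += IPV4_HDR
    esp_len = ESP_HDR + ESP_IV + esp_padded_len(gre_packet) + ESP_ICV
    return IPV4_HDR + AH_HDR + esp_len


def max_inner_mtu(path_mtu, tunnel_mode=True):
    """Largest inner packet whose encapsulated form still fits in path_mtu."""
    inner = path_mtu
    while inner > 0 and outer_size(inner, tunnel_mode) > path_mtu:
        inner -= 1
    return inner


def suggested_mss(inner_mtu):
    """MSS to clamp on the tunnel so a full-size TCP segment fits the inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    # The post's tunnel MTU (1400), checked against Ethernet (1500) and the
    # spoke's PPPoE dialer MTU (1492).
    for path_mtu in (1500, 1492):
        wire = outer_size(1400)
        verdict = "fits" if wire <= path_mtu else f"exceeds by {wire - path_mtu}"
        print(f"path MTU {path_mtu}: inner 1400 -> {wire} bytes on the wire ({verdict})")
        fit = max_inner_mtu(path_mtu)
        print(f"  largest inner MTU that fits: {fit}, suggested tcp adjust-mss {suggested_mss(fit)}")
```

Under these assumptions a 1400-byte inner packet becomes 1528 bytes on the wire, which is larger than both a 1500-byte Ethernet MTU and the 1492-byte PPPoE dialer MTU, so the encrypted packet is fragmented after encapsulation and any drop of a fragment costs the whole packet; the largest inner MTU that fits 1492 is 1362 (MSS 1322). Small pings fit regardless of the setting, which is consistent with loopbacks answering while larger transfers suffer. The model is only an estimate, so confirm it on the box by sending a don't-fragment ping of increasing size through the tunnel (`ping -f -s <size>` on VRP) and by capturing on the WAN side to see whether fragments appear.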

All Answers
WoodWood, Created Nov 15, 2017 09:55:45

waiting for help

AdamLooi, Created Nov 20, 2017 02:23:39

In the end I resolved the issue myself.

StarOfWest, Created Mar 22, 2018 14:40:15

May we know what was the root-cause?