Hi All
We are testing a DSVPN setup between the HQ and the branches. Everything works (a PC on the Hub LAN can communicate with a PC on the Spoke LAN) until we apply the IPsec profile to the tunnel. With the IPsec profile enabled, we can ping the spoke loopback and the spoke LAN interface IP address, but not the PC behind the LAN. We see at least 50% packet loss when we try to ping the PC from the Hub to the Spoke.
Someone told me to adjust the MTU and MSS to overcome this issue; however, I have made a few changes to the tunnel MTU and MSS, and the result is still the same.
I am wondering whether you have seen the same problem, and I would like to ask for your help in resolving this issue. Thanks.
Below is a sample of the configuration for the Hub and the Spoke.
Hub
#
acl name GigabitEthernet0/0/8 2999
rule 5 permit
#
ipsec proposal pro1
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group5
authentication-algorithm aes-xcbc-mac-96
prf aes-xcbc-128
#
ike peer hub v2
pre-shared-key cipher %^%#k0:nkuol:Z~x*%wh4rdQwDJ%f'8Q5<]_nHSBewEB%^%#
ike-proposal 1
dpd type periodic
dpd idle-time 40
#
ipsec profile profile1
ike-peer hub
proposal pro1
#
sa
#
#
interface Vlanif1
ip address 192.168.50.251 255.255.255.0
#
interface GigabitEthernet0/0/0
description LAN Connection
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
description Router to Peplink
#
interface GigabitEthernet0/0/8
description WAN Connection
ip address 1.1.1.2 255.255.255.248
tcp adjust-mss 1200
nat outbound 2999
#
interface GigabitEthernet0/0/9
ip address 192.168.168.168 255.255.255.0
#
interface GigabitEthernet0/0/10
description VirtualPort
#
interface Cellular0/0/0
#
interface Cellular0/0/1
#
interface NULL0
#
interface LoopBack0
ip address 10.168.50.1 255.255.255.0
#
interface Tunnel0/0/8
mtu 1400
tcp adjust-mss 1360
ip address 172.16.16.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/8
gre key cipher %^%#DML0>CId3L_`uI*$I+|GQ=Px~9Z9u)zv;EX8"`+F%^0#
ospf network-type broadcast
ospf dr-priority 100
ipsec profile profile1
nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.16.1
area 0.0.0.1
network 10.168.50.0 0.0.0.255
network 172.16.16.0 0.0.0.255
network 192.168.50.0 0.0.0.255
#
info-center timestamp log format-date
#
snmp-agent local-engineid 80000JHB0338CC6K60184E
#
stelnet server enable
ssh server port 22338
#
http secure-server port 43388
http secure-server ssl-policy default_policy
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/8 1.1.1.1
#
user-interface con 0
authentication-mode aaa
user-interface vty 0
acl 2998 inbound
authentication-mode aaa
user privilege level 15
user-interface vty 1 4
acl 2998 inbound
authentication-mode aaa
#
wlan ac
#
ntp-service unicast-server 129.250.35.251
#
voice
#
diagnose
#
ops
#
autostart
#
Spoke
#
acl name GigabitEthernet0/0/4.1 2998
rule 5 permit
#
ipsec proposal pro1
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group5
authentication-algorithm aes-xcbc-mac-96
prf aes-xcbc-128
#
ike peer spoke1 v2
pre-shared-key cipher %^%#3vJFDv*x7k^&1.:_d/4>TxSK7*cASF~`g%MkF6->)^%#
ike-proposal 1
dpd type periodic
dpd idle-time 40
#
ipsec profile profile1
ike-peer spoke1
proposal pro1
#
#
interface Dialer1
link-protocol ppp
ppp chap user huaweirouter@domain
ppp chap password cipher %^%#W%-lRX.e8C{#b93]@N+U@'vKjss=)uA0Hndd<Y>W}Q%^%#
ppp pap local-user huaweirouter@domain password cipher %^%#`7ZBVO>p:loqhY#N|SAv(bRqk(js<%msvddd5bc,JrAhO%^%#
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
tcp adjust-mss 1200
ip address ppp-negotiate
dialer user arweb
dialer bundle 1
dialer-group 2
nat outbound 2998
#
interface Vlanif1
ip address 192.168.200.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 192.168.200.2 192.168.200.99
dhcp server excluded-ip-address 192.168.200.160 192.168.200.254
dhcp server dns-list 208.67.222.222 8.8.8.8
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/4.1
pppoe-client dial-bundle-number 1
dot1q termination vid 500
#
interface GigabitEthernet0/0/5
description VirtualPort
#
interface Cellular0/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.168.200.1 255.255.255.0
#
interface Tunnel0/0/4
mtu 1400
tcp adjust-mss 1360
ip address 172.16.16.2 255.255.255.0
tunnel-protocol gre p2mp
source Dialer1
gre key cipher %^%#ti$w4*IBZIF/Qg9jCb;K<IuklB&323N+X:Dy@UV3L0A%^%#
ospf network-type broadcast
ospf dr-priority 0
ipsec profile profile1
nhrp entry 172.16.16.1 1.1.1.1 register
#
dialer-rule
dialer-rule 1 ip permit
dialer-rule 2 ip permit
#
ospf 1 router-id 172.16.16.2
area 0.0.0.1
network 10.168.200.0 0.0.0.255
network 172.16.16.0 0.0.0.255
network 192.168.200.0 0.0.0.255
#
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB032C55D3C3DA29
#
stelnet server enable
ssh server port 22338
#
http secure-server port 44388
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
fib regularly-refresh disable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0
authentication-mode aaa
user privilege level 15
user-interface vty 1 4
authentication-mode aaa
#
wlan ac
#
ntp-service unicast-server 129.250.35.251
#
voice
#
diagnose
#
ops
#
autostart
#