[VPN] IPSEC over load-shared T1s (per packet) (NxT1 and MLP)
TSimons at Delphi-Tech.com
Wed Sep 24 08:45:19 EDT 2003
Hello All
Just a status....
-The problem was ESP packets coming in out of sequence.
-A guru member of the mailing list [FW-WIZ] said I should try to strong-arm
the vendor into fixing this by recognizing and reordering the ESP packets,
but I didn't get far.
-Cisco recommended Multilink PPP, which aggregates the 2 T1s into one 3 Mbit
virtual interface; our ISP welcomed this change, and we put it through.
I'll be testing and monitoring today.
Links on Cisco's Site:
-Alternatives for High Bandwidth Connections Using Parallel T1/E1 Links
http://www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.pdf
-Bundling NxT1 Links With a Multilink Interface
http://www.cisco.com/warp/public/793/access_dial/ppp_11044.pdf
Changes to our Cisco Router:
1.) Create INT MULTILINK 1 (virtual interface)
interface Multilink1
ip address ?.?.?.? 255.255.255.252
ip verify unicast source reachable-via any allow-self-ping 108
no ip directed-broadcast
no ip route-cache cef
no ip route-cache
load-interval 30
no cdp enable
ppp multilink
no ppp multilink fragmentation
multilink load-threshold 1 either
multilink-group 1
2.) Strip back IP addresses from member Serial Interfaces and add the
following to each Interface:
encap ppp
no ip route-cache distributed
ip unnumbered Multilink1
ppp multilink
multilink-group 1
To view the status of the new multi1 interface use "sh ppp multilink":
SL-Gateway#sh ppp multilink
Multilink1, bundle name is [remote router name]
Bundle up for 10:57:52
1 lost fragments, 16609 reordered, 0 unassigned
0 discarded, 0 lost received, 6/255 load
0x828E9 received sequence, 0x61758 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Serial0/0, since 10:57:52, last rcvd seq 0828E5
Serial0/1, since 10:57:50, last rcvd seq 0828E8
SL-Gateway#
Hope this helps!!
~Todd
-----Original Message-----
From: TSimons at Delphi-Tech.com [mailto:TSimons at Delphi-Tech.com]
Sent: Thursday, September 18, 2003 9:08 AM
To: vpn at lists.shmoo.com
Subject: [VPN] IPSEC over load-shared T1s (per packet)
Hello All
Recently we doubled our internet bandwidth to two T1s from the same provider
that terminate in the same router on the NOC side.
We set up IP LOAD-SHARING PER-PACKET on each of the serial links on both
sides (NOC and us) in order to get an aggregate 3.0 Mbit. PER-PACKET routing
alternates usage of the T1s, one for one...
Since then, VPN performance has taken a dive. Sniffing out traffic, ESP
packets are sent 3-4 times before they can be properly decrypted.
Someone along the way said that using PER-PACKET routing changes the CRC
value of the packets. Is this correct? Has anyone else seen this issue? I
can't see how the CRC is changed: the hop count isn't changing, the lines
are identical, and they terminate in the same router, so the last hop is the
F0/0 interface of the router before getting to the firewall.
Thanks,
~Todd
__________________________________
Todd M. Simons
Senior MIS Engineer
Dell Tier 1 PA Technician
Delphi Technology, Inc.
New Brunswick, NJ
Note: The contents of this email do not constitute a legally binding
commitment.
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
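The symptom in the thread (ESP arriving out of sequence once packets alternate between two links) maps onto a mechanism the thread does not name: the ESP anti-replay window of RFC 4303. A receiver with anti-replay enabled accepts a packet only if its sequence number is above the highest number seen so far, or falls within the last W numbers and has not been seen yet; anything that arrives later than that is dropped before decryption is even attempted. The Python below is an added example, not code from the original thread, from Cisco, or from the firewall vendor. It implements the RFC 4303 Appendix A sliding window, models per-packet round-robin over two links with a constructed latency skew (a queueing-depth difference expressed in packet times), and compares the drop count with the in-order delivery that MLPPP resequencing restores. The packet counts, skew values and the 64-entry window size are assumed values chosen to make the effect visible.

```python
"""Added example: ESP anti-replay window (RFC 4303 Appendix A) versus
packet reordering caused by per-packet load sharing over two links.
Not code from the original thread; link skew and window size are assumed."""


class AntiReplayWindow:
    """Sliding window over the last `size` ESP sequence numbers.

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (top - i) has been accepted.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return True and record `seq` if it passes the replay check."""
        if seq == 0:
            return False  # sequence number 0 is never sent with anti-replay on
        if seq > self.top:
            # New high-water mark: slide the window up to `seq`.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # arrived too late: fell off the bottom of the window
        if self.bitmap & (1 << diff):
            return False  # replay or duplicate inside the window
        self.bitmap |= 1 << diff
        return True


def per_packet_arrival(n, skew):
    """Arrival order of ESP seqs 1..n sent round-robin over two links.

    Constructed model: packet `seq` leaves at time `seq`; every second
    packet rides the slower link and arrives `skew` time units later.
    Ties are broken by sequence number.
    """
    arrivals = []
    for seq in range(1, n + 1):
        slow_link = (seq % 2 == 0)
        arrivals.append((seq + (skew if slow_link else 0), seq))
    arrivals.sort()
    return [seq for _, seq in arrivals]


def in_order_arrival(n):
    """Arrival order once MLPPP has resequenced the bundle into one stream."""
    return list(range(1, n + 1))


def simulate(arrival_order, window_size=64):
    """Feed an arrival order through the window; return (accepted, rejected)."""
    win = AntiReplayWindow(window_size)
    accepted, rejected = [], []
    for seq in arrival_order:
        (accepted if win.check_and_update(seq) else rejected).append(seq)
    return accepted, rejected


if __name__ == "__main__":
    cases = [
        ("per-packet, skew 10", per_packet_arrival(400, 10)),
        ("per-packet, skew 200", per_packet_arrival(400, 200)),
        ("multilink (in order)", in_order_arrival(400)),
    ]
    for label, order in cases:
        ok, bad = simulate(order)
        print(f"{label:22s} accepted={len(ok):3d} dropped={len(bad):3d}")
```

With a skew smaller than the window, every reordered packet is still accepted, because it lands within the last 64 numbers and has not been seen before; once the slow link lags by more than the window, every packet on it is discarded as "too old" even though it is neither a replay nor corrupted, which is why the sender sees the same ESP packets retried rather than a CRC problem. Resequencing below IPsec (MLPPP) removes the reorder before the anti-replay check ever sees it; the alternative, widening the window on the receiver, trades a larger replay exposure for tolerance of reordering.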