[VPN] IPSEC over load-shared T1s (per packet) (NxT1 and MLP)
TSimons at Delphi-Tech.com
Wed Sep 24 08:45:19 EDT 2003
Just a status update....
-The problem was ESP packets coming in out of sequence
-A guru member of the mailing list [FW-WIZ] said I should try to strong arm
the vendor into fixing this by recognizing and reordering the ESP packets,
but I didn't get far.
-Cisco recommended Multilink PPP, which aggregates the 2 T1s into one 3mbit
virtual interface; our ISP welcomed this change, and we put it through.
I'll be testing and monitoring today.
Links on Cisco's Site:
-Alternatives for High Bandwidth Connections Using Parallel T1/E1 Links
-Bundling NxT1 Links With a Multilink Interface
Changes to our Cisco Router:
1.) Create INT MULTILINK 1 (virtual interface):
    interface Multilink1
     ip address ?.?.?.? 255.255.255.252
     ip verify unicast source reachable-via any allow-self-ping 108
     no ip directed-broadcast
     no ip route-cache cef
     no ip route-cache
     no cdp enable
     no ppp multilink fragmentation
     multilink load-threshold 1 either
2.) Strip back IP addresses from member Serial Interfaces and add the
following to each Interface:
     no ip route-cache distributed
     ip unnumbered Multilink1
To view the status of the new multi1 interface use "sh ppp multilink":
SL-Gateway#sh ppp multilink
Multilink1, bundle name is [remote router name]
Bundle up for 10:57:52
1 lost fragments, 16609 reordered, 0 unassigned
0 discarded, 0 lost received, 6/255 load
0x828E9 received sequence, 0x61758 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Serial0/0, since 10:57:52, last rcvd seq 0828E5
Serial0/1, since 10:57:50, last rcvd seq 0828E8
Hope this helps!!
From: TSimons at Delphi-Tech.com [mailto:TSimons at Delphi-Tech.com]
Sent: Thursday, September 18, 2003 9:08 AM
To: vpn at lists.shmoo.com
Subject: [VPN] IPSEC over load-shared T1s (per packet)
Recently we doubled our internet bandwidth to two T1s from the same provider
that terminate in the same router on the NOC side.
We set up IP LOAD-SHARING PER-PACKET on each of the serial links on both
sides (NOC and Us) in order to get an aggregate 3.0mbit. PER-PACKET routing
alternates usage of the T1s, one for one...
Since then, VPN performance has taken a dive. Sniffing out traffic, ESP
packets are sent 3-4 times before they can be properly decrypted.
Someone along the way said that using PER-PACKET routing changes the CRC
value of the packets. Is this correct, has anyone else seen this issue? I
can't see how the CRC is changed, the hop count isn't changing, the lines
are identical, and they terminate in the same router, so the last hop is the
F0/0 interface of the router before getting to the firewall.
Todd M. Simons
Senior MIS Engineer
Dell Tier 1 PA Technician
Delphi Technology, Inc.
New Brunswick, NJ
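The symptom in both messages (ESP packets arriving out of sequence once per-packet load sharing starts alternating the two T1s, then being rejected until they are sent again) is a consequence of the ESP receiver's anti-replay window: a packet whose sequence number is older than the bottom of the window is discarded even though its integrity check would pass, so the problem is ordering, not corruption. The simulation below is an added example, not code from the original post or from Cisco. The window logic follows the sliding-window check in RFC 4303 section 3.4.3 with a 64-entry default; the two-link delay model, the packet counts and the delays are constructed for illustration, and the window size of the poster's own firewall is not known from the thread.

```python
"""Why per-packet load sharing breaks ESP: an anti-replay window simulation.

Added example (not from the original post or Cisco). The receive window follows
the sliding-window check in RFC 4303 section 3.4.3; the two-link delay model and
the packet stream are constructed to illustrate the effect, not measured data.
"""


class AntiReplayWindow:
    """ESP receive-side anti-replay window covering `size` sequence numbers."""

    def __init__(self, size=64):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit k set => sequence number (top - k) already seen

    def check_and_update(self, seq):
        """Return True and record `seq` if the receiver accepts it, else False."""
        if seq <= 0:
            return False                      # ESP never transmits sequence 0
        if seq > self.top:
            # New high-water mark: slide the window right and mark the new top.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # every older entry fell out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: dropped
        if self.bitmap & (1 << offset):
            return False                      # duplicate: replay, dropped
        self.bitmap |= 1 << offset            # late but inside the window: accepted
        return True


def per_packet_arrival_order(n_packets, link_delays):
    """Order in which per-packet load sharing delivers sequence numbers 1..n.

    Packet i leaves at tick i over link i % len(link_delays) (the one-for-one
    alternation the poster described) and lands at tick i + that link's delay.
    Ties keep sending order. Constructed model: real links add jitter on top.
    """
    arrivals = sorted(
        (i + link_delays[i % len(link_delays)], i) for i in range(1, n_packets + 1)
    )
    return [seq for _, seq in arrivals]


def receive(order, window_size):
    """Feed an arrival order through the window; return (accepted, dropped)."""
    win = AntiReplayWindow(window_size)
    accepted, dropped = [], []
    for seq in order:
        (accepted if win.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


if __name__ == "__main__":
    # Two T1s whose one-way delays differ by three ticks: every other packet
    # arrives one position late. A 64-entry window absorbs that; a receiver
    # that insists on strict order drops half the stream.
    mild = per_packet_arrival_order(20, (0, 3))
    print("mild reorder, window 64: dropped", receive(mild, 64)[1])
    print("mild reorder, window 1:  dropped", receive(mild, 1)[1])
    # One link backed up by 200 ticks: the late packets land outside even a
    # 64-entry window and are discarded although they are authentic.
    deep = per_packet_arrival_order(300, (0, 200))
    print("deep reorder, window 64: dropped", len(receive(deep, 64)[1]), "of 300")
```

Two things follow for the fix in the status message above. Multilink PPP resequences fragments and packets at the bundle before IP ever sees them, which is why the `16609 reordered` counter in the `sh ppp multilink` output is healthy rather than alarming: that reordering now happens below ESP instead of in front of it. And if a bundle is not an option, the `dropped` list is the number to watch on the decrypting side, since a replay-window drop counter climbing in step with per-packet load sharing confirms the ordering diagnosis without a capture.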
VPN mailing list
VPN at lists.shmoo.com