I'm not quite sure exactly what boxes form the IPSec relationship. Are you
saying (a) the Netopia talks directly to the 3015 or (b) PCs (who would have
VPN Client software) on the LAN side of the Netopia are talking to the 3015?

When installing the VPN Client you are prompted to change the MTU size, I
believe to 1460.

Make sure that the Netopia isn't blocking your traffic. Try this:
http://www.cisco.com/warp/public/471/vpn_3000_faq.shtml#Q3

You might want the entire FAQ section. Just leave off the #Q3 of the above
URL.
One level higher - watch the wrap:
http://www.cisco.com/warp/public/471/top_issues/vpn/vpn_index.shtml

> -----Original Message-----
> From: David Armstrong [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 12:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: 3015 VPN Concentrator & MTU's [7:39010]
> 
> 
> Unfortunately the Netopia's MTU size can't be changed so nothing is an
> option. I'm interested in your thought on which side needs changing though.
> Packets larger than (somewhere around) 1400 bits can't traverse the Netopia
> R9100 but can traverse the 3015 VPN Concentrator. To me that would seem to
> mean that the size of the packets sent from the 3015 to the Netopia are too
> large for the Netopia. Increasing the Netopia's MTU would allow it to see
> larger frames and therefore not fragment them as they come across. Since I'm
> able to sit on the Netopia and send packets across the 3015 into our network
> but am unable to send them from inside the Netopia's network across to the
> 3015 it seems that the problem is stemming from too small MTU size on the
> Netopia (packet comes to the inside interface of the Netopia R9100, is
> encapsulated and framed with an IPSec header added to the frame for
> encryption then sent to the outside interface of the Netopia. The outside
> interface fragments frames greater than 1500 bits and thus sends fragments
> out the DSL modem into the Internet - I think).
>
> I could be thinking in the wrong direction though and if I am would like to
> get thinking in the right. Currently it doesn't appear that I can decrease
> or increase MTU size on either device which leaves me thinking that my
> options are two: get a router to replace the Netopia that allows changes to
> MTU or change the settings for IPSec to decrease the size of the header it
> adds to the packet when the frame is created. I'm focusing on the second
> now. I need to get a better understanding of the components of IPSec first
> though.
>
> Thanks for your input,
> 
> David Armstrong
> 
> 
> "Daniel Cotts" wrote in message news:[EMAIL PROTECTED]...
> > Seems that you need to decrease the MTU on the client (Netopia) side
> > rather than increase it.
> >
> > > -----Original Message-----
> > > From: David Armstrong [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, March 20, 2002 11:17 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: 3015 VPN Concentrator & MTU's [7:39010]
> > >
> > >
> > > We have a 3015 VPN concentrator that I've connected to a vendor who has a
> > > Netopia R9100 router with a DSL (PPPoE) connection to the Internet. The
> > > tunnel is fine but anything larger than ICMP dies. From talking to Netopia's
> > > tech support the problem is that the Netopia R9100 with PPPoE supports MTU's
> > > of 1500 bits and can't be increased. I've sent pings with larger data
> > > packets and, sure enough, they died too. Given the vendor's equipment the
> > > solution appears to be to decrease MTU size on the 3015; however, I can't
> > > find a way to do this.
> > >
> > > Does anyone have any suggestions?
> > >
> > > Thanks,
> > >
> > > David Armstrong
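
Added example, not part of the original thread: the arithmetic behind the MTU discussion above, computing how much ESP tunnel-mode encapsulation adds to a packet and the largest inner packet that fits an Ethernet or PPPoE link without fragmentation. The transform labels and function names are assumptions made for this sketch; sizes are in bytes and assume IPv4 with no options.

```python
# Added example: ESP tunnel-mode overhead versus a PPPoE link MTU.
# Transform labels are names chosen here, not device configuration keywords.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol ID
OUTER_IP = 20        # new IPv4 header added in tunnel mode (no options)
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# label -> (IV bytes, cipher block bytes, ICV bytes)
TRANSFORMS = {
    "DES/3DES-CBC + HMAC-96 auth": (8, 8, 12),
    "AES-CBC + HMAC-96 auth": (16, 16, 12),
    "DES/3DES-CBC, no auth": (8, 8, 0),
}

def esp_packet_size(inner_len, iv, block, icv, nat_t=False):
    """Outer packet size after ESP tunnel-mode encapsulation of inner_len bytes."""
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    udp = 8 if nat_t else 0  # UDP encapsulation header when NAT traversal is used
    return OUTER_IP + udp + ESP_HEADER + iv + padded + icv

def max_inner_packet(link_mtu, iv, block, icv, nat_t=False):
    """Largest inner IP packet whose encapsulated form still fits link_mtu."""
    for inner in range(link_mtu, 0, -1):
        if esp_packet_size(inner, iv, block, icv, nat_t) <= link_mtu:
            return inner
    return 0

def report():
    """Rows of (link, transform, max inner packet, matching TCP MSS)."""
    rows = []
    links = (("Ethernet", ETHERNET_MTU), ("PPPoE", ETHERNET_MTU - PPPOE_OVERHEAD))
    for link_name, mtu in links:
        for label, (iv, block, icv) in TRANSFORMS.items():
            inner = max_inner_packet(mtu, iv, block, icv)
            rows.append((link_name, label, inner, inner - 40))  # 40 = IP + TCP headers
    return rows

if __name__ == "__main__":
    for link, label, inner, mss in report():
        print(f"{link:8} {label:28} max inner packet {inner:4}  TCP MSS {mss}")
```

Any inner packet larger than the reported value is fragmented, or dropped if it carries the DF bit, once the ESP headers are added, which is why lowering the MTU on the sending hosts is the usual fix.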




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39108&t=39010