Can you run NFS inside of two IPSec tunnels

Posted on 2015-01-06
Last Modified: 2015-01-09
We have two older Cisco routers, running IPSec over Frame Relay in a lab. We can successfully run our application using only that tunnel. When we add ASAs on the outside of those routers, and build a second tunnel, our application fails (it uses NFS, and a quick packet capture shows that may be the issue).

I should also mention the hosts are running Linux IPSec, so this would be a total of three tunnels.

Any help is appreciated.
Question by:jimmycher
LVL 57

Expert Comment

ID: 40538170
I'm confused on the setup.

This is what I think you have that works:

NFS SERVER <--- Cisco Router --> VPN TUNNEL #1 <--- Cisco Router --> NFS CLIENT

Sort of what does not work:

NFS SERVER <--- Cisco Router --> <--- ASA --> VPN TUNNEL #2 <--- ASA --> <--- Cisco Router --> NFS CLIENT
                 |                                                        |
                 \-----------------------> VPN TUNNEL #1 <---------------/

Is VPN tunnel #1 going through VPN TUNNEL#2?  Or are the "side by side"?

Author Comment

ID: 40539176
NFS Server >> ASA >> Router >> FrameRelay Cloud >> Router >> ASA >> NFS Client
                      ||.......... Tunnel #1 ..........||
              ||============== Tunnel #2 ==============||
     ||,,,,,,,,,,,,,,,,,,,,,, Linux Tunnel ,,,,,,,,,,,,,,,,,,,,,,,||

Expert Comment

ID: 40539268
What do you mean by "Linux Tunnel"?

I guess my definition of "outside" is different from yours. However, my question still stands. Is Tunnel #2 logically inside Tunnel #1, meaning does Tunnel #2 traffic flow inside of Tunnel #1? Or does Tunnel #2 traffic flow directly over the Frame Relay link?

Author Comment

ID: 40539279
The NFS Client and Server are Linux devices, and they have an IPSec tunnel between the servers, completely independent of the Cisco devices. That is what I call a Linux Tunnel. That data is encrypted in an IPSec tunnel by the ASAs. The ASAs connect to Frame Relay capable routers. The routers encrypt the tunnel again, before placing it on the Frame Relay network.

Expert Comment

ID: 40539292
So you have 3 tunnels?  Why so many tunnels?

Oh well, technically it should work. However, with the overhead of all the encryption/decryption, and depending on the latency of the link, NFS could be timing out.

What did the packet capture show?

Author Comment

ID: 40540183
I'll take a look and see what I can post.   All of this is done in a lab, so there is no latency for distance.

Expert Comment

ID: 40540257
O.K. Although I have never personally experienced it, I have read in a few places that when you do too much encryption, there are times where decryption will have a problem.

You are taking traffic and encrypting it 3 times, which on the decryption side could cause problems. I would also think there could be possible problems with MTU sizes and fragmentation: a 1500 byte NFS packet that goes into a VPN "packet", that goes into another VPN "packet", that goes into another VPN "packet".

Author Comment

ID: 40540270
Thanks Giltjr,

I concur with your logic.  
What is the best way to try to work around it?  Change the MSS?   Change the MTU?

Where would you start?


Accepted Solution

giltjr earned 500 total points
ID: 40540325
First thing I would do is re-evaluate why so many VPN tunnels.

Do you really need an IPSec tunnel between the two end points? If all you are doing is an NFS mount, what about trying NFS over an SSH session? If the production setup is going to be going over a WAN link, you could use SSH compression to reduce the amount of data sent over the wire and improve performance a little.

Do you really need the router-to-router VPN and the ASA-to-ASA VPN? Could you remove one of those?

If you really need all the tunnels, I would make sure that the MTU between the two routers is as big as possible. Then make the VPN tunnel MTU between the two ASAs 40 or so bytes less than that.
Then I would set up a specific route on the Linux boxes to each other with an MTU of 40 or so bytes less than the MTU between the two ASAs.

To start with, you may just want to set up the route-specific MTU between the two Linux boxes. An MTU of 512 should be small enough that it fits within all the tunnels.

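The MTU budgeting described in the accepted solution (and the nested-encapsulation worry in the earlier comment) can be worked out exactly rather than with a flat "40 or so bytes" per layer. The following is an added example, not code from the thread or from either poster: it sizes an ESP packet for each of the three tunnel layers (Linux host-to-host, ASA-to-ASA, router-to-router), walks the budget inward from the Frame Relay link MTU, and emits the `ip route ... mtu` and `ping -M do` commands you would run on the Linux hosts. The cipher-suite parameters (AES-CBC with a 16-byte IV, HMAC-SHA1-96, tunnel mode, no NAT-T) and the peer address and interface name are assumptions, since the thread does not state them; adjust the `EspLayer` fields to match the actual SAs.

```python
"""Nested-IPsec MTU budget for the NFS-over-three-tunnels setup.

Added example, not from the original thread. Per-layer overhead follows
RFC 4303 ESP framing; cipher/integrity parameters are assumed defaults.
"""
from dataclasses import dataclass

IPV4_HDR = 20     # outer header (tunnel mode) or original header (transport)
UDP_HDR = 8       # only present with NAT traversal (UDP/4500)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header, inside the encrypted region


@dataclass(frozen=True)
class EspLayer:
    name: str
    cipher_block: int = 16    # AES block; CBC pads the encrypted region to this
    iv_len: int = 16          # AES-CBC IV (AES-GCM would be 8)
    icv_len: int = 12         # HMAC-SHA1-96; HMAC-SHA256-128 would be 16
    nat_t: bool = False       # True if the SA runs over UDP/4500
    tunnel_mode: bool = True  # False for transport mode (host-to-host)


def esp_packet_size(layer: EspLayer, inner_len: int) -> int:
    """On-the-wire size of the ESP packet carrying an inner IPv4 packet of inner_len bytes."""
    # Tunnel mode encrypts the whole inner packet; transport mode leaves the
    # original IPv4 header outside and encrypts only what follows it.
    encrypted = (inner_len if layer.tunnel_mode else inner_len - IPV4_HDR) + ESP_TRAILER
    padded = -(-encrypted // layer.cipher_block) * layer.cipher_block  # round up
    size = IPV4_HDR + ESP_HDR + layer.iv_len + padded + layer.icv_len
    if layer.nat_t:
        size += UDP_HDR
    return size


def mtu_plan(layers, link_mtu: int):
    """Largest packet each layer may accept so the outermost packet fits link_mtu.

    `layers` is ordered innermost first. Returns [(layer name, ingress MTU)]
    outermost first, which is the order you configure them in.
    """
    plan = []
    budget = link_mtu
    for layer in reversed(layers):
        inner = budget
        # esp_packet_size is monotone in inner_len, so step down until it fits.
        while inner > 0 and esp_packet_size(layer, inner) > budget:
            inner -= 1
        plan.append((layer.name, inner))
        budget = inner
    return plan


def max_inner_mtu(layers, link_mtu: int) -> int:
    """The route MTU to set on the Linux hosts (innermost layer's budget)."""
    return mtu_plan(layers, link_mtu)[-1][1]


def linux_route_commands(peer_ip: str, dev: str, mtu: int):
    """Commands for one Linux host: pin the MTU on the host route to its peer,
    then verify with a don't-fragment ping (-s excludes 20 IP + 8 ICMP bytes)."""
    return [
        f"ip route replace {peer_ip}/32 dev {dev} mtu {mtu}",
        f"ping -M do -s {mtu - 28} -c 3 {peer_ip}",
    ]


# Innermost first: Linux host SA, then the ASA SA, then the router SA.
DEFAULT_LAYERS = (EspLayer("linux"), EspLayer("asa"), EspLayer("router"))

if __name__ == "__main__":
    link_mtu = 1500  # assumed Frame Relay interface MTU between the routers
    for name, mtu in mtu_plan(DEFAULT_LAYERS, link_mtu):
        print(f"{name:>6}: accept inner packets up to {mtu} bytes")
    # Hypothetical peer address and interface; the thread names neither.
    for cmd in linux_route_commands("10.0.2.20", "eth0", max_inner_mtu(DEFAULT_LAYERS, link_mtu)):
        print(cmd)
```

With a 1500-byte link and AES-CBC/HMAC-SHA1 tunnel-mode SAs, each layer costs 56 to 64 bytes (20 outer IP + 8 ESP + 16 IV + 12 ICV plus padding), so the plan comes out as router 1438, ASA 1374, Linux 1310; a route MTU of 1310 on the hosts keeps every layer under 1500, whereas subtracting 40 per layer would leave the ASA and router fragmenting. Run the same `ping -M do` check with a size one byte larger to confirm the host reports "message too long" rather than silently fragmenting.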
Author Comment

ID: 40541542
Just what I needed, many thanks.

Author Closing Comment

ID: 40541543
Good work.
