jimmycher asked:

Can you run NFS inside of two IPSec tunnels

We have two older Cisco routers, running IPSec over Frame Relay in a lab. We can successfully run our application using only that tunnel. When we add ASAs on the outside of those routers, and build a second tunnel, our application fails (it uses NFS, and a quick packet capture shows that may be the issue).

I should also mention the hosts are running Linux IPSec, so this would be a total of three tunnels.

Any help is appreciated.
giltjr

I'm confused on the setup.

This is what I think you have that works:

NFS SERVER <--- Cisco Router --> VPN TUNNEL #1 <--- Cisco Router --> NFS CLIENT


Sort of what does not work:

NFS SERVER <--- Cisco Router --> <--- ASA --> VPN TUNNEL #2 <--- ASA --> <--- Cisco Router --> NFS CLIENT
                      |                                                              |
                      \-------------------------- VPN TUNNEL #1 ---------------------/

Is VPN Tunnel #1 going through VPN Tunnel #2? Or are they "side by side"?
jimmycher (asker)

NFS Server >> ASA >> Router >> Frame Relay Cloud >> Router >> ASA >> NFS Client
                     ||........... Tunnel #1 ...........||
              ||================== Tunnel #2 ==================||
||,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, Linux Tunnel ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,||
giltjr

What do you mean by "Linux Tunnel"?

I guess my definition of "outside" is different from yours. However, my question still stands. Is Tunnel #2 logically inside Tunnel #1? Meaning, does Tunnel #2 traffic flow inside of Tunnel #1? Or does Tunnel #2 traffic flow directly over the frame link?
jimmycher (asker)

The NFS Client and Server are Linux devices, and they have an IPSec Tunnel between the servers, completely independent of the Cisco devices. That is what I call a Linux Tunnel. That data is encrypted in an IPSec Tunnel by the ASAs. The ASAs connect to Frame Relay capable routers. The routers encrypt the tunnel again, before placing it on the Frame Relay network.
giltjr

So you have 3 tunnels? Why so many tunnels?

Oh well, technically it should work. However, with the overhead of all the encryption/decryption, depending on the latency of the link, NFS could be timing out.

What did the packet capture show?
jimmycher (asker)

I'll take a look and see what I can post. All of this is done in a lab, so there is no latency for distance.
giltjr

O.K. Although I have never personally experienced it, I have read in a few places that when you do too much encryption, there are times where decryption will have a problem.

You are taking traffic and encrypting it 3 times, which on the decryption side could cause problems. I would also think there could be possible problems with MTU sizes and fragmentation. A 1500 byte NFS packet that goes into a VPN "packet" that goes into another VPN "packet", that goes into another VPN "packet".
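Added example, not from the thread: a byte budget for a packet wrapped in one, two or three ESP tunnel-mode layers, showing how far a 1500-byte NFS datagram overshoots a 1500-byte link and which inner packet size and TCP MSS would avoid fragmentation at every layer. The per-layer overheads are assumptions (IPv4 outer header, ESP header, 16-byte IV, block padding, 2-byte trailer, 12-byte ICV, i.e. AES-CBC with HMAC-SHA1-96, no NAT-T); real Cisco, ASA and Linux settings may differ.

```python
# Effective-MTU budget for traffic nested in several IPsec ESP tunnels.
# Assumed per-layer sizes (ESP tunnel mode, IPv4, AES-CBC + HMAC-SHA1-96):
OUTER_IP = 20   # new outer IPv4 header added by tunnel mode
ESP_HDR = 8     # SPI + sequence number
IV = 16         # AES-CBC initialisation vector
BLOCK = 16      # cipher block size; plaintext+trailer is padded to it
TRAILER = 2     # pad-length + next-header bytes
ICV = 12        # truncated HMAC-SHA1 integrity check value


def esp_tunnel_size(inner_len: int) -> int:
    """Wire size of one ESP tunnel-mode packet carrying inner_len bytes."""
    padded = -(-(inner_len + TRAILER) // BLOCK) * BLOCK  # round up to BLOCK
    return OUTER_IP + ESP_HDR + IV + padded + ICV


def nested_size(inner_len: int, layers: int) -> int:
    """Wire size after wrapping a packet in `layers` ESP tunnels in turn."""
    size = inner_len
    for _ in range(layers):
        size = esp_tunnel_size(size)
    return size


def max_inner_packet(link_mtu: int, layers: int) -> int:
    """Largest inner IP packet that fits link_mtu without fragmenting anywhere."""
    lo, hi = 0, link_mtu
    while lo < hi:  # binary search; nested_size is non-decreasing in inner_len
        mid = (lo + hi + 1) // 2
        if nested_size(mid, layers) <= link_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def tcp_mss_for(link_mtu: int, layers: int) -> int:
    """TCP MSS clamp so NFS-over-TCP segments never need fragmentation."""
    return max_inner_packet(link_mtu, layers) - 20 - 20  # IPv4 + TCP headers


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"{n} tunnel(s): 1500-byte NFS packet -> {nested_size(1500, n)} bytes"
              f" on the wire; max inner packet {max_inner_packet(1500, n)},"
              f" TCP MSS {tcp_mss_for(1500, n)}")
```

With these assumptions a 1500-byte packet grows to 1560, 1624 and 1688 bytes under one, two and three tunnels, so every layer would have to fragment on a 1500-byte link; NFS over UDP with 8 KB read/write sizes is already fragmented before the first tunnel, which is why clamping MSS only helps the TCP case.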
jimmycher (asker)

Thanks Giltjr,

I concur with your logic.
What is the best way to try to work around it? Change the MSS? Change the MTU?

Where would you start?

jc
ASKER CERTIFIED SOLUTION
giltjr
jimmycher (asker)

Just what I needed, many thanks.
Good work.