Can you run NFS inside of two IPSec tunnels

Posted on 2015-01-06
Last Modified: 2015-01-09
We have two older Cisco routers, running IPSec over Frame Relay in a lab. We can successfully run our application using only that tunnel. When we add ASAs on the outside of those routers, and build a second tunnel, our application fails (it uses NFS, and a quick packet capture shows that may be the issue).

I should also mention the hosts are running Linux IPSec, so this would be a total of three tunnels.

Any help is appreciated.
Question by:jimmycher
11 Comments

Expert Comment

by:giltjr
ID: 40538170
I'm confused on the setup.

This is what I think you have that works:

NFS SERVER <--- Cisco Router --> VPN TUNNEL #1 <--- Cisco Router --> NFS CLIENT


Sort of what does not work:
NFS SERVER <--- Cisco Router -->  <--- ASA --> VPN TUNNEL#2 <--- ASA--> <--- Cisco Router --> NFS CLIENT
                                      |                                                                                                               |
                                      \ ------------------------------->  VPN TUNNEL #1< ----------------------/

Is VPN tunnel #1 going through VPN TUNNEL #2? Or are they "side by side"?

Author Comment

by:jimmycher
ID: 40539176
NFS Server >> ASA >> Router >> FrameRelay Cloud >> Router >>  ASA  >>  NFS Client
                                     ||.................. Tunnel # 1  ..................||

                         ||=============== Tunnel # 2 ++++++++++++++++||

  ||,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,  Linux  Tunnel  ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,||

Expert Comment

by:giltjr
ID: 40539268
What do you mean by "Linux Tunnel"?

I guess my definition of "outside" is different from yours. However, my question still stands. Is Tunnel #2 logically inside tunnel #1? Meaning, does tunnel #2 traffic flow inside of tunnel #1? Or does tunnel #2 traffic flow directly over the frame link?

Author Comment

by:jimmycher
ID: 40539279
The NFS Client and Server are Linux devices, and they have an IPSec Tunnel between the servers, completely independent of the Cisco devices. That is what I call a Linux Tunnel. That data is encrypted in an IPSec Tunnel by the ASAs. The ASAs connect to Frame Relay capable routers. The routers encrypt the tunnel again, before placing it on the Frame Relay network.

Expert Comment

by:giltjr
ID: 40539292
So you have 3 tunnels?  Why so many tunnels?

Oh well, technically it should work. However, with the overhead of all the encryption/decryption, and depending on the latency of the link, NFS could be timing out.

What did the packet capture show?
Author Comment

by:jimmycher
ID: 40540183
I'll take a look and see what I can post. All of this is done in a lab, so there is no latency for distance.

Expert Comment

by:giltjr
ID: 40540257
O.K. Although I have never personally experienced it, I have read in a few places that when you do too much encryption, there are times when decryption will have a problem.

You are taking traffic and encrypting it 3 times, which on the decryption side could cause problems. I would also think there could be possible problems with MTU sizes and fragmentation. A 1500 byte NFS packet that goes into a VPN "packet" that goes into another VPN "packet", that goes into another VPN "packet".
Author Comment

by:jimmycher
ID: 40540270
Thanks Giltjr,

I concur with your logic.
What is the best way to try to work around it? Change the MSS? Change the MTU?

Where would you start?

jc
Accepted Solution

by: giltjr (earned 2000 total points)
ID: 40540325
First thing I would do is re-evaluate why so many VPN tunnels.

Do you really need an IPSec tunnel between the two end points? If all you are doing is an NFS mount, what about trying NFS over an SSH session? If the production setup is going to be going over a WAN link, you could use ssh compression to reduce the amount of data sent over the wire, and improve performance a little.

Do you really need the router-to-router VPN and the ASA-to-ASA VPN? Could you remove one of those?

If you really need all the tunnels, I would make sure that the MTU between the two routers is as big as possible. Then make the VPN tunnel MTU between the two ASAs 40 or so bytes less than that.
Then I would set up a specific route on the Linux boxes to each other with an MTU of 40 or so bytes less than the MTU between the two ASAs.

To start with, you may just want to set up the route-specific MTU between the two Linux boxes. An MTU of 512 should be small enough that it fits within all the tunnels.
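The fragmentation concern raised in the earlier comment (a 1500-byte NFS packet wrapped three times) and the "40 or so bytes less" sizing rule in the accepted solution can be worked through numerically. The following is an added example written for this page, not code from the thread or from any vendor. It assumes every layer is ESP in tunnel mode over IPv4 with AES-CBC (16-byte IV and block) and a 12-byte truncated HMAC; those parameters, the layer names, and the 10.0.0.x addresses in the emitted `ip route` command are all constructed assumptions, so the per-layer overhead it computes (56 bytes plus cipher padding) is more conservative than the 40-byte rule of thumb. It builds the inner MTU available at each of the three tunnels, checks whether a given packet survives all wraps without exceeding the link MTU, and prints the route-specific MTU command for the Linux hosts.

```python
"""Nested-IPsec MTU budget for a three-tunnel chain (added example, not from the thread).

Assumptions (not stated on the page): every layer is ESP tunnel mode over IPv4
with AES-CBC (16-byte IV, 16-byte block) and a 12-byte truncated HMAC ICV.
Adjust the Layer fields for other cipher suites or for transport mode.
"""
from __future__ import annotations

from dataclasses import dataclass

ESP_HEADER = 8   # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)


@dataclass(frozen=True)
class Layer:
    name: str
    outer_ip: int = 20   # outer IPv4 header added in tunnel mode (assumption)
    iv: int = 16         # AES-CBC IV (assumption)
    block: int = 16      # ESP pads the plaintext to a multiple of the cipher block
    icv: int = 12        # truncated HMAC-SHA1 ICV (assumption)


def esp_size(inner_len: int, layer: Layer) -> int:
    """Bytes on the wire after wrapping an inner_len-byte packet in one ESP tunnel."""
    unpadded = inner_len + ESP_TRAILER
    pad = (-unpadded) % layer.block          # bring plaintext to a block boundary
    return layer.outer_ip + ESP_HEADER + layer.iv + unpadded + pad + layer.icv


def max_inner(outer_mtu: int, layer: Layer) -> int:
    """Largest inner packet that still fits in outer_mtu after one wrap."""
    for n in range(outer_mtu, 0, -1):
        if esp_size(n, layer) <= outer_mtu:
            return n
    raise ValueError("outer MTU too small for any payload")


def mtu_chain(link_mtu: int, layers: list[Layer]) -> list[int]:
    """Inner MTU available at each layer, listed outermost first."""
    chain = []
    mtu = link_mtu
    for layer in layers:
        mtu = max_inner(mtu, layer)
        chain.append(mtu)
    return chain


def fits_without_fragmentation(packet_len: int, link_mtu: int, layers: list[Layer]) -> bool:
    """True if a packet_len-byte packet survives every wrap without exceeding link_mtu."""
    size = packet_len
    for layer in reversed(layers):   # the innermost tunnel wraps the packet first
        size = esp_size(size, layer)
    return size <= link_mtu


def host_route_command(peer: str, gateway: str, mtu: int) -> str:
    """iproute2 command for the route-specific MTU suggested in the accepted solution."""
    return f"ip route add {peer}/32 via {gateway} mtu {mtu}"


# Outermost first: router-to-router over Frame Relay, then ASA-to-ASA, then host-to-host.
LAB_LAYERS = [Layer("router-to-router"), Layer("ASA-to-ASA"), Layer("Linux host-to-host")]

if __name__ == "__main__":
    chain = mtu_chain(1500, LAB_LAYERS)
    for layer, mtu in zip(LAB_LAYERS, chain):
        print(f"{layer.name:<20} inner MTU {mtu}")
    # Constructed addresses: the NFS peer and the host's next hop.
    print(host_route_command("10.0.0.2", "10.0.0.1", chain[-1]))
    print("1500-byte NFS packet fits:", fits_without_fragmentation(1500, 1500, LAB_LAYERS))
    print("512-byte packet fits:", fits_without_fragmentation(512, 1500, LAB_LAYERS))
```

With a 1500-byte link and these parameters the innermost tunnel leaves 1310 bytes, so a full 1500-byte NFS datagram cannot pass without fragmentation, while the 512-byte value from the accepted solution fits comfortably. The route-specific MTU only governs what the host sends; the ASA and router tunnel MTUs still need to be set per the answer so the intermediate layers do not fragment on their own.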
Author Comment

by:jimmycher
ID: 40541542
Just what I needed, many thanks.
Author Closing Comment

by:jimmycher
ID: 40541543
Good work.