Can you run NFS inside of two IPSec tunnels

Posted on 2015-01-06
Last Modified: 2015-01-09
We have two older Cisco routers running IPSec over Frame Relay in a lab. We can successfully run our application using only that tunnel. When we add ASAs on the outside of those routers and build a second tunnel, our application fails (it uses NFS, and a quick packet capture shows that may be the issue).

I should also mention the hosts are running Linux IPSec, so this would be a total of three tunnels.

Any help is appreciated.
Question by: jimmycher

Expert Comment

ID: 40538170
I'm confused on the setup.

This is what I think you have that works:

NFS SERVER <--- Cisco Router --> VPN TUNNEL #1 <--- Cisco Router --> NFS CLIENT

Sort of what does not work:

NFS SERVER <--- Cisco Router --> <--- ASA --> VPN TUNNEL #2 <--- ASA --> <--- Cisco Router --> NFS CLIENT
                 |                                                          |
                 \--------------------- VPN TUNNEL #1 ---------------------/

Is VPN tunnel #1 going through VPN TUNNEL#2?  Or are the "side by side"?

Author Comment

ID: 40539176
NFS Server >> ASA >> Router >> Frame Relay Cloud >> Router >> ASA >> NFS Client
                     ||........... Tunnel #1 ...........||
             ||=================== Tunnel #2 ===================||
||,,,,,,,,,,,,,,,,,,,,,,,,,,,,, Linux Tunnel ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,||

Expert Comment

ID: 40539268
What do you mean by "Linux Tunnel"?

I guess my definition of "outside" is different from yours. However, my question still stands. Is Tunnel #2 logically inside Tunnel #1, meaning does Tunnel #2 traffic flow inside of Tunnel #1? Or does Tunnel #2 traffic flow directly over the frame link?

Author Comment

ID: 40539279
The NFS client and server are Linux devices, and they have an IPSec tunnel between the servers, completely independent of the Cisco devices. That is what I call a Linux tunnel. That data is encrypted in an IPSec tunnel by the ASAs. The ASAs connect to Frame Relay capable routers. The routers encrypt the tunnel again before placing it on the Frame Relay network.

Expert Comment

ID: 40539292
So you have 3 tunnels?  Why so many tunnels?

Oh well, technically it should work. However, with the overhead of all the encryption/decryption, and depending on the latency of the link, NFS could be timing out.

What did the packet capture show?

Author Comment

ID: 40540183
I'll take a look and see what I can post. All of this is done in a lab, so there is no latency for distance.

Expert Comment

ID: 40540257
O.K. Although I have never personally experienced it, I have read in a few places that when you do too much encryption, there are times when decryption will have a problem.

You are taking traffic and encrypting it 3 times, which on the decryption side could cause problems. I would also think there could be possible problems with MTU sizes and fragmentation: a 1500-byte NFS packet that goes into a VPN "packet" that goes into another VPN "packet", that goes into another VPN "packet".

Author Comment

ID: 40540270
Thanks Giltjr,

I concur with your logic.
What is the best way to try to work around it? Change the MSS? Change the MTU?

Where would you start?


Accepted Solution

giltjr earned 500 total points
ID: 40540325
First thing I would do is re-evaluate why so many VPN tunnels.

Do you really need an IPSec tunnel between the two end points? If all you are doing is an NFS mount, what about trying NFS over an SSH session? If the production setup is going to be going over a WAN link, you could use SSH compression to reduce the amount of data sent over the wire and improve performance a little.

Do you really need the router-to-router VPN and the ASA-to-ASA VPN? Could you remove one of those?

If you really need all the tunnels, I would make sure that the MTU between the two routers is as big as possible. Then make the VPN tunnel MTU between the two ASAs 40 or so bytes less than that.
Then I would set up a specific route on the Linux boxes to each other with an MTU of 40 or so bytes less than the MTU between the two ASAs.

To start with, you may just want to set up the route-specific MTU between the two Linux boxes. An MTU of 512 should be small enough that it fits within all the tunnels.
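
Working the MTU arithmetic through, as an added example that is not part of the thread or of any of the posters' configurations: the script below models the nested ESP encapsulation described in the two comments above (a 1500-byte NFS packet wrapped by the Linux hosts, then the ASAs, then the routers) and computes, from the outer link inward, the largest packet each tunnel may accept without fragmenting. The ESP field sizes are the standard IPv4 ESP ones (SPI and sequence number, IV, padding to the cipher block size, pad-length and next-header trailer, ICV). Everything else is an assumption chosen to make the example concrete: a 1500-byte Frame Relay link MTU, AES-CBC with HMAC-SHA1-96 in transport mode on the Linux hosts, the same transform in tunnel mode on the ASAs, and 3DES-CBC with HMAC-SHA1-96 in tunnel mode on the older routers. With those transforms each layer costs 56 to 64 bytes plus block padding, so the budgets come out tighter than a flat 40 bytes per layer; substitute the lab's real transform sets. Note also that clamping TCP MSS only helps if the NFS mounts run over TCP; NFS over UDP relies on IP fragmentation, so it is the fragments themselves that must fit.

```python
"""Per-layer MTU budget for NFS packets nested in three IPsec ESP tunnels.

Added example for this thread, not code from the original posts. The ESP
field sizes follow RFC 4303 for IPv4; the link MTU, ciphers, modes and the
addresses in main() are assumptions and must be replaced with the lab's
real transform sets and addressing.
"""
import math
from dataclasses import dataclass

IPV4_HEADER = 20   # outer header in tunnel mode, original header in transport mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HEADER = 8     # only present with NAT-T (UDP 4500) encapsulation


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int         # IV bytes on the wire: 16 for AES-CBC, 8 for 3DES-CBC
    block: int          # padding alignment: the cipher block size for CBC modes
    icv_len: int        # 12 for HMAC-SHA1-96, 16 for HMAC-SHA256-128
    tunnel_mode: bool = True
    nat_t: bool = False


# Assumed transform sets, innermost layer first (Linux hosts, ASAs, routers).
LINUX_HOST = EspTransform("Linux host-to-host, AES-CBC/HMAC-SHA1-96, transport mode",
                          iv_len=16, block=16, icv_len=12, tunnel_mode=False)
ASA = EspTransform("ASA-to-ASA, AES-CBC/HMAC-SHA1-96, tunnel mode",
                   iv_len=16, block=16, icv_len=12)
ROUTER = EspTransform("router-to-router over Frame Relay, 3DES-CBC/HMAC-SHA1-96, tunnel mode",
                      iv_len=8, block=8, icv_len=12)


def esp_packet_len(inner_len: int, t: EspTransform) -> int:
    """Wire size of the ESP packet produced from an IP packet of inner_len bytes."""
    # Tunnel mode encrypts the whole inner IP packet and adds a new outer header;
    # transport mode encrypts only the payload and keeps the existing header.
    body = inner_len if t.tunnel_mode else inner_len - IPV4_HEADER
    padded = math.ceil((body + ESP_TRAILER) / t.block) * t.block
    total = IPV4_HEADER + ESP_HEADER + t.iv_len + padded + t.icv_len
    return total + UDP_HEADER if t.nat_t else total


def nested_len(inner_len: int, layers_inner_to_outer: list[EspTransform]) -> list[int]:
    """Packet size after each successive encapsulation, innermost layer first."""
    sizes, cur = [], inner_len
    for t in layers_inner_to_outer:
        cur = esp_packet_len(cur, t)
        sizes.append(cur)
    return sizes


def max_inner_mtu(budget: int, layers_inner_to_outer: list[EspTransform]) -> int:
    """Largest IP packet that still fits `budget` bytes after all layers, unfragmented.

    Overhead is not linear because of block padding, so search downward
    instead of subtracting a fixed number of bytes per layer.
    """
    for size in range(budget, IPV4_HEADER, -1):
        if nested_len(size, layers_inner_to_outer)[-1] <= budget:
            return size
    raise ValueError(f"nothing fits in {budget} bytes through {len(layers_inner_to_outer)} layers")


def plan_inner_mtus(link_mtu: int, layers_inner_to_outer: list[EspTransform]) -> list[int]:
    """Largest packet each tunnel may accept, outermost layer first.

    Works inward from the link MTU: each layer's budget is the previous layer's
    inner MTU. The last value is the largest plaintext packet the end hosts may
    build; the one before it is the largest ESP packet their own tunnel may emit.
    """
    plan, budget = [], link_mtu
    for t in reversed(layers_inner_to_outer):
        budget = max_inner_mtu(budget, [t])
        plan.append(budget)
    return plan


if __name__ == "__main__":
    LINK_MTU = 1500                      # assumed Frame Relay link MTU between the routers
    layers = [LINUX_HOST, ASA, ROUTER]
    print("1500-byte NFS packet after each layer:", nested_len(1500, layers))
    plan = plan_inner_mtus(LINK_MTU, layers)
    for t, mtu in zip(reversed(layers), plan):
        print(f"{mtu:5d} bytes may enter: {t.name}")
    # Constructed peer address. The route MTU caps the ESP packet the Linux host
    # emits; the kernel's xfrm layer deducts its own ESP overhead for the flow.
    print(f"ip route add 192.0.2.20/32 dev eth0 mtu {plan[-2]}")
```

With the assumed transforms a 1500-byte NFS packet grows to 1544, 1608 and finally 1664 bytes, so it cannot cross a 1500-byte link without fragmentation at two of the three layers. Working inward, the router tunnel may accept 1446 bytes, the ASA tunnel 1374, and the Linux hosts' plaintext packets must stay at or below 1330 bytes. Since a route-specific `mtu` on Linux bounds the packet the host puts on the wire after its own ESP encapsulation, the value to use in `ip route` is the ASA-layer figure (1374 here), and the kernel shrinks the protected flow's packets accordingly.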

Author Comment

ID: 40541542
Just what I needed, many thanks.

Author Closing Comment

ID: 40541543
Good work.
