New Zealand ADSL Mailing List


ADSL VPNs - DDS to ADSL and Problems doing it...

From: Simon Watt-Wyness <simon_ww_at_eagle.co.nz>
Date: Mon, 8 Jan 2001 11:10:01 +1300
Message-ID: <FD971E82AD9ED541A47EA59CD683AF5A4C23@alexmail.etgnz.eagle.co.nz>

Hello all,
        I have been trying for a while to get an ADSL connection up and running with a VPN connection. I am using IKE and preshared keys between a Cisco 827 ADSL router and a Checkpoint box and, as an alternative, another Cisco router running IPSEC.

I can get the encrypted link to go but only with pings (ICMP). I have set up route maps that do not NAT when encryption is running between the two predefined networks but otherwise NAT all other traffic to the internet.

I thought it was MTU related, but varying the ping payload size up to 1400 bytes or more makes no difference. I see in the router debug that we get TCP segment resequences.

Here is a bit of debug...

*Mar 5 00:25:06.108: TCP: sending SYN, seq 216112696, ack 529856223
*Mar 5 00:25:06.112: TCP0: Connection to 192.168.250.1:2007, advertising MSS 536
*Mar 5 00:25:06.112: tcp0: O SYNRCVD 192.168.250.1:2007 192.168.200.250:23 seq 216112696
        OPTS 4 ACK 529856223 SYN WIN 4128
*Mar 5 00:25:09.352: tcp0: I SYNRCVD 192.168.250.1:2007 192.168.200.250:23 seq 529856222
        OPTS 4 SYN WIN 8192
*Mar 5 00:25:09.356: tcp0: O SYNRCVD 192.168.250.1:2007 192.168.200.250:23 seq 216112696
        ACK 529856223 WIN 4128
*Mar 5 00:25:09.360: TCP0: bad seg from 192.168.250.1 -- bad sequence number: seq 529856222 ack 0 rcvnxt 529856223 rcvwnd 4128
*Mar 5 00:25:12.116: tcp0: R SYNRCVD 192.168.250.1:2007 192.168.200.250:23 seq 216112696
        OPTS 4 ACK 529856223 SYN WIN 4128
*Mar 5 00:25:12.120: TCP0: timeout #1 - timeout is 12000 ms, seq 216112696

I have run the non-ADSL router back to back with the firewall and all is OK; that proves encryption etc. is OK.

The crux of the problem is when you VPN from a DDS connection at one end to ADSL at the other. I mentioned this to someone at Telecom and they say that there seems to be an inherent issue doing this. They say the TCP/UDP packets get "randomised" as they call it. They have seen it before but don't know what causes it!

They said to go on this site and see if anyone knows...

Does anybody know why this is? Or has anybody done what I am trying to do? I feel that a VPN should work between any type of WAN topology...

Thanks.

Simon.

> Simon Watt-Wyness
> Technical Consultant (Communications Specialist) CCNA / CCDA / NZCE
> Eagle Technology Group
> Email ID: simon_ww@eagle.co.nz
> Direct Dial +64-9-639-0648
> Phone: +64-9-639-0600
> Fax: +64-9-639-0620
> Mobile: (021) 991-445
> Address: Epsom Stand, Alexandra Park Racecourse (Yellow Bldg). Auckland. NZ.
> Postal: Private Bag 93211, Parnell. Auckland. NZ.
> URL: http://www.eagle.co.nz
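Added example, not part of Simon's post: a small Python script that parses the debug excerpt above and reports what the handshake itself shows. The regexes assume the Cisco TCP debug line layout seen in the post; the observations it prints (the far end re-sending its SYN because the router's SYN-ACK was not accepted, and the router retransmitting the SYN-ACK until it times out) are read straight from those lines.

```python
import re

# Debug lines copied from the post above (Cisco TCP debug output); the
# indented continuation lines have been joined onto their event line.
DEBUG = """\
*Mar 5 00:25:06.108: TCP: sending SYN, seq 216112696, ack 529856223
*Mar 5 00:25:06.112: TCP0: Connection to 192.168.250.1:2007, advertising MSS 536
*Mar 5 00:25:06.112: tcp0: O SYNRCVD 192.168.250.1:2007 192.168.200.250:23 seq 216112696 OPTS 4 ACK 529856223 SYN WIN 4128
*Mar 5 00:25:09.352: tcp0: I SYNRCVD 192.168.250.1:2007 192.168.200.250:23 seq 529856222 OPTS 4 SYN WIN 8192
*Mar 5 00:25:09.356: tcp0: O SYNRCVD 192.168.250.1:2007 192.168.200.250:23 seq 216112696 ACK 529856223 WIN 4128
*Mar 5 00:25:09.360: TCP0: bad seg from 192.168.250.1 -- bad sequence number: seq 529856222 ack 0 rcvnxt 529856223 rcvwnd 4128
*Mar 5 00:25:12.116: tcp0: R SYNRCVD 192.168.250.1:2007 192.168.200.250:23 seq 216112696 OPTS 4 ACK 529856223 SYN WIN 4128
*Mar 5 00:25:12.120: TCP0: timeout #1 - timeout is 12000 ms, seq 216112696
"""

# Event line: direction (I=in, O=out, R=retransmit), TCB state, seq, flags.
SEG = re.compile(r"tcp0: ([IOR]) (\S+) \S+ \S+ seq (\d+)(.*)")
BAD = re.compile(r"bad sequence number: seq (\d+) ack \d+ rcvnxt (\d+)")

def analyse(debug):
    """Count the handshake events in a Cisco TCP debug excerpt."""
    f = {"mss": None, "dup_syn": False, "synack_retransmits": 0, "timeouts": 0}
    for line in debug.splitlines():
        m = re.search(r"advertising MSS (\d+)", line)
        if m:
            f["mss"] = int(m.group(1))
        if "timeout #" in line:
            f["timeouts"] += 1
        m = BAD.search(line)
        # A rejected inbound segment sitting exactly one byte below rcvnxt while
        # the router holds a SYN-ACK is the peer's SYN arriving a second time.
        if m and int(m.group(2)) - int(m.group(1)) == 1:
            f["dup_syn"] = True
        m = SEG.search(line)
        if m:
            direction, flags = m.group(1), m.group(4)
            if direction == "R" and "SYN" in flags and "ACK" in flags:
                f["synack_retransmits"] += 1
    return f

def diagnose(f):
    """Turn the counters into plain-language observations."""
    notes = []
    if f["dup_syn"]:
        notes.append("far end re-sent its SYN: the router's SYN-ACK was not accepted")
    if f["synack_retransmits"] and f["timeouts"]:
        notes.append("router retransmitted its SYN-ACK and timed out before ESTAB")
    return notes
```

Running `diagnose(analyse(DEBUG))` on the post's excerpt yields both observations, so the tunnel carries the client's SYN in but the router's SYN-ACK is not getting through in the other direction.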


This message is part of the NZ ADSL mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
Received on Mon Jan 8 11:09:19 2001


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:07 2006 EST