Downloads |
Table Of Contents
Pre-Fragmentation for IPSec VPNs
Supported Standards, MIBs, and RFCs
Configuring Pre-Fragmentation For IPSec VPNs
Verifying Pre-Fragmentation For IPSec VPNs
Enabling Pre-Fragmentation For IPSec VPNs Example
crypto ipsec fragmentation (interface configuration)
Pre-Fragmentation for IPSec VPNs
Feature History
This feature module describes the Pre-fragmentation for IPSec VPNs feature in Cisco IOS Release 12.2(13)T and 12.2(14)S. It includes the following sections:
Feature Overview
When a packet is nearly the size of the maximum transmission unit (MTU) of the outbound link of the encrypting router, and it is encapsulated with IPSec headers, it is likely to exceed the MTU of the outbound link. This causes packet fragmentation after encryption, which makes the decrypting router reassemble in the process path. Pre-fragmentation for IPSec VPNs increases the decrypting router's performance by enabling it to operate in the high performance CEF path instead of the process path.
This feature allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the MTU of the output interface, the packet is fragmented before encryption. This function avoids process level reassembly before decryption and helps improve decryption performance and overall IPSec traffic throughput.
Note
The pre-fragmentation feature is turned off by default for tunnel interfaces. To receive pre-fragmentation performance benefits, turn pre-fragmentation on after insuring that the tunnel interfaces have the same MTU on both ends.
Benefits
Increased Performance
Delivers encryption throughput at maximum encryption hardware accelerator speeds. This performance increase is for near MTU-sized packets.
Uniform Fragmentation
Packets are fragmented into equally sized units to prevent further downstream fragmentation.
Interoperability
This feature is interoperable with all Cisco IOS platforms and a number of Cisco VPN clients.
Restrictions
Take the following information into consideration before this feature is configured:
•
•
•
•
Supported Platforms
12.2(14)S and higher
The Pre-fragmentation for IPSec VPN feature is supported on the following platforms:
•
•
12.2(13)T
The Pre-fragmentation for IPSec VPN feature is supported on all platforms using Cisco IOS Release 12.2(13)T or higher, including:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
12.1(11b)E
The Pre-fragmentation for IPSec VPN feature is supported on all platforms using Cisco IOS Release 12.1(11b)E or higher, including:
•
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
•
MIBs
•
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
•
Configuration Tasks
See the following sections for configuration tasks for the Pre-fragmentation for IPSec VPNs feature. Each task in the list is identified as either required or optional.
•
•
Configuring Pre-Fragmentation For IPSec VPNs
Pre-fragmentation for IPSec VPNs is globally enabled by default. To enable or disable pre-fragmentation for IPSec VPNs while in interface configuration mode, enter the commands in the following table. Use the no form of the commands to revert back to the default configuration, or use the commands themselves to enable configuration of the pre-fragmentation IPSec VPNs.
Note
Verifying Pre-Fragmentation For IPSec VPNs
To verify that this feature is enabled, consult the interface statistics on the encrypting router and the decrypting router. If fragmentation occurs on the encrypting router, and no reassembly occurs on the decrypting router, fragmentation is happening before encryption, and thus the packets are not being reassembled before decryption. This means that the feature is enabled.
Note
Step 1
Router# show running-configurationcrypto isakmp policy 10authentication pre-sharecrypto isakmp key abcd123 address 25.0.0.7!!crypto ipsec transform-set fooprime esp-3des esp-sha-hmac!crypto map bar 10 ipsec-isakmpset peer 25.0.0.7set transform-set fooprimematch address 102If the feature has been disabled, you will observe output similar to the following:
Router# show running-configurationcrypto isakmp policy 10authentication pre-sharecrypto isakmp key abcd123 address 25.0.0.7!!crypto ipsec transform-set fooprime esp-3des esp-sha-hmaccrypto ipsec fragmentation after-encryption!crypto map bar 10 ipsec-isakmpset peer 25.0.0.7set transform-set fooprimematch address 102Step 2
Router# show running-configuration interface fastethernet 0/0interface FastEthernet0/0ip address 25.0.0.6 255.0.0.0no ip mroute-cacheload-interval 30duplex fullspeed 100crypto map barIf the feature has been disabled, you will observe output similar to the following:
Router# show running-configuration interface fastethernet 0/0
interface FastEthernet0/0ip address 25.0.0.6 255.0.0.0no ip mroute-cacheload-interval 30duplex fullspeed 100crypto map barcrypto ipsec fragmentation after-encryption
Configuration Examples
This section provides the following configuration example:
•
Enabling Pre-Fragmentation For IPSec VPNs Example
The following configuration example shows how to configure the Pre-Fragmentation for IPSec VPNs feature:
Note
crypto isakmp policy 10authentication pre-sharecrypto isakmp key abcd123 address 25.0.0.7!!crypto ipsec transform-set fooprime esp-3des esp-sha-hmac!crypto map bar 10 ipsec-isakmpset peer 25.0.0.7set transform-set fooprimematch address 102Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•
crypto ipsec fragmentation
To enable pre-fragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on a global basis, use the crypto ipsec fragmentation command in global configuration mode. To disable a manually configured command, use the no form of this command.
crypto ipsec fragmentation {before-encryption | after-encryption}
no crypto ipsec fragmentation {before-encryption | after-encryption}
Syntax Description
before-encryption
Enables pre-fragmentation for IPSec VPNs.
after-encryption
Disables pre-fragmentation for IPSec VPNs.
Defaults
If no other pre-fragmentation for IPSec VPNs commands are in the configuration, the router will revert to the default global configuration.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the before-encryption keyword to enable pre-fragmentation for IPSec VPNs; use the after-encryption keyword to disable pre-fragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the MTU of output interface, the packet is fragmented before encryption.
Note
Examples
The following example shows how to globally enable pre-fragmentation for IPSec VPNs:
crypto ipsec fragmentation before-encryptioncrypto ipsec fragmentation (interface configuration)
To enable pre-fragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on an interface, use the crypto ipsec fragmentation command in interface configuration mode. To disable a manually configured command, use the no form of this command.
crypto ipsec fragmentation {before-encryption | after-encryption}
no crypto ipsec fragmentation {before-encryption | after-encryption}
Syntax Description
before-encryption
Enables pre-fragmentation for IPSec VPNs.
after-encryption
Disables pre-fragmentation for IPSec VPNs.
Defaults
If no other pre-fragmentation for IPSec VPNs commands are in the configuration, the router will revert to the default global configuration.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the before-encryption keyword to enable pre-fragmentation for IPSec VPNs per interface; use the after-encryption keyword to disable pre-fragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the MTU of output interface, the packet is fragmented before encryption.
Examples
The following example shows how to enable pre-fragmentation for IPSec VPNs on an interface and then how to display the output of the show running configuration command:
Note
Router(config-if)# crypto ipsec fragmentation before-encryptionRouter(config-if)# exitRouter# show running-configcrypto isakmp policy 10authentication pre-sharecrypto isakmp key abcd123 address 25.0.0.7!!crypto ipsec transform-set fooprime esp-3des esp-sha-hmac!crypto map bar 10 ipsec-isakmpset peer 25.0.0.7set transform-set fooprimematch address 102
