Environment:
- GateWay Core Software 1.4.2 or greater
- VPN
Description:
This article outlines some recommended settings for using a VPN connection behind a GateWay. If these settings are not used then the network connection may be slower than expected.
Additional Information:
OpenVPN
Anti-replay protection window
The default value of 64 packets is too small for the speed of modern networks combined with blending. In both the server and client config files, add the setting:
replay-window 2048
This value may need to be further increased – it can be calibrated by starting the OpenVPN client and server with the setting verb 4 to increase logging verbosity. Use the VPN as normal (generate traffic from the applications), and it will log the following line each time the sequence number backtrack increases:
Replay-window backtrack occurred [n]
The value shown for ‘n’ is the largest value seen so far. If it consistently shows a value larger than 2048, the “replay-window” setting should be increased to a value greater than ‘n’.
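As an added example that is not part of this article, the log check described above can be automated: the script below scans OpenVPN "verb 4" output for the backtrack line, reports the largest 'n' seen, and suggests a replay-window value above it. The log lines are constructed sample data, and rounding the suggested value up to a power of two is this example's own choice.

```python
import re

# Constructed sample of OpenVPN log output at "verb 4"; these lines are
# made up for this example, not captured from a real GateWay deployment.
SAMPLE_LOG = """\
Mon Jan  1 10:00:01 2024 us=123 TUN/TAP device tun0 opened
Mon Jan  1 10:00:07 2024 us=456 Replay-window backtrack occurred [512]
Mon Jan  1 10:00:09 2024 us=789 Replay-window backtrack occurred [1700]
Mon Jan  1 10:00:12 2024 us=101 Replay-window backtrack occurred [2300]
Mon Jan  1 10:00:15 2024 us=112 Replay-window backtrack occurred [1900]
"""

# Matches the line OpenVPN logs each time the sequence-number backtrack grows.
BACKTRACK_RE = re.compile(r"Replay-window backtrack occurred \[(\d+)\]")


def max_backtrack(log_text):
    """Return the largest backtrack value 'n' seen in the log, or 0 if none."""
    values = [int(m.group(1)) for m in BACKTRACK_RE.finditer(log_text)]
    return max(values, default=0)


def recommended_replay_window(log_text, current=2048):
    """Return the replay-window to configure.

    Keeps `current` when every observed backtrack fits inside it; otherwise
    returns a strictly larger value, as the article requires. Doubling until
    the value exceeds 'n' is an assumption of this example, not a rule from
    the article.
    """
    n = max_backtrack(log_text)
    if n < current:
        return current
    window = current
    while window <= n:
        window *= 2
    return window


if __name__ == "__main__":
    print(f"largest backtrack seen: {max_backtrack(SAMPLE_LOG)}")
    print(f"replay-window {recommended_replay_window(SAMPLE_LOG)}")
```

Feed the real client and server logs to the two functions (the larger of the two results is the value to configure on both sides).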
Do not use the “fragment” option
OpenVPN has an optional fragment setting that splits packets larger than the configured size into smaller fragments before transmission, with the peer reassembling them. The algorithm for fragment reassembly is very similar to the anti-replay protection algorithm.
However, unlike the “replay-window”, the fragment reassembly window size cannot be configured. It is hardcoded at a value of 25 packets. So in order to achieve good performance, the fragment option should not be used.
To disable it, remove it from both the client and server OpenVPN config files, or explicitly disable with:
fragment 0
GateWay software 1.4.2 or greater will internally fragment packets that are too large for the MTU. It can be relied on instead of the OpenVPN feature.
Cisco IPSec
Anti-replay protection window
The default value of 64 packets is too small for the speed of modern networks combined with blending.
The instructions to increase the anti-replay window size, or completely disable anti-replay protection are documented here.
Cisco recommends increasing the value to 1024 (the maximum that modern IOS software allows – some older versions are limited to 512).
Cisco also has some diagnostic tips for confirming whether or not anti-replay drops are still occurring. Details can be found here.
If they still occur, completely disabling anti-replay protection is an option to consider (steps are in the above links).