The joys and pains of a VPN

After many years of securing each service, i.e. email, web site, etc. for my servers and servers I managed, I came to realize that the only way to secure a company with more than 1 server is with a VPN. Now that I’ve used a VPN for about a week, I’m extremely happy with it. This will allow us to stop maintaining the firewall on 7 separate servers! My IT coordinator has done an amazing job at getting it running and when he was stuck, he called in a pro (knowing when to say that you don’t know something scores points in my book).

This week, we were trying to connect our San Diego office to our main Minneapolis office. This proved to be much harder than it should have been. We have Cisco routers on both ends and used the EZVPN in the router to establish the connection; turns out it wasn’t very easy. We had it working yesterday, but when I took it into the office, it failed to work. I took another stab at it today. After lots and lots of Google searching, I stumbled across some information about MTUs and made a few changes that amazingly got the VPN working flawlessly! The problem was that I could make connections that only sent a little data, but SSH connections and full web pages over the VPN failed.

The following are changes I had to make to the Cisco 871 on the remote side:

crypto isakmp keepalive 10 periodic

For the Vlan and Ethernet interfaces, I set:

 ip mtu 1400

and on the Vlan1 interface, I set:

 ip tcp adjust-mss 1200

(The last bit was the key.)
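The reason the MTU and MSS changes fix the "small requests work, SSH and full web pages hang" symptom is that ESP tunnel mode adds headers to every packet, so a full-size 1500-byte inner packet no longer fits in a 1500-byte link and either gets fragmented or silently dropped. The following is an added example, not part of the original post or Cisco's code, that models that overhead so you can check whether a given `ip mtu` / `ip tcp adjust-mss` pair is safe. It assumes a common transform set (ESP in tunnel mode, AES-CBC with a 16-byte IV, HMAC-SHA1-96 ICV) and optional NAT-T UDP encapsulation; if your tunnel uses a different cipher or integrity algorithm, change the constants.

```python
import math

# Header sizes assumed for a typical IPsec/ESP tunnel-mode SA
# (AES-CBC + HMAC-SHA1-96). These are assumptions for the model, not
# values taken from the post; adjust them to match your transform set.
OUTER_IPV4_HEADER = 20    # outer IP header added in tunnel mode
ESP_HEADER = 8            # SPI (4 bytes) + sequence number (4 bytes)
AES_CBC_IV = 16           # per-packet IV for AES-CBC
AES_BLOCK = 16            # payload is padded to the cipher block size
ESP_TRAILER = 2           # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12     # truncated integrity check value
NAT_T_UDP_HEADER = 8      # extra UDP/4500 header when NAT traversal is in use
IP_PLUS_TCP_HEADERS = 40  # minimum IPv4 (20) + TCP (20), no options


def encapsulated_size(inner_len, nat_t=False, iv_len=AES_CBC_IV,
                      block=AES_BLOCK, icv_len=HMAC_SHA1_96_ICV):
    """Bytes on the wire for an inner packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = OUTER_IPV4_HEADER + ESP_HEADER + iv_len + padded + icv_len
    if nat_t:
        size += NAT_T_UDP_HEADER
    return size


def max_inner_mtu(outer_mtu=1500, **kw):
    """Largest inner packet that still fits in outer_mtu without fragmenting the ESP packet."""
    for inner in range(outer_mtu, 0, -1):
        if encapsulated_size(inner, **kw) <= outer_mtu:
            return inner
    return 0


def safe_mss(inner_mtu):
    """MSS that keeps a full TCP segment within inner_mtu (no IP/TCP options)."""
    return inner_mtu - IP_PLUS_TCP_HEADERS


def adjust_mss(syn_mss, clamp):
    """Model of 'ip tcp adjust-mss <clamp>': the router rewrites a SYN's MSS option only when it is larger than the clamp."""
    return min(syn_mss, clamp)


def check_config(ip_mtu, tcp_mss, outer_mtu=1500, nat_t=False):
    """Return (fits, wire_size) for the largest TCP packet a clamped host will send through the tunnel."""
    segment = tcp_mss + IP_PLUS_TCP_HEADERS
    wire = encapsulated_size(min(segment, ip_mtu), nat_t=nat_t)
    return wire <= outer_mtu, wire


if __name__ == "__main__":
    # Default settings (MTU 1500, MSS 1460) versus the post's settings (1400 / 1200).
    print("max inner MTU, no NAT-T :", max_inner_mtu())
    print("max inner MTU, NAT-T    :", max_inner_mtu(nat_t=True))
    print("defaults 1500/1460 fit? :", check_config(1500, 1460))
    print("post's   1400/1200 fit? :", check_config(1400, 1200))
```

With the defaults a full-size segment grows past 1500 bytes after encapsulation, which is exactly the "small packets work, bulk transfers stall" behaviour described above; 1400/1200 leaves comfortable headroom even with NAT-T. If the model says your settings fit but transfers still hang, look for an intermediate hop with a smaller MTU or one that drops the ICMP "fragmentation needed" messages that path MTU discovery relies on.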

I’m tempted to get Cisco certified, but I’d probably pull my hair out if I encountered a problem like this again.
