IPSec and packet loss

For those of you which configuring IPSec and have packet loss in transit… Perhaps this configuration could help :

crypto ipsec client ezvpn REGISBTP
 connect auto
 group VPN-CLIENT2 key jsdfxkqwpoe
 local-address FastEthernet0
 mode network-extension
 peer 22.22.22.22
 username ipsec1@client2.vpn password jsdfxkqwpoe
 xauth userid mode local

interface FastEthernet0
 ip address 192.168.1.36 255.255.255.0
 ip mtu 1460
 no ip route-cache cef
 ip tcp adjust-mss 1420
 duplex auto
 speed auto
 crypto ipsec client ezvpn CLIENT2
!         

interface Vlan1
 ip address 10.20.0.1 255.255.255.0
 ip mtu 1460
 ip virtual-reassembly
 ip tcp adjust-mss 1420
 crypto ipsec client ezvpn CLIENT2 inside
!         
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254

The really interesting command (which resolves packet loss) is :

no ip route-cache cef

Ok, now you use FastSwitching and use more CPU, but the service is now OK agains 50% packet loss…

You could read :

• http://cisco.com/en/US/customer/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
• http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfipsec.html