cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

186
Views
0
Helpful
0
Replies
Highlighted
Enthusiast

Is DF bit copied to the outside header in the GRE over IPsec with ESP transport mode?

I always have an impression that, with the default config, the original IP header's DF bit is not copied over to the GRE IP header. Is it not correct? The IPSec ESP transport mode should not change it either because it just re-uses the GRE IP headers. Let me know if my understanding is correct or not.

In my environment with DMVPN setup with ASR and ISR, however, I see that the DF bit is being copied to the outer header. I have confirmed that I don't have "tunnel path-mtu-discovery" on the tunnel interface. I also don't have "crypto ipsec df-bit copy" configured, even though I know that it is only for the tunnel mode. 

Any explanation? 

Thanks

Difan

Everyone's tags (1)