10-13-2010 09:38 PM
Hi,
I tried to ping with mtu size 1400 via VPN tunnel but failed.
Kim#ping 192.168.2.1 df size 1400
Sending 5, 1400-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
May I know why this is so, and how will it affect my system if MTU fails at 1400?
My tunnel mtu is set to 1400
sh crypto ipsec sa:
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
Thank you
10-13-2010 09:54 PM
After the ping packet is being encrypted, it will add extra header to the packet, hence, ping with packet size of 1400 fails.
From that, the IP MTU is 1452, and IPSec encryption normally adds about 56 bytes to the packet header, hence it fails. If you have GRE over IPSec tunnel, then it would add a little bit more for the GRE header.
Here is an article for your reference on IPSec packet size and issues:
http://www.networkworld.com/subnets/cisco/1114-ch4-ipsec-vpn.html?page=8
Hope that helps.
01-09-2011 04:36 PM
Hi again,
I was trying to calculate the overheads for ESP-AES-256 esp-sha-hmac with tunnel mode. Below is my understanding:
20 (tunnel) + 8 (ESP headers) + 16 (IV) + 2 (trailer) + 32 (SHA) = 78 bytes
AES padding for 1400 bytes = 0 (43 blocks of 32 bytes)
Total overheads = 78 bytes (May I know if my understanding is correct?)
Thus, I should set my MTU size to 1322?
What command can I use to check the packet size sent and received on the router?
Thank you in-advance! : )
01-09-2011 04:43 PM
That's more or less correct...
You do not want to change the IP MTU on an interface from default, what you would like to change is the TCP MSS to 1322 on the inside interface/LAN interface of your router. It will negotiate a lower MSS value during TCP negotiation, so when the TCP packet is encrypted into ESP or GRE/ESP packet, it passes through the interface MTU of (typically 1500 bytes) just fine.
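As an added example (not from this thread or from Cisco), the script below applies the standard ESP tunnel-mode sizes from RFC 4303, RFC 3602 and RFC 2404 (8-byte ESP header, 16-byte AES-CBC IV and block size, 2-byte trailer, 12-byte truncated HMAC-SHA1 ICV, 20-byte outer IP header) to the overhead calculation in the question above and to the MSS advice in this reply: it computes the encrypted size of a given clear-text datagram, the largest clear-text datagram that still fits a path MTU, and the TCP MSS to go with it. Whether GRE or NAT-T encapsulation is in use, which the thread does not state, changes the result, so both are parameters with assumed sizes.

```python
"""ESP tunnel-mode overhead calculator (illustrative, not Cisco code).

Header sizes follow RFC 4303 (ESP), RFC 3602 (AES-CBC) and RFC 2404
(HMAC-SHA1-96). GRE and NAT-T sizes are assumed for the optional cases.
"""

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
NAT_T_UDP_HDR = 8   # UDP header when NAT traversal is negotiated
GRE_OVERHEAD = 24   # IP (20) + GRE (4) for GRE over IPsec

# Per-cipher values: (IV length, cipher block size) in bytes
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
# ICV lengths as carried in ESP (truncated HMACs)
INTEGRITY = {"sha1-hmac": 12, "md5-hmac": 12, "sha256-hmac": 16}


def esp_packet_size(inner_len, cipher="aes-cbc", integ="sha1-hmac",
                    gre=False, nat_t=False):
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner
    IP datagram of inner_len bytes (IOS ping 'size' is this datagram)."""
    iv_len, block = CIPHERS[cipher]
    if gre:
        inner_len += GRE_OVERHEAD
    # Plaintext = inner packet + ESP trailer, padded up to the block size.
    plaintext = inner_len + ESP_TRAILER
    padding = (-plaintext) % block
    size = OUTER_IP_HDR + ESP_HDR + iv_len + plaintext + padding + INTEGRITY[integ]
    if nat_t:
        size += NAT_T_UDP_HDR
    return size


def max_clear_text(path_mtu, **kw):
    """Largest inner datagram that fits path_mtu after ESP encapsulation."""
    n = path_mtu
    while esp_packet_size(n, **kw) > path_mtu:
        n -= 1
    return n


def tcp_mss_for(path_mtu, **kw):
    """TCP MSS to advertise so encrypted segments never need fragmenting
    (inner datagram minus 20-byte IP and 20-byte TCP headers)."""
    return max_clear_text(path_mtu, **kw) - 40


if __name__ == "__main__":
    for size in (1379, 1380, 1400):
        print(size, "byte ping ->", esp_packet_size(size), "bytes on the wire")
    print("max clear text at path MTU 1452:", max_clear_text(1452))
    print("TCP MSS to set on the LAN interface:", tcp_mss_for(1452))
```

Because AES-CBC pads to 16-byte blocks, the overhead is not a single constant: the encrypted size only grows in 16-byte steps, which is why the ping test in the thread finds a sharp cut-off.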
01-09-2011 04:47 PM
Thank you so much for the prompt reply (as always) ; )
01-09-2011 06:31 PM
Sorry, another question to seek your advice:
I failed to ping with df size 1380 but was successful with size 1379, with 5 encrypted packets sent.
Any idea how to determine the actual encrypted packet size? or anyway to know the exact overheads. I cannot use wireshark as my router is connected directly to ISP gateway.
Thank you
01-09-2011 06:46 PM
Typically, that is how you would determine the biggest clear-text packet you can send through the tunnel before it gets encrypted, i.e. by doing an extended ping with different packet sizes, like what you have performed with the DF bit set.
I can't tell you exactly how many bytes the overheads are, however, the ping test that you have performed is normally how you would determine that.
You can also perform packet capture on the router itself to see what is the packet before it is being sent out the interface:
01-26-2023 04:19 AM
Hi Jennifer,
There is a time and place where you would lower the MTU on the interface. The MSS you are referencing is only for TCP and that's only one portion of IP packets. There are lots of UDP packets out there which needlessly are fragmented.
So, absolutely lower the MTU for UDP packets. MSS is only for TCP.
On a Windows box do the following:
ping -f -l 1500 x.x.x.x
Keep lowering the value of 1500 till you don't get the message
Packet needs to be fragmented but DF set.
Then do the following math: Final MTU = x value (you get from ping -f -l) PLUS 8 bytes ICMP header PLUS 20 bytes IP header