I have heavy fragmentation with this configuration, and because of this, remote sites cannot receive a good VPN bandwidth.
2821 is headquarters router and 1721 remote vpn site.
1721 has a vpn module.
What can I do?
That link is OK - let's do some math:-
IP Header - 20 Bytes
TCP Header - 20 Bytes
IPSEC Header - 56 Bytes
Standard LAN NIC MTU = 1500. When a tcp syn connection is started - the TCP stack will do the following:-
So the NIC MTU = 1500, take away 20 bytes for the IP header, take away 20 bytes for the TCP header - advertise a MSS of 1460.
When you have PMTUD enabled (enabled by default on ALL Microsoft OS) ALL packets have the DF bit set.
So you negotiate a TCP session, to 1460 with the DF bit set, the packets arrive at the firewall/VPN device ready for encryption...
but the device needs to add 56 bytes of encryption to the packet.....1460 + 56 = 1516, but the interface MTU is 1500 right! ooops!
If you start using a ping with the DF bit set - it's misleading as an ICMP packet is 20 bytes, with IP info - so the MTU reported will be 1480! not what you are looking for.
So to be safe I always do the following:-
20 Bytes for IP header
20 Bytes for TCP header
28 Bytes for GRE encapsulation (if I want to use Dynamic routing protocols over VPN)
56 Bytes for IPSEC
So far = 1356.
I always calculate an extra if I am dealing with VOIP:-
12 Bytes for RTP
All totaled = 1344
I also allow for "fudge" so I use 1300 bytes as the MSS value.....works extremely well for me.