I have a question. I have a Cisco 2821 router running GRE over IPsec that points to another Cisco 2821 with the same configuration. I see so much fragmentation in "show ip traffic". I then read the Cisco document "http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t3", but there are some points I cannot understand, as follows:
1. If I don't set the command "tunnel path-mtu-discovery" on the tunnel interface, the tunnel0 interface will not perform PMTUD, as it clears the DF bit after encapsulating the packets and then sends them to IPsec for encryption. This is the current configuration of my router. But why can I also see ICMP unreachable (type 3, code 4) sent by this router to my hosts in the LAN? Does the tunnel0 interface still send ICMP unreachable to hosts that send packets with DF bit 1 even though "tunnel path-mtu-discovery" is not enabled?
2. After reading the Cisco document mentioned above, I decided to set "ip tcp adjust-mss 1360" on the Ethernet interface that points to my LAN, in order to tell the hosts to send an MSS that fits the IPsec packet size, and to set "tunnel path-mtu-discovery" to let the tunnel0 interface set DF bit 1 in the IP header of the newly encapsulated GRE packets so that IPsec will not fragment those GRE packets. Is this decision right?
The IPsec crypto map is applied to one of the Gigabit Ethernet interfaces of the 2821. The other, Gi0/1, is for the LAN. There is one tunnel0 interface. Loopback0's IP is the tunnel source.
MTU 1476 in "show ip int tunnel0"
MTU 1514 in "show int tunnel0" and "show int loopback0"
MTU 1500 in "show int gi0/1" and "show int gi0/0"
Path MTU 1500 in "show crypto ipsec sa" (Gi0/1 has a crypto map pointing to the other Cisco 2821)
Could anybody answer my questions?
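As an added, constructed example (not part of the original post or of Cisco's documentation), the Python calculator below traces a full-size TCP segment through the two encapsulation stages in the question (tunnel0 GRE encapsulation against the 1476-byte tunnel IP MTU, then the crypto map against the 1500-byte path MTU) and reports at which stage it would fragment and the largest MSS that avoids both. The ESP transform set (AES-CBC, HMAC-SHA1-96, tunnel mode) and the plain 4-byte GRE header are assumptions, since the post does not state them.

```python
import math
from dataclasses import dataclass

# Header sizes in bytes (IPv4 without options)
IP_HDR, TCP_HDR = 20, 20
GRE_HDR = 4          # plain GRE; add 4 bytes each for key and sequence options
ESP_SPI_SEQ = 8      # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header

@dataclass(frozen=True)
class EspParams:
    """Transform-set assumptions (the post does not state its transform set)."""
    iv_len: int = 16          # AES-CBC IV
    block: int = 16           # AES block size (8 for 3DES)
    icv_len: int = 12         # HMAC-SHA1-96 ICV
    tunnel_mode: bool = True  # tunnel mode adds a new outer IP header

def esp_size(gre_packet: int, p: EspParams = EspParams()) -> int:
    """Wire size of a GRE packet once ESP-protected."""
    # Tunnel mode encrypts the whole GRE/IP packet; transport mode reuses its IP header
    protected = gre_packet if p.tunnel_mode else gre_packet - IP_HDR
    padded = math.ceil((protected + ESP_TRAILER) / p.block) * p.block
    return IP_HDR + ESP_SPI_SEQ + p.iv_len + padded + p.icv_len

def analyse(mss: int, tunnel_ip_mtu: int = 1476, path_mtu: int = 1500,
            p: EspParams = EspParams()) -> dict:
    """Trace a full-size TCP segment from the LAN through GRE and then IPsec."""
    inner = IP_HDR + TCP_HDR + mss   # packet as the LAN host sends it
    gre = IP_HDR + GRE_HDR + inner   # after tunnel0 encapsulation
    esp = esp_size(gre, p)           # after the crypto map
    return {
        "inner_packet": inner, "gre_packet": gre, "esp_packet": esp,
        # tunnel0 fragments the inner packet (DF=0) or answers with ICMP type 3
        # code 4 (DF=1) when it exceeds the tunnel IP MTU ("show ip int tunnel0")
        "gre_fragments": inner > tunnel_ip_mtu,
        # IPsec fragments the ESP packet when it exceeds the SA's path MTU
        "ipsec_fragments": esp > path_mtu,
    }

def max_mss(tunnel_ip_mtu: int = 1476, path_mtu: int = 1500,
            p: EspParams = EspParams()) -> int:
    """Largest MSS that avoids fragmentation at both stages."""
    for mss in range(1460, 0, -1):   # 1460 = 1500-byte Ethernet MTU minus IP/TCP
        r = analyse(mss, tunnel_ip_mtu, path_mtu, p)
        if not (r["gre_fragments"] or r["ipsec_fragments"]):
            return mss
    return 0

if __name__ == "__main__":
    print({m: analyse(m) for m in (1460, 1436, 1360)}, "max MSS:", max_mss())
```

With these assumptions a 1360-byte MSS yields a 1496-byte ESP packet, so it passes both stages, while the default 1460 already exceeds the tunnel IP MTU and 1436 fits the tunnel but is fragmented after encryption.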