MTU & MSS adjust on GRE over IPsec over HSPA network

Answered Question
Jan 20th, 2010

We need to figure out what's the best config for a VPN network running on the latest Bell Canada HSPA cellular network. Technical folks at Bell told us the best MTU to use over their HSPA network is 1476.

Correct me if I'm wrong:

HSPA ISP's recommended MTU - IPsec payload - GRE payload = what we need to configure on our MSS adjust commands and on the Tunnel Interface.

That would be 1476 (HSPA) - 58 (IPsec) - 24 (GRE) = 1394

On our Ethernet interface facing the HSPA modem: MTU should be 1476

On our Tunnel & MSS-adjust command: 1394

Does it make any sense?

Thanks !

Correct Answer by Laurent Aubert about 6 years 8 months ago

Laurent Aubert Wed, 01/20/2010 - 18:36

Hi Nicolas,

TCP MSS doesn't include IP and TCP header so you should remove 40B from your result. 1394 is actually the IP MTU of your original packet.



nicolas.bedard Thu, 01/21/2010 - 05:33

Therefore my settings will be

Fast Ethernet MTU connecting to HSPA modem: 1476

GRE Tunnel MTU: 1394

MSS adjust on Tunnel Interface: 1354

Am I right?

Borman Bravo Thu, 01/21/2010 - 12:11

IP Header - 20 Bytes
TCP Header - 20 Bytes
IPSEC Header - 56 Bytes

Standard LAN NIC MTU = 1500. When a tcp syn connection is started - the TCP stack will do the following:-

So the NIC MTU = 1500, take away 20 bytes for the TCP header, advertise a MSS of 1460.

When you have PMTUD enabled (enabled by default on ALL Microsoft OS) ALL packets have the DF bit set.

So you negotiate a TCP session, to 1460 with the DF bit set, the packets arrive at the firewall/VPN device ready for encryption...
but the device needs to add 56 bytes of encryption to the packet.....1460 + 56 = 1516, but the interface MTU is 1500 right! ooops!

If you start using a ping with the DF bit set - it's misleading as an ICMP packet is 20 bytes, with IP info - so the MTU reported will be 1480! not what you are looking for.

So to be safe I always do the following:-

20 Bytes for IP header
20 Bytes for TCP header
28 Bytes for GRE encapsulation
56 Bytes for IPSEC
So far = 1356.

I always calculate an extra if I am dealing with VOIP:-

12 Bytes for RTP

All totaled = 1344

I also allow for "fudge" so I use 1300 bytes as the MSS value.....works extremely well for me.

jeremyneedle Sat, 08/07/2010 - 12:28

Some minor corrections:

Actually VoIP uses UDP, which is 8 bytes. That plus the 12 bytes for RTP = 20.

Additionally GRE headers are 4 bytes, plus the new IP header of 20 bytes. Thus totalling 24 bytes [not 28].

Other than that, Bravo's suggestion looks pretty good.
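The overhead arithmetic that runs through this thread (Nicolas's 1476-byte HSPA link with 58 bytes of IPsec and 24 bytes of GRE, Laurent's point that MSS excludes the inner IP and TCP headers, Borman Bravo's stock-Ethernet "oops" case and jeremyneedle's UDP/RTP and GRE corrections) collected into one small calculator. This is an added example, not code from any poster; the per-layer byte counts are the figures posted in the thread and are assumptions, since real IPsec overhead depends on cipher, mode and padding.

```python
# Added example (not from the thread): MTU/MSS budget calculator for
# GRE over IPsec. Per-layer overheads are the thread's figures and are
# assumptions: real IPsec overhead varies with cipher, mode and padding.

IP_HEADER = 20        # inner IPv4 header
TCP_HEADER = 20       # TCP header without options
UDP_HEADER = 8        # VoIP rides on UDP (jeremyneedle's correction)
RTP_HEADER = 12
GRE_OVERHEAD = 24     # 4-byte GRE header + 20-byte outer IP header (jeremyneedle's figure)
IPSEC_HSPA = 58       # IPsec overhead used in the original question
IPSEC_BRAVO = 56      # IPsec overhead used in Borman Bravo's post


def tunnel_ip_mtu(link_mtu, *overheads):
    """IP MTU the tunnel interface can carry: the link MTU minus every
    encapsulation layer wrapped around the inner packet."""
    mtu = link_mtu - sum(overheads)
    if mtu <= 0:
        raise ValueError("encapsulation overhead exceeds link MTU")
    return mtu


def tcp_mss(ip_mtu):
    """TCP MSS for a given IP MTU. MSS counts payload only, so the inner
    IP and TCP headers come off (Laurent's correction)."""
    return ip_mtu - IP_HEADER - TCP_HEADER


def max_rtp_payload(ip_mtu):
    """Largest RTP payload per packet: VoIP is UDP + RTP, not TCP."""
    return ip_mtu - IP_HEADER - UDP_HEADER - RTP_HEADER


def segment_fits(link_mtu, mss, *overheads):
    """Does a full-size TCP segment survive encapsulation without exceeding
    the link MTU? With DF set, False here means the encrypted packet is
    dropped and the session depends on PMTUD working end to end."""
    on_the_wire = mss + IP_HEADER + TCP_HEADER + sum(overheads)
    return on_the_wire <= link_mtu


def budget(link_mtu, *overheads):
    """Full plan for one link: tunnel IP MTU, TCP MSS and RTP payload."""
    mtu = tunnel_ip_mtu(link_mtu, *overheads)
    return {
        "link_mtu": link_mtu,
        "tunnel_ip_mtu": mtu,
        "tcp_mss": tcp_mss(mtu),
        "max_rtp_payload": max_rtp_payload(mtu),
    }


if __name__ == "__main__":
    # Nicolas's HSPA link as posted: 1476 link, 58 IPsec, 24 GRE.
    print("HSPA:", budget(1476, IPSEC_HSPA, GRE_OVERHEAD))        # tunnel 1394, MSS 1354
    # Borman's stock Ethernet link with jeremyneedle's 24-byte GRE figure.
    print("Ethernet:", budget(1500, IPSEC_BRAVO, GRE_OVERHEAD))   # tunnel 1420, MSS 1380
    # The "ooops" case: the default 1460 MSS plus 56 bytes of IPsec no longer
    # fits a 1500-byte link, even before GRE is counted.
    print("1460 MSS fits 1500 link after IPsec?", segment_fits(1500, 1460, IPSEC_BRAVO))  # False
```

`tunnel_ip_mtu` is the number for the tunnel interface's IP MTU and `tcp_mss` the number for the MSS-adjust setting; `segment_fits` is the check to run before trusting a value, since a segment that overflows the link with DF set is silently dropped unless PMTUD is allowed to work through every firewall on the path.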

thet.thet Mon, 10/11/2010 - 10:38


I'm having a similar problem, an NHRP problem.

Our network was using a 1720 router before and it worked fine.

Then we swapped to the 1841 series.

The Sybase database replication is not going through anymore.

We do replication every day; it suddenly happened when we swapped the router

at the head office.

We have the VPN tunnel to the remote location.

The strange thing is that client/server database replication works well on the same network.

It just doesn't go through to a different network at the remote location over the VPN NHRP tunnel.

Any ideas please?