I have some questions about the best strategy for MSS / MTU definition and PMTUD activation.
What I read:
Resolve IP Fragmentation, MTU, MSS, PMTUD Issues with GRE and IPSEC.pdf (I read this one twice)
MTU, TCP MSS, PMTUD MSS Adjust.doc
MTU Tuning for L2TP.pdf
Adjusting IP MTU, TCP MSS, and PMTUD on Windows Systems.pdf
Path MTU Discovery in Windows.mht
Step-by-step instructions for tuning TCP under Windows XP.mht
The idea is clear to me; the first source is a full ABC for the issue, but I still have some questions.
1. When using GRE+IPSec tunnels in what order are the following procedures done: fragmentation / encapsulation / encryption?
2. If I have DMVPN (GRE + IPSec) tunnels with my branches and I also have ACL (for incoming traffic) on the head office router WAN interface, which permits isakmp, esp and icmp traffic from the branch router only, and I enable PMTUD together with ip unreachables on that interface, what should I add in the ACL for PMTUD function to work normally? I mean should I add a filter to permit ICMP packets from the next hop? Or should I permit ICMP from any hop?
3. As I understand it, in the case of GRE + IPSec (obviously transport mode), which works over an ADSL line, we have MSS = 1500 - 24 (GRE) - 38 (IPSec transport mode) - 20 (IP) - 20 (TCP) - 8 (for DSL) = 1390. Is this correct?
4. How do I check the real max MTU between two Cisco routers connected via VPN (GRE + IPSec)?
I know I can use "ping -f" but, AFAIK, GRE will encapsulate the original packet and coolly fragment it, so I will not see the real max MTU (according to my calcs it would be ~1438).
And my main question:
I have DM-VPN (as I understand it means GRE + IPSec in transport mode?) with my local regional branches.
My target is:
- to provide the best performance of the connections between hosts in the head office and each branch
- not to touch host settings
- provide invisibility for my routers in public networks.
(AFAIK, the latter means ACLs on our routers' WAN interfaces for incoming traffic denying everything except traffic from the WAN interface of our other respective router, plus "no ip unreachables". Am I right?)
Now what we have by default:
- in the offices we have Ethernet networks and Windows-based PCs, which have PMTUD enabled, MTU = 1500, ICMP unreachables enabled. => All is ready for PMTUD (possibly except personal firewalls, which could block ICMP packets from a router and thus prevent PMTUD from functioning properly)
- on the office Cisco routers: PMTUD is disabled by default, MTU on physical interfaces = 1500, on GRE tunnel = 1476, and we are turning off ip unreachables on WAN interfaces (to provide invisibility).
Now, what is the best strategy?
for our routers' LAN interfaces:
- set "ip tcp adjust-mss 1390"
- enable PMTUD and make sure "ip unreachables" option is activated (AFAIK, it is by default)
- leave MTU by default
for WAN interfaces:
- do nothing (which means PMTUD is disabled, MSS and MTU by default)
for tunnel interfaces:
- do nothing.
Please help me to clarify the question, because I cannot handle the information I read; I am feeling giddy...
P.S. Why am I thinking of PMTUD together with MSS adjustment? Because MSS works for TCP traffic only...
The answer to the recent question is straightforward. The sending of the unreachable (fragmentation required but DF set) is a standard behavior. This is used by PMTUD, but its operation is quite independent of whether PMTUD is enabled or not.
(and in fact no one other than the local router knows whether PMTUD is enabled or not)
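A constructed worked example, not code from this thread, that puts question 3's overhead budget and the answer's "fragmentation required but DF set" behaviour into one model. It assumes the overhead figures quoted in the question (GRE 24, IPsec transport 38, DSL 8, IP 20, TCP 20) and a 1500-byte physical MTU; the real ESP overhead depends on the cipher and padding, so treat 38 as the thread's figure, not a general constant.

```python
# Constructed example (not from the thread): the MTU/MSS budget from question 3
# and the router's "fragmentation needed but DF set" decision from the answer.
# Every overhead figure below is the one quoted in the question; adjust them
# if your cipher suite or link layer adds a different amount.

IP_HDR = 20
TCP_HDR = 20
GRE = 24               # outer IP + GRE header; 1500 - 24 = 1476 as in the question
IPSEC_TRANSPORT = 38   # ESP transport-mode figure quoted in the question
DSL = 8                # per-packet overhead on the DSL link quoted in the question


def tunnel_mtu(physical_mtu, layers):
    """Largest inner IP packet that still fits after every listed layer is added."""
    return physical_mtu - sum(layers)


def tcp_mss(path_mtu):
    """MSS a host should use for a given path MTU (IP and TCP headers removed)."""
    return path_mtu - IP_HDR - TCP_HDR


def on_wire_size(tcp_payload, layers):
    """Outer packet size of a TCP segment once each encapsulation layer is added."""
    return IP_HDR + TCP_HDR + tcp_payload + sum(layers)


def router_decision(inner_len, df, physical_mtu, layers):
    """What the encapsulating router does with one inner IP packet.

    Returns (action, usable_mtu). 'icmp-frag-needed' models the ICMP unreachable
    (type 3, code 4) carrying the MTU the sender may use. As the answer says, it
    is sent whenever DF is set and the packet does not fit; it does not depend
    on PMTUD being enabled on the router.
    """
    limit = tunnel_mtu(physical_mtu, layers)
    if inner_len <= limit:
        return ("forward", limit)
    if df:
        return ("icmp-frag-needed", limit)
    return ("fragment", limit)


def pmtud_converge(initial_mss, physical_mtu, layers):
    """Host-side PMTUD: send DF-set segments, shrink the MSS on each ICMP until it fits."""
    mss = initial_mss
    while True:
        action, limit = router_decision(IP_HDR + TCP_HDR + mss, True, physical_mtu, layers)
        if action == "forward":
            return mss          # 1390 for the GRE + IPsec + DSL budget in the question
        mss = tcp_mss(limit)    # what "ip tcp adjust-mss" would have set up front
```

The converged MSS equals the value "ip tcp adjust-mss 1390" clamps to directly, which is why the two mechanisms are complementary: the clamp fixes TCP without relying on ICMP getting through, PMTUD also covers non-TCP traffic but only if the ICMP unreachable is not filtered.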