How the PMTUD works on an IPSEC tunnel?

jerebb
Level 1

As I read, PMTUD only works with TCP (especially TCP SYN) packets, but IPSEC uses UDP 500 and IP protocols 50 and 51.

What is the procedure by which PMTUD works on the IPSEC tunnel?

2 Replies

mclach
Level 1

It is true PMTUD is for TCP packets but also for some tunnel protocols such as IPSec, GRE etc. PMTUD is defined in RFC 1191.

It is important to remember what PMTUD is for: its purpose is to measure the smallest MTU on the path, and then the originator will send smaller datagrams. PMTUD is a very important way of avoiding fragmentation and, as we all know, fragmentation can be the cause of increased packet loss rate and increased CPU.

Now to answer how does IPSec and PMTUD work together?

IPSec encapsulation will copy the DF bit to the external header, then IPSec will keep track of the path MTU of the tunnel.

Some further information is all available on CCO, but here is one good reference:

http://www.cisco.com/warp/public/105/pmtud_ipfrag.html

R/Catherine
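
The behaviour described in the reply above (DF copied to the outer header, path MTU tracked for the tunnel) can be modelled as follows. This is an added example, not code from the thread or from Cisco; the transform (tunnel-mode ESP with AES-CBC and HMAC-SHA1-96), the class and function names, and the 576-byte sanity floor are assumptions.

```python
# Simplified model of a tunnel-mode ESP gateway tracking path MTU (illustrative only).
# Assumed transform: AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV).
OUTER_IP, ESP_HDR, IV, BLOCK, TRAILER, ICV = 20, 8, 16, 16, 2, 12
FIXED = OUTER_IP + ESP_HDR + IV + ICV   # bytes added regardless of payload size
MIN_MTU = 576                           # assumed floor: ICMP is unauthenticated, so
                                        # implausibly small values are ignored

def outer_len(inner_len):
    """Wire size after encapsulating an inner IP packet of inner_len bytes."""
    # Payload + padding + 2-byte ESP trailer must be a multiple of the cipher block.
    padded = -(-(inner_len + TRAILER) // BLOCK) * BLOCK
    return FIXED + padded

def max_inner(path_mtu):
    """Largest inner packet whose encapsulated form still fits in path_mtu."""
    return (path_mtu - FIXED) // BLOCK * BLOCK - TRAILER

class TunnelSA:
    def __init__(self, link_mtu=1500):
        self.path_mtu = link_mtu        # path MTU tracked for this tunnel

    def send(self, inner_len, df):
        """Return what the gateway does with an inner packet (any protocol, not only TCP)."""
        size = outer_len(inner_len)
        if size <= self.path_mtu:
            return ("sent", size, df)   # inner DF bit is copied to the outer header
        if df:
            # Too big and DF set: drop, and tell the original sender (ICMP type 3
            # code 4) the largest inner packet the tunnel can carry.
            return ("icmp_frag_needed", max_inner(self.path_mtu), df)
        return ("fragment", size, df)   # DF clear: fragmentation is allowed

    def on_icmp_frag_needed(self, next_hop_mtu):
        """ICMP type 3 code 4 from a router on the tunnel path, sent to the gateway."""
        if next_hop_mtu >= MIN_MTU:
            self.path_mtu = min(self.path_mtu, next_hop_mtu)

def demo():
    sa = TunnelSA()
    first = sa.send(1438, df=True)      # fits a 1500-byte path
    sa.on_icmp_frag_needed(1400)        # a router inside the tunnel path reports 1400
    second = sa.send(1438, df=True)     # now too large for the tunnel
    third = sa.send(second[1], df=True) # sender retries at the advertised size
    return first, second, third
```
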

Can you explain what is used, other than the TCP SYN packets, to adjust the MTU size in IPSEC?

Do you have any information that PIX has got this PMTUD feature?

Thanks in advance