Can one influence the max. packet size of ISAKMP packets of the other party when creating a site-to-site VPN?
Can one influence the max. packet size of ISAKMP packets of the other party when creating a site-to-site VPN, just as when you use "ip tcp adjust-mss" and inform the other party about our max. MSS?
Thing is: I am trying to establish a cert.-based site-to-site VPN, and the local ISP's Layer 1/2 devices (on the branch router's side) are dropping packets (without ICMP notification) larger than 1452 bytes with the DF bit set (as ISAKMP sets it). This is what happens to us: the branch office router doesn't receive the cert. of the concentrator because it is about 1800 bytes long (fragmented into two packets of 1500 + 300 bytes), and the branch router goes back from the MM5 state to Phase 1 because of the MM4 retransmissions. The concentrator has a lot of VPN tunnels, so I cannot change anything on that side, but I got the idea to somehow influence the packet size from the branch router, just as when one configures "ip tcp adjust-mss" and influences the other side of the TCP session to lower the packet size/MSS. The router is a Cisco 3925 with IOS 15.1(2)T5 at the moment.
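An added example, not from this thread or from Cisco: a small Python check over constructed capture records (as a packet decoder would emit them) that flags IPv4 datagrams for which only non-first fragments reached the branch, which is the symptom described above (only the ~300-byte tail of the concentrator's certificate datagram gets through the ISP). Addresses, IP IDs and lengths are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Frag:
    """One IPv4 packet as a capture tool decodes it (constructed record format)."""
    src: str
    dst: str
    ip_id: int      # IP Identification; identical for all fragments of one datagram
    length: int     # IP total length in bytes
    df: bool        # Don't Fragment flag
    mf: bool        # More Fragments flag
    frag_off: int   # fragment offset in 8-byte units (0 = first or only fragment)

def orphaned_fragments(pkts):
    """Group packets by (src, dst, ip_id) and return the datagrams for which only
    non-first fragments arrived. Each result is (src, dst, ip_id, missing_bytes),
    where missing_bytes is the payload the absent leading fragment(s) must have
    carried (lowest seen offset * 8). Only the first fragment holds the UDP
    header, so an orphan cannot be tied to port 500 by itself; correlate it with
    the IKE datagram the branch sent just before it."""
    groups = defaultdict(list)
    for p in pkts:
        if p.mf or p.frag_off:          # skip unfragmented packets
            groups[(p.src, p.dst, p.ip_id)].append(p)
    out = []
    for key, parts in groups.items():
        if all(p.frag_off > 0 for p in parts):
            out.append((*key, min(p.frag_off for p in parts) * 8))
    return out

# Constructed capture taken on the branch router's WAN side.
BRANCH, HUB, OTHER = "198.51.100.5", "203.0.113.10", "192.0.2.7"
SAMPLE = [
    Frag(BRANCH, HUB, 0x1a2b, 372, True, False, 0),      # branch -> hub, small, whole
    Frag(HUB, BRANCH, 0x4c1e, 320, True, False, 185),    # only the 300-byte tail of the
                                                         # hub's 1800-byte cert datagram
    Frag(OTHER, BRANCH, 0x0101, 1500, True, True, 0),    # a complete two-part datagram
    Frag(OTHER, BRANCH, 0x0101, 120, True, False, 185),
]

if __name__ == "__main__":
    for src, dst, ip_id, missing in orphaned_fragments(SAMPLE):
        print(f"{src} -> {dst} id=0x{ip_id:04x}: first {missing} payload bytes never arrived")
```

Run against a real capture, the orphan entries are the datagrams an upstream device silently discarded; the reported missing byte count tells you how large the dropped leading fragment was, which is the number to compare against the 1452-byte limit observed here.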
Yes, what you wrote is correct, but as I mentioned the concentrator is terminating a lot of other sessions, so neither the change to IKEv2 nor changing anything on the concentrator is possible for me (plus, as far as I know, this influences only the side where you configure the command).
This is worth pursuing with the ISP (or switching to IPv6, where you cannot fragment in transit :D).
An alternative, again with a wider impact, is to decrease the physical MTU, or to punt the IKE negotiation traffic (via local policy?) through some path which would cause fragmentation to occur before 1500-byte packets leave your environment.
We reported it, but the ISP cannot do anything about this. The problem is not with the packets from the branch but with those from the concentrator, so the alternative solution of changing anything on it is not possible. This is why I am chasing a solution to influence the concentrator somehow from the branch router.