Re: udp packet size without pmtud

d-heinen · ‎11-12-2008

in an environment where I cannot guarantee that pmtud works (firewalls blocking all icmp etc.) how can I make sure large udp packets like snmp replies go through IPsec, GRE and encrypted GRE tunnels?

ovt · ‎11-14-2008

1. Clear the DF bit on the original packets, so they'll be fragmented:

route-map clear-df permit 10

match ip address 101

set ip df 0

interface fa0/0 ! LAN - ingress intf

ip policy route-map clear-df

This should work for all scenarios. IPSec does copy the DF-bit to the outer IP header from the original packet, GRE - doesn't - it sets it to 0 by default.

2. Clear the DF on the original packet, then fragment and ESP-encapsulate it. Then copy the DF-bit to the new IP header (will be 0). Should work for pure IPSec:

interface serial 0/0 ! IPSec intf

crypto ipsec df-bit clear

3. Use this:

int tunnel 0

ip mtu 1400

Should work for IPSec+GRE. The original packet will be fragmented (if it has DF=0) then GRE encapsulated (DF set to 0) then IPSec-encapsulated (DF copied = 0). If the original packet has DF=1 - clear it as per above.

4. Lower the MTU on the client, like Cisco VPN client does.

HTH

d-heinen · ‎11-14-2008

Thanks for your reply. I already did more or less what you proposed, only I configured the "fragment-befor" option just to make sure the original payload is fragmented, and not the IPsec encapsulated packet. Seems to be a default value, though, as it doesn't turn up in the config.

My concern is to avoid fragmentation completely so as not to reduce my IPsec throughput (hardware instead of CPU processing), but due to the UDP protocol features it seems I cannot avoid it completely.

Thanks a lot for your support.