11-12-2008 04:38 AM
in an environment where I cannot guarantee that pmtud works (firewalls blocking all icmp etc.) how can I make sure large udp packets like snmp replies go through IPsec, GRE and encrypted GRE tunnels?
11-14-2008 03:35 AM
1. Clear the DF bit on the original packets, so they'll be fragmented:
route-map clear-df permit 10
 match ip address 101
 set ip df 0
!
interface fa0/0 ! LAN - ingress intf
 ip policy route-map clear-df
This should work for all scenarios. IPSec does copy the DF-bit to the outer IP header from the original packet; GRE doesn't, it sets it to 0 by default.
2. Clear the DF on the original packet, then fragment and ESP-encapsulate it. Then copy the DF-bit to the new IP header (will be 0). Should work for pure IPSec:
interface serial 0/0 ! IPSec intf
 crypto ipsec df-bit clear
3. Use this:
int tunnel 0
 ip mtu 1400
Should work for IPSec+GRE. The original packet will be fragmented (if it has DF=0) then GRE encapsulated (DF set to 0) then IPSec-encapsulated (DF copied = 0). If the original packet has DF=1 - clear it as per above.
4. Lower the MTU on the client, like Cisco VPN client does.
HTH
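To show why the 1400-byte tunnel MTU and the DF-bit rules above work together, here is an added model (not code from the thread or from Cisco) of the per-stage overhead and DF handling. It assumes tunnel-mode ESP with a 16-byte-block CBC cipher and 16-byte IV (AES-CBC), a 12-byte HMAC-SHA1-96 ICV, GRE without options, and a 1500-byte path MTU; all of those are assumptions, adjustable via the parameters.

```python
"""Model of GRE / IPsec overhead and DF-bit propagation (assumed header sizes)."""

OUTER_IP = 20      # delivery IP header of the GRE or ESP packet
GRE_HDR = 4        # GRE header with no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # truncated HMAC authenticator (SHA1-96 / MD5-96)

def gre_len(inner_len):
    """Size of the GRE delivery packet wrapped around an inner IP packet."""
    return OUTER_IP + GRE_HDR + inner_len

def esp_tunnel_len(inner_len, block=16, iv=16):
    """Size of an ESP tunnel-mode packet for a CBC cipher with `block`/`iv` bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # round up to block
    return OUTER_IP + ESP_HDR + iv + padded + ESP_ICV

def encapsulated_len(inner_len, gre=True, block=16, iv=16):
    """Final on-the-wire size: GRE (optional) first, then ESP around it."""
    return esp_tunnel_len(gre_len(inner_len) if gre else inner_len, block, iv)

def max_inner_len(path_mtu=1500, gre=True, block=16, iv=16):
    """Largest inner packet that crosses the path with no post-encryption
    fragmentation; the tunnel 'ip mtu' should be at or below this value."""
    n = path_mtu
    while encapsulated_len(n, gre, block, iv) > path_mtu:
        n -= 1
    return n

def outer_df(inner_df, gre=True, df_bit_clear=False):
    """DF on the ESP header as the thread describes it: GRE writes DF=0 on its
    delivery header, IPsec copies DF from what it encapsulates unless cleared."""
    if df_bit_clear:
        return 0
    return 0 if gre else inner_df

def tunnel_outcome(inner_len, inner_df, tunnel_mtu, gre=True,
                   block=16, iv=16, path_mtu=1500, df_bit_clear=False):
    """What the tunnel ingress does with one inner packet (fragment-before-encrypt)."""
    if inner_len > tunnel_mtu:
        if inner_df:
            return "dropped: DF set, needs ICMP frag-needed (black hole if ICMP is filtered)"
        return "fragmented before encryption"
    if encapsulated_len(inner_len, gre, block, iv) > path_mtu:
        if outer_df(inner_df, gre, df_bit_clear):
            return "dropped after encryption"
        return "fragmented after encryption (reassembly at far end)"
    return "forwarded unfragmented"
```

With these assumptions a 1400-byte inner packet becomes 1496 bytes on the wire, so 1400 leaves a little headroom; the largest inner size that still fits is 1414 for GRE+ESP and 1446 for plain ESP with a 3DES-style 8-byte block.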
11-14-2008 04:56 AM
Thanks for your reply. I already did more or less what you proposed, only I configured the "fragment-befor" option just to make sure the original payload is fragmented, and not the IPsec encapsulated packet. Seems to be a default value, though, as it doesn't turn up in the config.
My concern is to avoid fragmentation completely so as not to reduce my IPsec throughput (hardware instead of CPU processing), but due to the UDP protocol features it seems I cannot avoid it completely.
Thanks a lot for your support.