1. Clear the DF bit on the original packets, so they'll be fragmented:
route-map clear-df permit 10
 match ip address 101
 set ip df 0
interface fa0/0   ! LAN - ingress intf
 ip policy route-map clear-df
This should work for all scenarios. IPSec does copy the DF bit from the original packet to the outer IP header; GRE doesn't, it sets it to 0 by default.
2. Clear the DF on the original packet, then fragment and ESP-encapsulate it. Then copy the DF-bit to the new IP header (will be 0). Should work for pure IPSec:
interface serial 0/0   ! IPSec intf
 crypto ipsec df-bit clear
3. Use this:
int tunnel 0
 ip mtu 1400
Should work for IPSec+GRE. The original packet will be fragmented (if it has DF=0), then GRE-encapsulated (DF set to 0), then IPSec-encapsulated (DF copied = 0). If the original packet has DF=1, clear it as per above.
4. Lower the MTU on the client, like Cisco VPN client does.
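As an added illustration (not part of the reply above), the following model traces one packet through the four options: route-map DF clearing, "crypto ipsec df-bit clear", "ip mtu 1400" on the tunnel, and the default IPsec behaviour of fragmenting before encryption. The GRE/ESP overhead constants and the 1500-byte link MTU are assumptions; real ESP overhead depends on the cipher and padding.

```python
import math

GRE_OVERHEAD = 24   # outer IPv4 (20) + GRE header (4); assumed typical IPv4 GRE
ESP_OVERHEAD = 58   # outer IPv4 + ESP header/IV/padding/ICV; assumed, varies by cipher
LINK_MTU = 1500     # physical egress MTU; assumed


def fragment(size, mtu):
    """Split an IPv4 packet of `size` bytes into fragments fitting `mtu`."""
    payload = (mtu - 20) // 8 * 8                 # fragment payload is a multiple of 8
    n = math.ceil((size - 20) / payload)
    return [payload + 20] * (n - 1) + [size - payload * (n - 1)]


def forward(size, df, gre=False, tunnel_mtu=None, clear_df=False, ipsec_df_clear=False):
    """Model one packet through optional GRE, then IPsec tunnel-mode encapsulation.

    clear_df       -> option 1: route-map 'set ip df 0' on the LAN ingress
    ipsec_df_clear -> option 2: 'crypto ipsec df-bit clear' (default is copy)
    gre/tunnel_mtu -> option 3: 'ip mtu' on the GRE tunnel interface
    Returns whether the packet is delivered, how many ESP packets hit the wire,
    and at which stage (if any) fragmentation happened.
    """
    if clear_df:
        df = False                                # DF rewritten on ingress
    pieces, stage = [size], "none"
    if gre:
        mtu = tunnel_mtu or LINK_MTU - GRE_OVERHEAD
        if size > mtu:
            if df:                                # too big, DF set: router must drop
                return {"delivered": False, "fragments": 0, "stage": "gre-drop"}
            pieces, stage = fragment(size, mtu), "before-gre"
        pieces = [p + GRE_OVERHEAD for p in pieces]
        df = False                                # GRE sets outer DF=0 by default
    if ipsec_df_clear:
        df = False                                # ESP outer header gets DF=0
    wire = []
    for p in pieces:
        if p + ESP_OVERHEAD > LINK_MTU:
            if df:                                # DF copied and set: drop, not fragment
                return {"delivered": False, "fragments": 0, "stage": "ipsec-drop"}
            # default 'fragmentation before-encryption': split the clear packet
            wire += [f + ESP_OVERHEAD for f in fragment(p, LINK_MTU - ESP_OVERHEAD)]
            stage = "before-esp" if stage == "none" else stage
        else:
            wire.append(p + ESP_OVERHEAD)
    return {"delivered": True, "fragments": len(wire), "stage": stage}
```

With the assumed overheads, a 1500-byte DF=1 packet is dropped by both pure IPsec and GRE+IPsec until one of the DF-clearing options is applied, after which it leaves as two ESP packets that each fit the link MTU.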
Thanks for your reply. I already did more or less what you proposed, only I configured the "fragment-befor" option just to make sure the original payload is fragmented, and not the IPsec encapsulated packet. Seems to be a default value, though, as it doesn't turn up in the config.
My concern is to avoid fragmentation completely so as not to reduce my IPsec throughput (hardware instead of CPU processing), but due to the UDP protocol features it seems I cannot avoid it completely.