MTU & MSS adjust on GRE over IPsec over HSPA network
We need to figure out what's the best config for a VPN network running on the latest Bell Canada HSPA cellular network. Technical folks at Bell told us the best MTU to use over their HSPA network is 1476.
Correct me if I'm wrong:
HSPA ISP recommended MTU - IPsec payload - GRE payload = what we need to configure on our MSS adjust commands and on the Tunnel interface.
That would be 1476 (HSPA) - 58 (IPsec) - 24 (GRE) = 1394
On our Ethernet interface facing the HSPA modem: MTU should be 1476
Standard LAN NIC MTU = 1500. When a TCP SYN connection is started, the TCP stack will do the following:
So the NIC MTU = 1500; take away 20 bytes for the TCP header and advertise an MSS of 1460.
When you have PMTUD enabled (enabled by default on ALL Microsoft OS), ALL packets have the DF bit set.
So you negotiate a TCP session to 1460 with the DF bit set; the packets arrive at the firewall/VPN device ready for encryption... but the device needs to add 56 bytes of encryption to the packet. 1460 + 56 = 1516, but the interface MTU is 1500, right! Oops!
If you start using a ping with the DF bit set, it's misleading, as an ICMP packet is 20 bytes with IP info, so the MTU reported will be 1480! Not what you are looking for.
So to be safe I always do the following:
20 bytes for IP header
20 bytes for TCP header
28 bytes for GRE encapsulation
56 bytes for IPsec
So far = 1356.
I always calculate an extra if I am dealing with VoIP:
12 bytes for RTP
All totaled = 1344
I also allow for "fudge", so I use 1300 bytes as the MSS value... works extremely well for me.
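The budget in the original question (1476 - 58 - 24) and the 1500-byte-link scenario in the reply above both come down to the same arithmetic, so here is one worked calculator that covers both. It is an added example written for this thread, not code from either poster. It models ESP tunnel mode on IPv4 with an assumed suite of AES-CBC (16-byte IV, 16-byte block) and a 12-byte ICV (HMAC-SHA1-96); with zero padding that suite adds exactly 58 bytes, which is the figure in the question, but ESP pads the encrypted part up to the cipher block size, so the real overhead ranges from 58 to 73 bytes depending on packet length. The function names (`tunnel_ip_mtu`, `outer_size`, `fits`, `ios_tunnel_config`) are mine; the IOS commands `ip mtu` and `ip tcp adjust-mss` are the real interface commands.

```python
"""MTU/MSS budget for TCP over GRE over IPsec ESP (tunnel mode, IPv4).

Added worked example for this thread; it is not code from the original
posters. Assumed cipher suite (an assumption, adjust for your own):
AES-CBC with a 16-byte IV and 16-byte block, 12-byte ICV (HMAC-SHA1-96).
"""

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4        # base GRE header; key/checksum/sequence add 4 bytes each
ESP_SPI_SEQ = 8    # SPI + sequence number at the front of ESP
ESP_TRAILER = 2    # pad-length + next-header bytes at the end of the encrypted part


def gre_overhead(key=False, checksum=False, sequence=False):
    """Outer IPv4 header plus GRE header with any optional fields."""
    return IPV4_HDR + GRE_HDR + 4 * (int(key) + int(checksum) + int(sequence))


def esp_padding(inner_len, block=16):
    """ESP pad bytes so that (inner + pad + trailer) is a multiple of the cipher block."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_tunnel_overhead(inner_len, iv_len=16, icv_len=12, block=16):
    """Exact bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes."""
    return (IPV4_HDR + ESP_SPI_SEQ + iv_len
            + esp_padding(inner_len, block) + ESP_TRAILER + icv_len)


def esp_overhead_range(iv_len=16, icv_len=12, block=16):
    """(minimum, maximum) ESP tunnel overhead: zero padding vs block-1 bytes of padding."""
    fixed = IPV4_HDR + ESP_SPI_SEQ + iv_len + ESP_TRAILER + icv_len
    return fixed, fixed + block - 1


def tunnel_ip_mtu(link_mtu, gre=None, ipsec=None, **esp):
    """Largest inner IP packet that survives GRE + ESP on a link of link_mtu bytes.

    Defaults to the worst-case ESP overhead, so the result holds for every packet size.
    Pass ipsec=58 to reproduce a zero-padding budget.
    """
    gre = gre_overhead() if gre is None else gre
    ipsec = esp_overhead_range(**esp)[1] if ipsec is None else ipsec
    return link_mtu - gre - ipsec


def tcp_mss(ip_mtu):
    """MSS to advertise (or clamp) for TCP running inside a tunnel of the given IP MTU."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def outer_size(tcp_payload, gre=None, **esp):
    """Size on the wire of one full TCP segment after GRE and ESP tunnel encapsulation."""
    gre = gre_overhead() if gre is None else gre
    inner = IPV4_HDR + TCP_HDR + tcp_payload
    gre_packet = inner + gre
    return gre_packet + esp_tunnel_overhead(gre_packet, **esp)


def fits(tcp_payload, link_mtu, gre=None, **esp):
    """True if a segment of tcp_payload bytes crosses the link without fragmentation."""
    return outer_size(tcp_payload, gre, **esp) <= link_mtu


def ios_tunnel_config(link_mtu, **kw):
    """Interface lines for the Tunnel interface, derived from the worst-case budget."""
    mtu = tunnel_ip_mtu(link_mtu, **kw)
    return [f" ip mtu {mtu}", f" ip tcp adjust-mss {tcp_mss(mtu)}"]


if __name__ == "__main__":
    print("ESP overhead min/max:", esp_overhead_range())
    print("1460-byte MSS over a 1500 link ->", outer_size(1460), "bytes on the wire")
    for mss in (1354, 1339, 1300):
        verdict = "fits" if fits(mss, 1476) else "too big"
        print(f"MSS {mss} on a 1476 link: {outer_size(mss)} bytes, {verdict}")
    print("\n".join(ios_tunnel_config(1476)))
```

Running it shows why a safety margin matters: the zero-padding budget gives an IP MTU of 1394 and an MSS of 1354, but a full 1354-byte segment picks up 4 bytes of ESP padding and leaves the box at 1480 bytes, over the 1476-byte link; the worst-case budget (IP MTU 1379, MSS 1339) and the 1300-byte "fudge" value both fit for every segment size.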