ScreenOS Firewalls (NOT SRX)
ttl_expired

Optimizing MTU for IPsec

Hi all,

I heard that there was a program that would test your link and allow you to properly set your MTU for your IPsec VPNs in order to avoid fragmenting packets.  Does anyone know what this program is, or how one could test to optimize MTU sizes?

Thanks

WL

Re: Optimizing MTU for IPsec

Hi there

I think if you really want a free tool to test the BW, you can try googling for "iperf".

But for the VPN issue, it really depends on the type of VPN configuration you are setting. Based on the encryption, there is a specific amount of overhead we will need to add for the IPSEC header.

With that, you can pretty much calculate the MTU size you should set. In most cases, many customers have tried with 1350 or 1300. With those in general even with vpn overheads there will still be almost no fragmentation.

Hope this helps.

shashlik

Re: Optimizing MTU for IPsec

You can also use the Windows cmd prompt.  Ping across the VPN but with the DF bit set (-f), then specify the size with -l:

     ping 1.1.1.1 -f -l 1300

The size you specify here is the ICMP payload size, so

     1300 bytes  ICMP payload
        8 bytes  ICMP header
       20 bytes  IP header
     ----------
     1328 bytes  Total (MTU).

Juniper firewalls calculate MTU based on total length specified in IP header.

You can use "get sa stat" on the firewall to see if there are any fragments sent/received.

Regards,
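
Added example, not part of any post in this thread: the two replies above (overhead depends on the encryption; the ping size is payload plus 28 bytes) combined into an ESP tunnel-mode calculator. It assumes IPv4 without options, CBC ciphers, and the standard ESP field sizes; the function and table names are made up for the example.

```python
"""ESP tunnel-mode overhead calculator (added example; IPv4, CBC ciphers only)."""
import math

OUTER_IP = 20     # outer IPv4 header, no options (assumption)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), encrypted with the payload
NATT_UDP = 8      # extra UDP header when NAT-T encapsulation is in use
ICMP_IP = 28      # ICMP header (8) + inner IPv4 header (20), as in the post

# cipher -> (block size, IV size); auth -> truncated ICV size; all in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
AUTHS = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def _fixed(cipher, auth, nat_t):
    """Return (block size, bytes added regardless of payload length)."""
    block, iv = CIPHERS[cipher]
    natt = NATT_UDP if nat_t else 0
    return block, OUTER_IP + natt + ESP_HDR + iv + AUTHS[auth]


def outer_len(inner_len, cipher, auth, nat_t=False):
    """On-the-wire size of an inner IP packet after ESP encapsulation."""
    block, fixed = _fixed(cipher, auth, nat_t)
    # payload + trailer is padded up to a whole number of cipher blocks
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return fixed + encrypted


def max_inner(link_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet whose ESP packet still fits in link_mtu."""
    block, fixed = _fixed(cipher, auth, nat_t)
    encrypted = (link_mtu - fixed) // block * block
    return encrypted - ESP_TRAILER


def ping_payload(link_mtu, cipher, auth, nat_t=False):
    """Largest value for 'ping -f -l <size>' that should pass unfragmented."""
    return max_inner(link_mtu, cipher, auth, nat_t) - ICMP_IP


if __name__ == "__main__":
    for cipher, auth, nat_t in [("aes-cbc", "hmac-sha1-96", False),
                                ("aes-cbc", "hmac-sha1-96", True),
                                ("3des-cbc", "hmac-sha1-96", False)]:
        inner = max_inner(1500, cipher, auth, nat_t)
        size = ping_payload(1500, cipher, auth, nat_t)
        print(f"{cipher}/{auth} nat_t={nat_t}: inner MTU {inner}, ping -l {size}")
```

The 1328-byte packet from the ping example above becomes a 1400-byte ESP packet with AES-CBC and HMAC-SHA1-96, which is why values such as 1350 or 1300 leave headroom on a 1500-byte link.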

hagbard

Re: Optimizing MTU for IPsec

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.