SRX Services Gateway

IPsec

[ Edited ]
06-11-2019 09:42 PM

Hi all,

The current conf has a statement of "set sec flo tcp-mss all-tcp mss 1430". But I want to assign a more specific TCP MSS value for the IPsec traffic on the SRX device, so I will use "set sec flo tcp-mss ipsec-vpn mss <value>". In this case, what should I do with "set security flow tcp-mss all-tcp mss 1430"? Should I leave it as it is? Or must it be removed before assigning a TCP MSS value for the ipsec-vpn traffic? Or does it not matter if I use both? Or which one overrides? What is best practice when having both IPsec traffic and non-IPsec traffic on the same SRX box?


Thx

Ar


Re: IPsec

06-11-2019 09:58 PM
If all the four TCP MSS options are configured simultaneously, then the order of preference is as follows:

If a TCP packet enters an IPsec VPN tunnel, then the ipsec-vpn mss value has higher priority than the all-tcp mss value, hence the ipsec-vpn mss value is set.

If a TCP packet enters GRE, then the gre-in mss value overrides the all-tcp mss value, hence the gre-in mss value is set.

If a TCP packet exits GRE, then the all-tcp mss value overrides the gre-in mss value, hence the all-tcp mss value is set.
Reference: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-...


Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
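The precedence rules in the reply above, modelled as a small Python program. This is an added example and not Juniper code or anything from the original thread: it encodes the three stated rules (ipsec-vpn beats all-tcp on tunnel entry, gre-in beats all-tcp on GRE entry, all-tcp beats gre-in on GRE exit), and it assumes two things the page does not state: that a packet matching no tunnel path falls back to all-tcp, and that the device only ever lowers an advertised MSS in a SYN and never raises it. The 1350 and 1400 values are constructed; the 1430 all-tcp value is the poster's.

```python
"""Toy model of 'set security flow tcp-mss' precedence on an SRX.

Added example, not Juniper's implementation. It shows why the poster can
keep 'all-tcp mss 1430' and add 'ipsec-vpn mss <value>' side by side:
IPsec-bound SYNs take the ipsec-vpn value, everything else keeps all-tcp.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TcpMssConfig:
    # set security flow tcp-mss all-tcp mss N
    all_tcp: Optional[int] = None
    # set security flow tcp-mss ipsec-vpn mss N
    ipsec_vpn: Optional[int] = None
    # set security flow tcp-mss gre-in mss N
    gre_in: Optional[int] = None


def to_set_commands(cfg: TcpMssConfig) -> list:
    """Render the config as Junos 'set' statements (for display only)."""
    lines = []
    if cfg.all_tcp is not None:
        lines.append(f"set security flow tcp-mss all-tcp mss {cfg.all_tcp}")
    if cfg.ipsec_vpn is not None:
        lines.append(f"set security flow tcp-mss ipsec-vpn mss {cfg.ipsec_vpn}")
    if cfg.gre_in is not None:
        lines.append(f"set security flow tcp-mss gre-in mss {cfg.gre_in}")
    return lines


def effective_mss(cfg: TcpMssConfig, path: str) -> Tuple[Optional[str], Optional[int]]:
    """Pick the knob that applies to a SYN on a given forwarding path.

    path: 'ipsec-in' (entering an IPsec VPN tunnel), 'gre-in' (entering
    GRE), 'gre-out' (exiting GRE) or 'plain' (no tunnel involved).
    Returns (knob name, value) or (None, None) if nothing is configured.
    """
    # Rule 1 from the reply: tunnel entry, ipsec-vpn wins over all-tcp.
    if path == "ipsec-in" and cfg.ipsec_vpn is not None:
        return "ipsec-vpn", cfg.ipsec_vpn
    # Rule 2: GRE entry, gre-in wins over all-tcp.
    if path == "gre-in" and cfg.gre_in is not None:
        return "gre-in", cfg.gre_in
    # Rule 3 and the assumed fallback: all-tcp covers GRE exit and every
    # other case, including a tunnel path whose specific knob is unset.
    if cfg.all_tcp is not None:
        return "all-tcp", cfg.all_tcp
    # Assumption: with no all-tcp value, a GRE-exit SYN still gets gre-in.
    if path == "gre-out" and cfg.gre_in is not None:
        return "gre-in", cfg.gre_in
    return None, None


def clamp_syn_mss(advertised: int, cfg: TcpMssConfig, path: str) -> int:
    """Return the MSS the SYN carries after the SRX processes it.

    Assumption (not from the page): the device only lowers an MSS that
    exceeds the configured value; a smaller advertised MSS is left alone.
    """
    _, value = effective_mss(cfg, path)
    if value is None or advertised <= value:
        return advertised
    return value


if __name__ == "__main__":
    # The poster's all-tcp value plus a constructed, tighter ipsec-vpn value.
    cfg = TcpMssConfig(all_tcp=1430, ipsec_vpn=1350)
    print("\n".join(to_set_commands(cfg)))
    for path in ("plain", "ipsec-in"):
        knob, value = effective_mss(cfg, path)
        print(f"{path:9s} -> {knob} ({value}), SYN with MSS 1460 becomes "
              f"{clamp_syn_mss(1460, cfg, path)}")
```

Running it shows a plain-path SYN clamped to 1430 and an IPsec-bound SYN clamped to 1350, which is the behaviour the reply describes when both statements are present.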
Re: IPsec

06-11-2019 11:52 PM
If all the four TCP MSS options are configured simultaneously, then the order of preference is as follows:

* If a TCP packet enters an IPsec VPN tunnel, then the ipsec-vpn mss value has higher priority than the all-tcp mss value, hence the ipsec-vpn mss value is set.
Ref:
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-...
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too