ScreenOS Firewalls (NOT SRX)

Optimizing MTU for IPsec

‎12-11-2008 05:51 PM

Hi all,



I heard that there was a program that would test your link and allow you to properly set your MTU for your IPsec VPNs in order to avoid fragmenting packets.  Does anyone know what this program is, or how one could test to optimize MTU sizes?






Re: Optimizing MTU for IPsec

‎12-11-2008 07:29 PM

Hi there


I think if you really want a free tool to test the BW, you can try googling for "iperf".


But for the VPN issue, it really depends on the type of VPN configuration you are setting. Based on the encryption, there is a specific amount of overhead we will need to add for the IPsec header.


With that, you can pretty much calculate the MTU size you should set. In most cases, many customers have tried with 1350 or 1300. With those in general even with vpn overheads there will still be almost no fragmentation.


Hope this helps.


Re: Optimizing MTU for IPsec

‎12-11-2008 10:48 PM

You can also use the Windows cmd prompt.  Ping across the VPN with the DF bit set (-f), then specify the size with -l:


     ping -f -l 1300


The size you specify here is the ICMP payload size, so


     1300 bytes  ICMP payload
        8 bytes  ICMP header
       20 bytes  IP header
     ----------
     1328 bytes  Total (MTU).



Juniper firewalls calculate MTU based on total length specified in IP header.



You can use "get sa stat" on the firewall to see if there are any fragments sent/received.
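The replies above say that the IPsec overhead depends on the encryption chosen and show the ICMP payload + header arithmetic. As an added example (not from any poster or from Juniper), the following Python code carries both through for ESP tunnel mode over IPv4; the byte counts are the standard ESP values from RFC 4303, and the function names and proposal table are assumptions made for illustration.

```python
# Added example: ESP tunnel-mode overhead calculator (IPv4 outer header).
# Sizes come from RFC 4303 and the usual cipher/HMAC parameters, not from the thread.

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
NATT_UDP = 8       # UDP encapsulation header when NAT-T is in use
ICMP_IP_HDRS = 28  # 20-byte IP + 8-byte ICMP header, as in the post above

# cipher -> (block size, IV size); auth -> truncated ICV size
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
AUTHS = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def outer_size(inner_len, cipher, auth, natt=False):
    """Size on the wire of the ESP packet carrying an inner IP packet."""
    block, iv = CIPHERS[cipher]
    # Inner packet + trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + (NATT_UDP if natt else 0) + ESP_HDR + iv + padded + AUTHS[auth]


def max_inner(path_mtu, cipher, auth, natt=False):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    block, iv = CIPHERS[cipher]
    room = path_mtu - OUTER_IP - (NATT_UDP if natt else 0) - ESP_HDR - iv - AUTHS[auth]
    if room < block:
        raise ValueError("path MTU too small for this proposal")
    return (room // block) * block - ESP_TRAILER


def ping_payload(inner_len):
    """Value to pass to Windows `ping -f -l` to produce an inner packet of inner_len."""
    return inner_len - ICMP_IP_HDRS


if __name__ == "__main__":
    for cipher, auth, natt in [("3des-cbc", "hmac-sha1-96", False),
                               ("aes-cbc", "hmac-sha1-96", False),
                               ("aes-cbc", "hmac-sha256-128", True)]:
        inner = max_inner(1500, cipher, auth, natt)
        print(f"{cipher}/{auth} natt={natt}: max inner {inner}, "
              f"ping -f -l {ping_payload(inner)}")
```

The result is an upper bound for a 1500-byte path; confirm it with the DF-bit ping and the fragment counters in "get sa stat" as described in the post above.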





Re: Optimizing MTU for IPsec

‎12-14-2008 01:02 PM