https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138482#M21024 <P>Im glad you asked, because I have set it up and also helped customers do it and it does work. Is it recommended, thats whole another story... : - )</P> Fri, 14 Jan 2022 14:43:30 GMT the_rock 2022-01-14T14:43:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138465#M21016 <P>Hi,</P> <P>For a backbone fully supporting jumboframes, have anyone any experience building a site2site vpn utilizing jumboframes ? I would assume it comes down to using VTI interfaces and just setting the MTU there... and ofcourse, onn all other interfaces to.</P> <P>&nbsp;</P> Fri, 14 Jan 2022 12:57:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138465#M21016 vinceneil666 2022-01-14T12:57:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138472#M21019 <P>Thats a KEY thing here...MTU size.</P> Fri, 14 Jan 2022 13:42:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138472#M21019 the_rock 2022-01-14T13:42:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138477#M21021 <P>yeah ...I know... eh ?&nbsp;</P> Fri, 14 Jan 2022 14:15:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138477#M21021 vinceneil666 2022-01-14T14:15:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138478#M21022 <P>Put it this way...higher MTU will simply mean that every packet will carry much more data, BUT, there is way higher possibility that packets will be fragmented, so at the end of the day, its really a question speeds vs reliability/efficiency.</P> Fri, 14 Jan 2022 14:22:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138478#M21022 the_rock 2022-01-14T14:22:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138481#M21023 <P>I know these things <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ... I was simply just wondering if anyone had any experience on setting this up on Check Point. But it will probably be okay just setting the right MTU on all involved interfaces.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 14 Jan 2022 14:41:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138481#M21023 vinceneil666 2022-01-14T14:41:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138482#M21024 <P>Im glad you asked, because I have set it up and also helped customers do it and it does work. Is it recommended, thats whole another story... : - )</P> Fri, 14 Jan 2022 14:43:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138482#M21024 the_rock 2022-01-14T14:43:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138527#M21036 <P>Assuming you have control of every MTU setting in the network path and can set them identically it should work fine.&nbsp; However should any of these MTUs in the path revert to a default or get accidentally lowered you will be severely punished with terrible performance caused by roughly 50% packet loss due to the inability to fragment IPSec.&nbsp; As a proactive step, I'd strongly advise making sure all the firewalls involved will accept an ICMP Destination Unreachable Code 4 (Frag needed) from any source which MIGHT allow you to escape this fate should it occur.</P> Sat, 15 Jan 2022 18:42:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138527#M21036 Timothy_Hall 2022-01-15T18:42:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138605#M21055 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;<BR /><BR />ICMP Destination Unreachable Code 4 (Frag needed). With Jumbo Frames / MTU 9216 in every direction, I suppose there should be an src: any, dst: any rule to allow for this? What services will cover Code 4? Do we have to use "dest-unreach"? It claims to be ICMP type 3 so I suppose it's the correct one?&nbsp;</P> Mon, 17 Jan 2022 10:50:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138605#M21055 RamGuy239 2022-01-17T10:50:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138625#M21061 <P>The existing&nbsp;dest-unreach ICMP service will work, or you could create a more specific one like this:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dufrag.png" style="width: 382px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14919i91D40EBABAE13729/image-size/large?v=v2&amp;px=999" role="button" title="dufrag.png" alt="dufrag.png" /></span></P> <P>&nbsp;</P> Mon, 17 Jan 2022 12:56:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138625#M21061 Timothy_Hall 2022-01-17T12:56:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138630#M21064 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;<BR /><BR />Wonderful!</P> Mon, 17 Jan 2022 13:15:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Jumboframes-on-IPSEC/m-p/138630#M21064 RamGuy239 2022-01-17T13:15:26Z