topic Re: I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN in Firewall and Security Management

I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

ChoiYunSoo — Fri, 24 Mar 2023 02:43:40 GMT

I recently made a VPN connection between Check Point and AWS.

The method was Static-Route, and fortunately the tunnel comes up normally and communication is normal.

All that remains are detailed settings for tunnel stability, but I have a question about the TCP MSS Clamp setting

The customer previously operated by connecting Cisco equipment and IPsec VPN on a domain basis, and recently connected AWS and VPN with Routed-Base.

In this situation, it is thought that setting the TCP MSS clamp will affect the existing VPN communication as well.

So, I am curious about how the above settings affect general traffic other than existing IPSec communication and VPN communication.

If anyone has tried the TCP MSS Clamp setting, please let me know if it has any effect on the service or what I am concerned about.

Refer to sk101219 for TCP MSS Clamp setting

Re: I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

PhoneBoy — Fri, 24 Mar 2023 03:14:13 GMT

If you review sk101219 closely, you'll see there are separate clamping settings for VPN and non-VPN traffic.
Which means that these settings won't affect non-VPN traffic unless you configure it to do so.

The main reason for this feature is to solve the problem described here: https://support.checkpoint.com/results/sk/sk98074
I haven't heard of any issues caused by using this feature, except perhaps through misconfiguration (i.e. forcing a specific MSS value that is problematic).

Re: I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

Chris_Atkinson — Fri, 24 Mar 2023 06:49:52 GMT

In general you should be able to determine this for yourself with ping tests and the df-bit set in regards to validating MTU / MSS settings etc.

From tests inside and outside the VPN you should be able to correlate accordingly.

Tools like psping should allow TCP based probes rather than just ICMP also.

Re: I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

ChoiYunSoo — Tue, 28 Mar 2023 09:41:25 GMT

As you said, I'm trying to change only VPN-related settings.

However, I am concerned that there may be an impact on the existing IPSec VPN

Re: I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

PhoneBoy — Tue, 28 Mar 2023 21:32:11 GMT

Yes, this impacts all VPNs.
The main thing it accomplishes is ensuring IPsec packets aren’t getting fragmented because an application communicating through it is trying to use packets larger than can be accommodated.
Unless an particular system or application is especially poorly behaved, enabling this session should not cause a negative impact.

Re: I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

ChoiYunSoo — Mon, 03 Apr 2023 05:03:39 GMT

Thank you for your reply, it helped me a lot

Re: I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

ChoiYunSoo — Mon, 03 Apr 2023 05:03:55 GMT

thank you for your reply