flwsterN
Contributor

lowering mtu on remote access vpn?

Hello, I was wondering if it's possible to lower the MTU on the remote access client endpoint VPN or on the GW?

In my homelab I have built this MPLS network (in the cloud) that is the connection between my home and summer house. It runs WireGuard + GRE at the bottom, so the maximum MTU of a packet cannot go over 1380, and with IPsec on top of that I think the MTU has to go down to something like 1280-1300 on that IPsec tunnel. Is it possible to configure that on a Check Point? Can't find anything on it.

Best regards,

BW


9 Replies
PhoneBoy
Admin

You can adjust the MTU of VPN traffic by setting the MSS size for VPN traffic.
See: https://support.checkpoint.com/results/sk/sk101219 
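To turn the MTU budget from the question into a concrete MSS value, here is an added example (not from this thread or from Check Point). The per-layer overheads are assumptions for IPv4 with AES-GCM ESP and NAT-T; the 1380 figure is the poster's own measurement, and the resulting MSS is what you would then clamp to on the gateway.

```python
"""Compute the TCP MSS clamp for a WireGuard + GRE + IPsec tunnel stack.

Added example. Overhead values below are assumptions for IPv4 outer
headers and AES-GCM ESP; substitute your own measured numbers.
"""

# Assumed fixed overheads in bytes for each fixed-size tunnel layer.
LAYER_OVERHEAD = {
    "wireguard": 60,  # 20 IPv4 + 8 UDP + 16 WG data header + 16 Poly1305 tag
    "gre": 24,        # 20 IPv4 + 4 basic GRE header (no key/sequence)
}


def stack_mtu(link_mtu: int, layers: list) -> int:
    """MTU left for the innermost packet after fixed-size encapsulations."""
    return link_mtu - sum(LAYER_OVERHEAD[layer] for layer in layers)


def esp_tunnel_overhead(inner_len: int, nat_t: bool = True,
                        iv_len: int = 8, icv_len: int = 16,
                        align: int = 4) -> int:
    """Bytes ESP tunnel mode adds to a packet of inner_len bytes.

    Assumes AES-GCM (8-byte IV, 16-byte ICV, 4-byte alignment) and, with
    nat_t=True, UDP/4500 encapsulation. ESP padding depends on the inner
    length, which is why this is not a single constant.
    """
    pad = (-(inner_len + 2)) % align              # align payload + trailer
    outer = 20 + (8 if nat_t else 0)              # new IPv4 header (+ NAT-T UDP)
    return outer + 8 + iv_len + pad + 2 + icv_len  # SPI/seq, IV, trailer, ICV


def ipsec_inner_mtu(outer_mtu: int, **esp_opts) -> int:
    """Largest inner packet that still fits in outer_mtu once ESP-wrapped."""
    inner = outer_mtu
    while inner + esp_tunnel_overhead(inner, **esp_opts) > outer_mtu:
        inner -= 1
    return inner


def tcp_mss(mtu: int) -> int:
    """MSS to clamp to: MTU minus minimal IPv4 (20) and TCP (20) headers."""
    return mtu - 40


def plan(link_mtu: int, layers: list) -> dict:
    """Budget for the thread's stack: fixed layers first, then ESP on top."""
    underlay = stack_mtu(link_mtu, layers)
    ipsec = ipsec_inner_mtu(underlay)
    return {"underlay_mtu": underlay, "ipsec_mtu": ipsec, "tcp_mss": tcp_mss(ipsec)}


if __name__ == "__main__":
    print(plan(1500, ["wireguard", "gre"]))   # from a plain 1500-byte link
    print(ipsec_inner_mtu(1380), tcp_mss(ipsec_inner_mtu(1380)))  # poster's 1380 ceiling
```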

the_rock
Legend

You can change MTU on the relevant interface from clish -> set interface ethxx mtu and then whatever size needed.

Then save config to save the setting.

Andy

flwsterN
Contributor

Hello, sorry for the late reply. It seemed it was never an MTU problem (I'm doing MTU/MSS outside Check Point); I had to open up ports 500 and 4500, but it's weird that it always worked from my iPhone, which also says it's using IPsec. Or does the iPhone do it over 443?

Everything works fine now doing IPsec on top of WireGuard + GRE 🙂

PhoneBoy
Admin

Our VPN clients require a connection over HTTPS (TCP/443) to start the connection.
In some cases, this will also be used for the actual VPN transport (so called "Visitor Mode").

the_rock
Legend

Hey @flwsterN 

Any luck with this?

Andy

flwsterN
Contributor

Hello, sorry for the late reply. It seemed it was never an MTU problem (I'm doing MTU/MSS outside Check Point); I had to open up ports 500 and 4500, but it's weird that it always worked from my iPhone, which also says it's using IPsec. Or does the iPhone do it over 443?

Everything works fine now doing IPsec on top of WireGuard + GRE 🙂 However, I'm just thinking of route-leaking IPsec traffic outside WireGuard between the sites.

the_rock
Legend

Port 443 is always needed for remote access. Check out below post about it.

Andy

https://community.checkpoint.com/t5/Remote-Access-VPN/Remote-access-without-visitor-mode-enabled/td-...

flwsterN
Contributor

Yes, but why is it working without opening 4500/500 when coming from iPhone vs Mac/Windows?

the_rock
Legend

I believe iPhone would need only UDP port 500, not UDP 4500.

Andy
