Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
cp0102
Explorer

set mtu size for ipsec vpn tunnel

our client wants to create a new ipsec tunnel that allows jumbo frame with mtu size of 2000 to the remote site

can it be done?

and is it possible to set the mtu size on that specific tunnel without changing the settings of physical interfaces and other tunnels?

thank you

0 Kudos
3 Replies
G_W_Albrecht
Legend
Legend

No - see sk98074: MTU and Fragmentation Issues in IPsec VPN for details !

CCSE CCTE CCSM SMB Specialist
0 Kudos
RamGuy239
Advisor
Advisor

I haven't tested this myself. But when using VTI you can set MTU higher than 1500 on the VTI interface. The documentation on this is rather sparse, but I see no reason why it wouldn't work? Unless Check Point Gaia is starting to fragment the traffic when it passes the external interface? But if the ISP is providing a transport supporting Jumbo Frames, one would figure you are able to have Jumbo Frames on the external interface as well.

This is a rather strange thing to do as you don't often have scenarios where you have WAN between locations supporting Jumbo Frames where you would rely on IPsec VPN with Jumbo Frames. If you have a transport path between locations supporting Jumbo Frames, you would normally not have the need for encryption and if you do you would not do it on the firewall.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
Chris_Atkinson
Employee Employee
Employee

Step 1 - Does the transport path in between the locations support jumbo frames?

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events