- CheckMates
- :
- Products
- :
- General Topics
- :
- set mtu size for ipsec vpn tunnel
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
set mtu size for ipsec vpn tunnel
our client wants to create a new ipsec tunnel that allows jumbo frame with mtu size of 2000 to the remote site
can it be done?
and is it possible to set the mtu size on that specific tunnel without changing the settings of physical interfaces and other tunnels?
thank you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No - see sk98074: MTU and Fragmentation Issues in IPsec VPN for details !
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't tested this myself. But when using VTI you can set MTU higher than 1500 on the VTI interface. The documentation on this is rather sparse, but I see no reason why it wouldn't work? Unless Check Point Gaia is starting to fragment the traffic when it passes the external interface? But if the ISP is providing a transport supporting Jumbo Frames, one would figure you are able to have Jumbo Frames on the external interface as well.
This is a rather strange thing to do as you don't often have scenarios where you have WAN between locations supporting Jumbo Frames where you would rely on IPsec VPN with Jumbo Frames. If you have a transport path between locations supporting Jumbo Frames, you would normally not have the need for encryption and if you do you would not do it on the firewall.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Step 1 - Does the transport path in between the locations support jumbo frames?