Checkpoint dynamic MTU value over IPSEC tunnel

Hi guys,

Please assist me in figuring out the following behaviour related to the MTU setup used by Checkpoint.

Please find attached the general network diagram, consisting of:

2x Checkpoint firewalls with 2 external interfaces: eth0 on the Hub, eth1 on the Remote

- eth0 has MTU 1500,

- eth1 has MTU 1500, and

- an IPSEC VPN is configured between the 2 gateways, tunnel mode, AES-128 and SHA 256


Please also find the following information retrieved from the Central GW:

[Expert@central:0]# ip r get via dev bond2 src
cache ipid 0x1044 mtu 1500 advmss 1460 hoplimit 64

[Expert@central:0]# ping -s 1410 -c 1
PING ( 1410(1438) bytes of data.
1418 bytes from icmp_seq=1 ttl=64 time=37.8 ms

--- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

[Expert@central:0]# ping -s 1411 -c 1
PING ( 1411(1439) bytes of data.
From icmp_seq=1 Frag needed and DF set (mtu = 1438)

--- ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms


[Expert@central:0]# ip r get via dev bond2 src
cache expires 595sec ipid 0x1044 mtu 1438 advmss 1460 hoplimit 64

And now here are my questions:

1. Why does the central Checkpoint GW compute a new MTU of 1438 when sending packets to the remote GW? (There is a dynamic decrease of 62 bytes from the static value defined on the interface eth0.)

2. If those 62 bytes represent the IPSEC header, please also help me figure out the breakdown structure of the IPSEC overhead used by Checkpoint, considering the R80.10 version that is used.

Please consider the model offered by another vendor as an example.
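One way to check the arithmetic behind the 62 bytes, as an added Python example that is not part of the original post and is not Check Point's own code: it applies the RFC 4303 ESP tunnel-mode layout, assuming AES-128-CBC (16-byte IV), HMAC-SHA-256 truncated to a 16-byte ICV, an IPv4 outer header and no NAT-T UDP encapsulation; whether R80.10 uses exactly this layout is an assumption, not something the post confirms.

```python
# Added example: ESP tunnel-mode size arithmetic following RFC 4303.
# Assumed parameters (not confirmed by the post or by Check Point docs):
# AES-128-CBC with a 16-byte IV, HMAC-SHA-256-128 (16-byte ICV), IPv4 outer
# header, no NAT-T UDP encapsulation.

OUTER_IP_HDR = 20        # new IPv4 header added in tunnel mode
SPI_SEQ = 8              # ESP header: SPI (4 bytes) + sequence number (4 bytes)
PAD_LEN_NEXT_HDR = 2     # ESP trailer: pad length (1 byte) + next header (1 byte)


def esp_breakdown(inner_len, iv_len=16, icv_len=16, block=16):
    """Per-field overhead added when an inner IP packet of inner_len bytes
    is encapsulated in ESP tunnel mode. Padding brings (payload + trailer)
    up to a multiple of the cipher block size."""
    pad = (-(inner_len + PAD_LEN_NEXT_HDR)) % block
    return {
        "outer_ip": OUTER_IP_HDR,
        "spi_seq": SPI_SEQ,
        "iv": iv_len,
        "padding": pad,
        "pad_len_next_hdr": PAD_LEN_NEXT_HDR,
        "icv": icv_len,
    }


def esp_overhead(inner_len, **kw):
    """Total bytes added by ESP tunnel-mode encapsulation."""
    return sum(esp_breakdown(inner_len, **kw).values())


def esp_tunnel_size(inner_len, **kw):
    """Length of the outer IPv4 packet on the wire."""
    return inner_len + esp_overhead(inner_len, **kw)


def max_inner_mtu(outer_mtu, **kw):
    """Largest inner packet whose ESP encapsulation still fits in outer_mtu.
    This is the value a gateway would advertise as the tunnel's path MTU."""
    size = outer_mtu
    while esp_tunnel_size(size, **kw) > outer_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    # Inner packet 1438 (the value seen in the post) fits a 1500-byte outer MTU.
    print(esp_breakdown(1438), esp_tunnel_size(1438))   # overhead fields, 1500
    print(esp_breakdown(1439), esp_tunnel_size(1439))   # 15 bytes padding, 1516
    print(max_inner_mtu(1500))                          # 1438
```

Under these assumptions an inner packet of 1438 bytes encapsulates to exactly 1500 bytes with zero cipher padding, while 1439 bytes needs 15 bytes of padding and grows to 1516, which is why the cached route MTU drops to 1438.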
