Hi guys,

Please assist me figuring out the following behaviour related with the MTU setup, used by Checkpoint.

Please find attached the general network diagram consisting of:

2x Checkpoint firewalls with 2 external interfaces, eth0 on the Hub, eth1 on the Remote

- eth0, has MTU 1500, and 10.0.0.1

- eth1 has MTU 1500 and 11.0.0.1

- IPSEC VPN is configured between 2 gateways, tunnel mode, AES-128 and SHA 256

Please also find the following information retrieved from the Central GW:

[Expert@central:0]# ip r get 11.0.0.1
11.0.0.1 via 10.0.0.2 dev bond2 src 10.0.0.1
cache ipid 0x1044 mtu 1500 advmss 1460 hoplimit 64

[Expert@central:0]# ping 11.0.0.1 -s 1410 -c 1
PING 11.0.0.1 (11.0.0.1) 1410(1438) bytes of data.
1418 bytes from 11.0.0.1: icmp_seq=1 ttl=64 time=37.8 ms

--- 11.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

[Expert@central:0]# ping 11.0.0.1 -s 1411 -c 1
PING 11.0.0.1 (11.0.0.1) 1411(1439) bytes of data.
From 11.0.0.1 icmp_seq=1 Frag needed and DF set (mtu = 1438)

--- 11.0.0.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

[Expert@central:0]# ip r get 11.0.0.1
11.0.0.1 via 10.0.0.2 dev bond2 src 10.0.0.1
cache expires 595sec ipid 0x1044 mtu 1438 advmss 1460 hoplimit 64

And now are my questions:

1. why central Checkpoint gw computes a new MTU of 1438 when considering sending packets to the remote gw 11.0.0.1? (There is a dynamic decrease of 62 bytes from the static value, defined on the interface eth0).

2. if those 62 bytes represent the IPSEC header, please help me figure out also what is the breakdown structure of IPSEC overhead used by Checkpoint, considering R80.10 version that is used.

Please consider the model offered by other vendor as an example.

https://cway.cisco.com/ipsec-overhead-calculator/

Regards,

Cristian