This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ChoiYunSoo
Contributor
‎2023-03-23 07:43 PM
Jump to solution

I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

Hi

 

I recently made a VPN connection between Check Point and AWS.

The method was Static-Route, and fortunately the tunnel comes up normally and communication is normal.

 

All that remains are detailed settings for tunnel stability, but I have a question about the TCP MSS Clamp setting

The customer previously operated by connecting Cisco equipment and IPsec VPN on a domain basis, and recently connected AWS and VPN with Routed-Base.

In this situation, it is thought that setting the TCP MSS clamp will affect the existing VPN communication as well.

 

So, I am curious about how the above settings affect general traffic other than existing IPSec communication and VPN communication.

If anyone has tried the TCP MSS Clamp setting, please let me know if it has any effect on the service or what I am concerned about.

 

Refer to sk101219 for TCP MSS Clamp setting

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-03-28 02:32 PM
In response to ChoiYunSoo
Jump to solution

Yes, this impacts all VPNs.
The main thing it accomplishes is ensuring IPsec packets aren’t getting fragmented because an application communicating through it is trying to use packets larger than can be accommodated.
Unless an particular system or application is especially poorly behaved, enabling this session should not cause a negative impact.

View solution in original post

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2023-03-23 08:14 PM
Jump to solution

If you review sk101219 closely, you'll see there are separate clamping settings for VPN and non-VPN traffic.
Which means that these settings won't affect non-VPN traffic unless you configure it to do so.

The main reason for this feature is to solve the problem described here: https://support.checkpoint.com/results/sk/sk98074
I haven't heard of any issues caused by using this feature, except perhaps through misconfiguration (i.e. forcing a specific MSS value that is problematic). 

0 Kudos
ChoiYunSoo
Contributor
‎2023-03-28 02:41 AM
In response to PhoneBoy
Jump to solution

As you said, I'm trying to change only VPN-related settings.

However, I am concerned that there may be an impact on the existing IPSec VPN

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-28 02:32 PM
In response to ChoiYunSoo
Jump to solution

Yes, this impacts all VPNs.
The main thing it accomplishes is ensuring IPsec packets aren’t getting fragmented because an application communicating through it is trying to use packets larger than can be accommodated.
Unless an particular system or application is especially poorly behaved, enabling this session should not cause a negative impact.

0 Kudos
ChoiYunSoo
Contributor
‎2023-04-02 10:03 PM
In response to PhoneBoy
Jump to solution

Thank you for your reply, it helped me a lot

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-03-23 11:47 PM
Jump to solution

In general you should be able to determine this for yourself with ping tests and the df-bit set in regards to validating MTU / MSS settings etc.

From tests inside and outside the VPN you should be able to correlate accordingly.

Tools like psping should allow TCP based probes rather than just ICMP also.

 

CCSM R77/R80/ELITE
0 Kudos
ChoiYunSoo
Contributor
‎2023-04-02 10:03 PM
In response to Chris_Atkinson
Jump to solution

thank you for your reply

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events