Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ChoiYunSoo
Contributor
Jump to solution

I am curious about DPD and TCP Clamp settings when connecting to Check Point and AWS IPsec VPN

Hi

 

I recently made a VPN connection between Check Point and AWS.

The method was Static-Route, and fortunately the tunnel comes up normally and communication is normal.

 

All that remains are detailed settings for tunnel stability, but I have a question about the TCP MSS Clamp setting

The customer previously operated by connecting Cisco equipment and IPsec VPN on a domain basis, and recently connected AWS and VPN with Routed-Base.

In this situation, it is thought that setting the TCP MSS clamp will affect the existing VPN communication as well.

 

So, I am curious about how the above settings affect general traffic other than existing IPSec communication and VPN communication.

If anyone has tried the TCP MSS Clamp setting, please let me know if it has any effect on the service or what I am concerned about.

 

Refer to sk101219 for TCP MSS Clamp setting

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Yes, this impacts all VPNs.
The main thing it accomplishes is ensuring IPsec packets aren’t getting fragmented because an application communicating through it is trying to use packets larger than can be accommodated.
Unless an particular system or application is especially poorly behaved, enabling this session should not cause a negative impact.

View solution in original post

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

If you review sk101219 closely, you'll see there are separate clamping settings for VPN and non-VPN traffic.
Which means that these settings won't affect non-VPN traffic unless you configure it to do so.

The main reason for this feature is to solve the problem described here: https://support.checkpoint.com/results/sk/sk98074
I haven't heard of any issues caused by using this feature, except perhaps through misconfiguration (i.e. forcing a specific MSS value that is problematic). 

0 Kudos
ChoiYunSoo
Contributor

As you said, I'm trying to change only VPN-related settings.

However, I am concerned that there may be an impact on the existing IPSec VPN

0 Kudos
PhoneBoy
Admin
Admin

Yes, this impacts all VPNs.
The main thing it accomplishes is ensuring IPsec packets aren’t getting fragmented because an application communicating through it is trying to use packets larger than can be accommodated.
Unless an particular system or application is especially poorly behaved, enabling this session should not cause a negative impact.

0 Kudos
ChoiYunSoo
Contributor

Thank you for your reply, it helped me a lot

0 Kudos
Chris_Atkinson
Employee Employee
Employee

In general you should be able to determine this for yourself with ping tests and the df-bit set in regards to validating MTU / MSS settings etc.

From tests inside and outside the VPN you should be able to correlate accordingly.

Tools like psping should allow TCP based probes rather than just ICMP also.

 

CCSM R77/R80/ELITE
0 Kudos
ChoiYunSoo
Contributor

thank you for your reply

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events