Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
vinceneil666
Advisor

VPN, Jumboframes on IPSEC

Hi,

For a backbone fully supporting jumboframes, have anyone any experience building a site2site vpn utilizing jumboframes ? I would assume it comes down to using VTI interfaces and just setting the MTU there... and ofcourse, onn all other interfaces to.

 

0 Kudos
9 Replies
the_rock
Champion
Champion

Thats a KEY thing here...MTU size.

0 Kudos
vinceneil666
Advisor

yeah ...I know... eh ? 

0 Kudos
the_rock
Champion
Champion

Put it this way...higher MTU will simply mean that every packet will carry much more data, BUT, there is way higher possibility that packets will be fragmented, so at the end of the day, its really a question speeds vs reliability/efficiency.

0 Kudos
vinceneil666
Advisor

I know these things 🙂 ... I was simply just wondering if anyone had any experience on setting this up on Check Point. But it will probably be okay just setting the right MTU on all involved interfaces.

 

 

0 Kudos
the_rock
Champion
Champion

Im glad you asked, because I have set it up and also helped customers do it and it does work. Is it recommended, thats whole another story... : - )

0 Kudos
Timothy_Hall
Champion
Champion

Assuming you have control of every MTU setting in the network path and can set them identically it should work fine.  However should any of these MTUs in the path revert to a default or get accidentally lowered you will be severely punished with terrible performance caused by roughly 50% packet loss due to the inability to fragment IPSec.  As a proactive step, I'd strongly advise making sure all the firewalls involved will accept an ICMP Destination Unreachable Code 4 (Frag needed) from any source which MIGHT allow you to escape this fate should it occur.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
RamGuy239
Advisor

@Timothy_Hall 

ICMP Destination Unreachable Code 4 (Frag needed). With Jumbo Frames / MTU 9216 in every direction, I suppose there should be an src: any, dst: any rule to allow for this? What services will cover Code 4? Do we have to use "dest-unreach"? It claims to be ICMP type 3 so I suppose it's the correct one? 

0 Kudos
Timothy_Hall
Champion
Champion

The existing dest-unreach ICMP service will work, or you could create a more specific one like this:

dufrag.png

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
RamGuy239
Advisor

@Timothy_Hall 

Wonderful!

0 Kudos