This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vinceneil666
Advisor
‎2022-01-14 04:57 AM

VPN, Jumboframes on IPSEC

Hi,

For a backbone fully supporting jumboframes, have anyone any experience building a site2site vpn utilizing jumboframes ? I would assume it comes down to using VTI interfaces and just setting the MTU there... and ofcourse, onn all other interfaces to.

 

0 Kudos
9 Replies
the_rock
MVP Platinum
MVP Platinum
‎2022-01-14 05:42 AM

Thats a KEY thing here...MTU size.

Best,
Andy
0 Kudos
vinceneil666
Advisor
‎2022-01-14 06:15 AM
In response to the_rock

yeah ...I know... eh ? 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-01-14 06:22 AM
In response to vinceneil666

Put it this way...higher MTU will simply mean that every packet will carry much more data, BUT, there is way higher possibility that packets will be fragmented, so at the end of the day, its really a question speeds vs reliability/efficiency.

Best,
Andy
0 Kudos
vinceneil666
Advisor
‎2022-01-14 06:41 AM
In response to the_rock

I know these things 🙂 ... I was simply just wondering if anyone had any experience on setting this up on Check Point. But it will probably be okay just setting the right MTU on all involved interfaces.

 

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-01-14 06:43 AM
In response to vinceneil666

Im glad you asked, because I have set it up and also helped customers do it and it does work. Is it recommended, thats whole another story... : - )

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-01-15 10:42 AM
In response to vinceneil666

Assuming you have control of every MTU setting in the network path and can set them identically it should work fine.  However should any of these MTUs in the path revert to a default or get accidentally lowered you will be severely punished with terrible performance caused by roughly 50% packet loss due to the inability to fragment IPSec.  As a proactive step, I'd strongly advise making sure all the firewalls involved will accept an ICMP Destination Unreachable Code 4 (Frag needed) from any source which MIGHT allow you to escape this fate should it occur.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
RamGuy239
MVP Silver
MVP Silver
‎2022-01-17 02:50 AM
In response to Timothy_Hall

@Timothy_Hall 

ICMP Destination Unreachable Code 4 (Frag needed). With Jumbo Frames / MTU 9216 in every direction, I suppose there should be an src: any, dst: any rule to allow for this? What services will cover Code 4? Do we have to use "dest-unreach"? It claims to be ICMP type 3 so I suppose it's the correct one? 

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-01-17 04:56 AM
In response to RamGuy239

The existing dest-unreach ICMP service will work, or you could create a more specific one like this:

dufrag.png

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
RamGuy239
MVP Silver
MVP Silver
‎2022-01-17 05:15 AM
In response to Timothy_Hall

@Timothy_Hall 

Wonderful!

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events