The default MTU is 1500 bytes; for some networking technologies, however, reducing the MTU and allowing fragmentation can help.
MTU parameters usually appear in association with a communications interface (NIC, serial port, etc.). To minimize post-fragmentation (fragmentation of the already-encrypted packet), set the MTU in the upstream data path so that most fragmentation occurs before encryption (prefragmentation).
The term MTU (Maximum Transmission Unit) refers to the size (in bytes) of the largest packet that a given layer of a communications protocol can pass onwards; put another way, it is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. In most cases, you will probably want to leave this parameter set to its default value. Where the tunnel rides on a TUN device, take the TUN device MTU to be n and derive the link MTU from it (default 1500).
You should set the maximum transfer size (MTU) in your IPsec configuration small enough that the total IP packet size, including the internal headers plus the CNA GRE tunnel header, never exceeds the IP protocol packet maximum of 1500 bytes. For example, if your IPsec system uses the Encapsulating Security Payload (ESP) protocol with the DES (Data Encryption Standard) or Triple-DES algorithm and the DF bit set, you should set the MTU to no more than 1414 bytes. This number is derived as follows: the IP packet must contain your IPsec GRE header (24 bytes), the IP tunnel header (20 bytes), the ESP header (8 bytes), the ESP payload initialization vector (8 bytes), and the ESP trailer (2 bytes). Subtracting these from 1500 leaves a data payload of 1438 bytes, but the CNA-configured GRE tunnel takes 24 of those bytes for its own header, leaving 1414 bytes for the MTU.
If your IPsec system uses ESP plus authentication with MD5 (Message Digest) or SHA-1 (Secure Hash Algorithm), reserve another 12 bytes for the authentication integrity check value. This, plus an adjustment to align on a multiple of 8 bytes, produces an MTU of 1422. To allow for the 24-byte CNA GRE header, the final MTU in your IPsec configuration should then be no greater than 1398. If you use ESP plus the IP Authentication Header (AH) protocol, the math works out to 1414 bytes minus the 24-byte CNA GRE header, for a final configured MTU of no more than 1390 bytes.
If you use a GRE tunnel to connect your IPsec source with your remote destination, setting the don't fragment (DF) bit in the IP datagram header is not enough to ensure transport of whole packets through the GRE tunnel required as part of the CNA VPN configuration. The DF bit becomes encapsulated inside your IPsec GRE tunnel's transport packet, and the GRE tunnel configured on the CNA system never sees it.
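The MTU budget worked through above, and the prefragmentation point made earlier, as an added example (not code from the original page or from any CNA product). It takes the header sizes the text gives (24-byte IPsec GRE header, 20-byte IP tunnel header, 8-byte ESP header, 8-byte IV, 2-byte ESP trailer, 12-byte ICV, 24-byte CNA GRE header) and generalizes them into a small calculator: it reports the largest inner packet that fits in 1500 bytes for each profile, rounds that down so the packet lands on the 8-byte DES/Triple-DES block boundary, and checks whether a given inner packet would be fragmented after encryption. The 24-byte AH size is an assumption (AH with a 96-bit ICV); with it the AH profile lands on the 1390 figure from the text, and the aligned ESP-with-authentication profile lands on 1398.

```python
# Added example (not from the original text): budget the inner MTU of an
# IPsec-over-GRE tunnel so that the encrypted, encapsulated packet never
# exceeds the 1500-byte link MTU. Header sizes are taken from the text
# above, except AH_HDR, which is an assumption (see its comment).
from dataclasses import dataclass

LINK_MTU = 1500

# Per-layer overheads in bytes.
IPSEC_GRE_HDR = 24   # IPsec GRE header
OUTER_IP_HDR = 20    # IP tunnel header (no options)
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 8           # DES / Triple-DES initialization vector
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # truncated HMAC-MD5 / HMAC-SHA-1 integrity check value
CNA_GRE_HDR = 24     # CNA-configured GRE tunnel header, added after IPsec
AH_HDR = 24          # ASSUMPTION: AH carrying a 96-bit ICV (12 + 12 bytes)
CIPHER_BLOCK = 8     # DES / Triple-DES block size, drives ESP padding


@dataclass(frozen=True)
class TunnelProfile:
    """Which optional IPsec services are enabled on the tunnel."""
    esp_auth: bool = False   # ESP with HMAC-MD5 / HMAC-SHA-1 (adds the ICV)
    ah: bool = False         # ESP plus the IP Authentication Header

    def fixed_overheads(self) -> list[tuple[str, int]]:
        """Every fixed-size header added around one inner packet."""
        layers = [
            ("IPsec GRE header", IPSEC_GRE_HDR),
            ("IP tunnel header", OUTER_IP_HDR),
            ("ESP header", ESP_HDR),
            ("ESP IV", ESP_IV),
            ("ESP trailer", ESP_TRAILER),
        ]
        if self.esp_auth:
            layers.append(("ESP ICV", ESP_ICV))
        if self.ah:
            layers.append(("AH header (assumed size)", AH_HDR))
        layers.append(("CNA GRE tunnel header", CNA_GRE_HDR))
        return layers


def esp_pad_bytes(plaintext_len: int, block: int = CIPHER_BLOCK) -> int:
    """Padding ESP inserts so plaintext + trailer ends on a cipher-block boundary."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def max_inner_mtu(profile: TunnelProfile, link_mtu: int = LINK_MTU) -> int:
    """Largest inner packet that fits in link_mtu once every header is added,
    ignoring cipher-block padding (the text's 1414 / 1390 style figures)."""
    return link_mtu - sum(size for _, size in profile.fixed_overheads())


def aligned_inner_mtu(profile: TunnelProfile, link_mtu: int = LINK_MTU,
                      block: int = CIPHER_BLOCK) -> int:
    """Round max_inner_mtu down so that an inner packet of exactly that size
    needs no ESP padding, i.e. (size + trailer) is a multiple of the block."""
    n = max_inner_mtu(profile, link_mtu)
    return n - (n + ESP_TRAILER) % block


def encapsulated_len(inner_len: int, profile: TunnelProfile,
                     block: int = CIPHER_BLOCK) -> int:
    """On-the-wire size of one inner packet after GRE + ESP (+ICV/AH) + CNA GRE."""
    fixed = sum(size for _, size in profile.fixed_overheads())
    return inner_len + fixed + esp_pad_bytes(inner_len, block)


def would_fragment(inner_len: int, profile: TunnelProfile,
                   link_mtu: int = LINK_MTU) -> bool:
    """True when the encapsulated packet exceeds the link MTU, i.e. the outer
    IP layer would have to fragment it after encryption (post-fragmentation)."""
    return encapsulated_len(inner_len, profile) > link_mtu


def report(profile: TunnelProfile) -> str:
    """Human-readable overhead table plus the two MTU figures for a profile."""
    lines = [f"{name:<28}{size:>5}" for name, size in profile.fixed_overheads()]
    lines.append(f"{'max inner MTU':<28}{max_inner_mtu(profile):>5}")
    lines.append(f"{'block-aligned inner MTU':<28}{aligned_inner_mtu(profile):>5}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, prof in [("ESP (DES/3DES)", TunnelProfile()),
                        ("ESP + HMAC ICV", TunnelProfile(esp_auth=True)),
                        ("ESP + AH", TunnelProfile(ah=True))]:
        print(f"== {label} ==")
        print(report(prof))
        mtu = aligned_inner_mtu(prof)
        print(f"{mtu} bytes fits: {not would_fragment(mtu, prof)}, "
              f"{mtu + 1} bytes fragments: {would_fragment(mtu + 1, prof)}\n")
```

The alignment step is the part worth noticing: for the authenticated profile the raw budget is 1402 bytes, but a 1402-byte inner packet picks up 4 bytes of ESP padding and ends up at 1504 bytes on the wire, so it is fragmented after encryption; rounding down to 1398 removes that padding and keeps the encrypted packet at or under 1500.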