MTU + IPSec VPN

I have been testing my optimal MTU size because of some strange issues I have been having.

It would seem that the best size is 1472; that is the highest number at which it does not need to fragment the packets.

I believe that IP/ICMP needs another 28 bytes added on, thereby making my MTU 1500 which is the default on the firewall

Do I need to manually bring my MTU down because of the extra IPSEC info in the packets?

I might be talking total garbage here though!
 
It's been a while since I looked into this :/ but finding out a good MTU size on your own was a pain in the backside when someone showed me!

Best bet is to enquire with your ISP what MTU they recommend and go from there :/
 
A standard ping from point A to B using a packet size of anything less than 1500 is very strange; yes, different ISPs set up different protocols on their network. They may vary the way the packet is shaped, but if you come across an open node unable to accept a packet of 1500 that isn't under capacity stress, I would be very surprised.

If you are using an IPSec firewall or point-to-point VPN from one office to another, yes, I definitely would recommend bringing your MTU down to 1472. That's because the security bits being added to the packet's header need to be under 1500, so basically your raw data (1472) + security (28) = 1500, as you have already stated.

There is no reason to drop your packet size any further, to be honest. If there is, I would talk to your ISP or ask someone else on the same ISP to run some tests.

The only place you need to set your MTU is on the node that is connected to your ISP. It will take care of the rest for you, i.e. take your firewall, set the MTU to 1472, and then any security packets or anything that is added onto it will be sorted.
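As an added worked example (my own script, not code from anyone in this thread), here is the arithmetic behind the ping test and the IPsec question. The 28 bytes that turn a 1472-byte ping payload into a 1500-byte packet are the IPv4 header (20) plus the ICMP header (8); they are what ping itself adds, not the IPsec overhead. An ESP tunnel-mode packet carries a different set of additions on top of the original inner packet: a new outer IPv4 header, the ESP SPI and sequence number, the cipher IV, padding up to the cipher's alignment, the two-byte ESP trailer, the ICV, and optionally a UDP header for NAT traversal. The IV/alignment/ICV values in the table are the standard sizes for those RFC 4303 and RFC 4106 transforms; the cipher names in the dictionary keys are my own labels. The script derives the largest inner packet that still fits in a given outer path MTU and the TCP MSS you would clamp to, so the path MTU found with ping can be turned into a tunnel-side setting.

```python
"""MTU / IPsec ESP overhead calculator (added example, not from the thread).

Sizes are bytes. IPv4 only; the ESP field sizes follow RFC 4303 (ESP) and
RFC 4106 (AES-GCM in ESP).
"""

IPV4_HDR = 20      # IPv4 header without options
ICMP_HDR = 8       # ICMP echo header
UDP_HDR = 8        # UDP header, used for NAT-T encapsulation (UDP/4500)
TCP_HDR = 20       # TCP header without options
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# cipher label (my own naming) -> (IV length, alignment of the encrypted
# body, ICV length). ESP requires the encrypted body to be 4-byte aligned;
# CBC additionally requires alignment to the 16-byte AES block.
CIPHERS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha2-256-128": (16, 16, 16),
    "aes-gcm-128": (8, 4, 16),
}


def ping_packet_size(payload):
    """Size on the wire of an IPv4 ICMP echo with this much payload."""
    return payload + ICMP_HDR + IPV4_HDR


def max_ping_payload(mtu):
    """Largest ping payload that fits in one packet of the given MTU."""
    return mtu - ICMP_HDR - IPV4_HDR


def esp_tunnel_size(inner_len, cipher, nat_t=False):
    """Outer packet size after wrapping an inner IP packet in ESP tunnel mode."""
    iv, align, icv = CIPHERS[cipher]
    body = inner_len + ESP_TRAILER          # inner packet + pad length + next header
    pad = (-body) % align                   # padding to reach cipher/ESP alignment
    encrypted = body + pad
    outer = IPV4_HDR + ESP_SPI_SEQ + iv + encrypted + icv
    if nat_t:
        outer += UDP_HDR
    return outer


def max_inner_packet(outer_mtu, cipher, nat_t=False):
    """Largest inner IP packet whose ESP tunnel encapsulation fits in outer_mtu."""
    iv, align, icv = CIPHERS[cipher]
    fixed = IPV4_HDR + ESP_SPI_SEQ + iv + icv + (UDP_HDR if nat_t else 0)
    budget = outer_mtu - fixed
    encrypted = budget - (budget % align)   # round down to the alignment boundary
    return encrypted - ESP_TRAILER


def tcp_mss_clamp(inner_mtu):
    """TCP MSS to advertise/clamp so segments fit the inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def plan(largest_unfragmented_ping_payload, cipher, nat_t=False):
    """From the ping result (largest payload that passes with DF set) to a tunnel plan."""
    path_mtu = ping_packet_size(largest_unfragmented_ping_payload)
    inner = max_inner_packet(path_mtu, cipher, nat_t)
    return {
        "path_mtu": path_mtu,
        "inner_mtu": inner,
        "tcp_mss": tcp_mss_clamp(inner),
        "outer_size_at_inner_mtu": esp_tunnel_size(inner, cipher, nat_t),
    }


if __name__ == "__main__":
    # 1472 is the value from the thread: largest payload that passed without fragmenting.
    for name in CIPHERS:
        for nat in (False, True):
            p = plan(1472, name, nat)
            print(f"{name:28s} NAT-T={nat!s:5s} path MTU {p['path_mtu']}  "
                  f"inner MTU {p['inner_mtu']}  MSS {p['tcp_mss']}")
```

The ping probe should be run with the don't-fragment bit set (on Linux, `ping -M do -s <payload>`; on Windows, `ping -f -l <payload>`), otherwise the reply says nothing about fragmentation. The inner MTU matters on the tunnel interface and the MSS clamp on the firewall; the physical interface towards the ISP keeps the path MTU the ping found.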
 