Hi,
I am wondering whether my IPSec is configured correctly and how to handle the MTU Size on different Layers (physical, IP, TCP, IPSec).
Maybe somebody can add some clarity:
Doing a ping <host> -f -l 1410 leaves my packets unfragmented from both sides of a VPN Tunnel. Bigger packets need to be fragmented.
When I ping 8.8.8.8 (google DNS) the biggest size that is unfragmented is 1472 (on the computers on both sides).
The MTU of the physical WAN interface of the firewall on the remote side (Sophos SG 135) is 1500. On the other side, a Fortigate 100D, the default MTU of the physical interface is 1500 (http://kb.fortinet.com/kb/documentLink.do?externalID=11745).
According to Wireshark (during a file transfer through the tunnel) the length of an IP packet in the tunnel is 1438 (1410 = 1438 - 28) and the payload of the TCP packet is 1398 bytes. There is also the don't-fragment bit set on the IP level.
Is this setup correct (which I assume) or what needs to be changed?
Best regards,
Bernd
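The numbers in the post can be checked arithmetically. The following is an added example (not the poster's code, and not from Sophos or Fortinet) that models ESP tunnel-mode encapsulation on a 1500-byte outer MTU and derives the largest inner IP packet, the matching ping -l value and the TCP MSS. The post does not state which IPsec transform is in use, so the transform table and the choice of AES-CBC with HMAC-SHA1-96 as the default are assumptions; the overhead constants are the standard ESP header/trailer/IV/ICV sizes, and NAT-T adds a UDP header.

```python
# Added example: ESP tunnel-mode overhead calculator.
# Transform parameters below are assumptions (standard RFC values), not taken from the post.

IP_HDR = 20        # outer and inner IPv4 header, no options
ICMP_HDR = 8       # ICMP echo header (ping)
TCP_HDR = 20       # TCP header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # NAT-T encapsulation (UDP/4500), only if NAT traversal is active

# name -> (iv_len, pad_alignment, icv_len); assumed values from RFC 4303 / 4106 / 2451 / 2404
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96":    (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128":             (8, 4, 16),
    "3des-cbc/hmac-sha1-96":   (8, 8, 12),
}

def esp_packet_size(inner_len, transform="aes-cbc/hmac-sha1-96", nat_t=False):
    """Outer IP packet length after encapsulating an inner IP packet of inner_len bytes."""
    iv, align, icv = TRANSFORMS[transform]
    # payload + trailer is padded up to the cipher block / alignment boundary
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    size = IP_HDR + ESP_HDR + iv + padded + icv
    if nat_t:
        size += UDP_HDR
    return size

def max_inner_packet(outer_mtu, transform="aes-cbc/hmac-sha1-96", nat_t=False):
    """Largest inner IP packet whose ESP encapsulation still fits the outer MTU (tunnel MTU)."""
    inner = outer_mtu
    while esp_packet_size(inner, transform, nat_t) > outer_mtu:
        inner -= 1
    return inner

def ping_payload(ip_mtu):
    """Largest 'ping -l' / 'ping -s' size that passes an IP MTU unfragmented."""
    return ip_mtu - IP_HDR - ICMP_HDR

def tcp_mss(ip_mtu):
    """TCP segment payload that fits an IP MTU without options."""
    return ip_mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    # Plain Internet path: 1500-byte MTU -> 1472-byte ping payload, as seen towards 8.8.8.8.
    print("ping payload on 1500 MTU:", ping_payload(1500))
    for name in TRANSFORMS:
        for nat in (False, True):
            mtu = max_inner_packet(1500, name, nat)
            print(f"{name:26s} NAT-T={nat!s:5s} tunnel MTU {mtu}  "
                  f"ping -l {ping_payload(mtu)}  MSS {tcp_mss(mtu)}")
```

With AES-CBC/HMAC-SHA1-96 and no NAT-T the calculator gives a tunnel MTU of 1438, a ping -l limit of 1410 and a TCP payload of 1398 bytes, which are exactly the values observed in the post; with NAT-T the same transform would only allow a 1422-byte inner packet. Running the loop shows how the figure shifts for other transforms, which is the number to compare against whatever the two firewalls actually negotiated.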