MTU, Another IPSEC question, Sorry.

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ed001, Oct 9, 2006.

  1. ed001

    ed001 Network Guru Member

    I was reading someone elses post regarding MTU and although it didn't relate directly to me it got me thinking.
    I have a couple of servers at one location and a couple of remote sites using IPSEC tunnels to the site where the servers are. As I understand it the MTU setting in the router should be set (dependant on the service type) to 1500 in order to work optimally with both the Cable and DSL providers. My question is should I reset my servers and clients (mostly MS boxes) to 1492 to limit traffic and packet loss? I guess the larger question is... are the routers breaking the packets sent from the client/server into two in order to apply the IPSEC overhead?
    Thanks in advance.
  2. pablito

    pablito Network Guru Member

    You shouldn't have to change MTU on the devices connected. The MTU you are changing is on the WAN side and your internal machines are on the LAN side, two different interfaces. LAN is almost always kept at 1500.
  3. Toxic

    Toxic Administrator Staff Member

    yes afaik they do allow for IPSec MTUs

    if you enable Telnet on the RV0xx series you'll see IPSec Interfaces on each WAN when using ifconfig command.

  4. ed001

    ed001 Network Guru Member

    still a little confused.

    Thank you for your responses but I still have some questions. Maybe I am just missing the mechanics of IPSEC:

    As your configuration post above shows the tunnels are setting the MTU to 1440 suggesting 60b needed for IPSEC which nets 1500 to match the cable/DSL (WAN) MTU. If I try to send a 1500b packet from my server to the router for encapsulation and transmission to the endpoint and client at another location won't the router have to fragment the packet into 2 in order to make it/them less than 1440 to be able to apply IPSEC encapsulation (which appears to be 60b) and meet the max 1500 that can traverse the internet via DSL/Cable?
    If so, given that fragmentation can cause packet loss and latency, won't I see some performance improvement when sending large packets across the tunnel by setting my client and server operating system's MTU to 1440? This way the router receives a packet equal to or less than 1440 and won't have to fragment it in order to encapsulate and send the data.
  5. Toxic

    Toxic Administrator Staff Member

    if you set the client and server to 1440 then ALL traffic not bound by the tunnel will be affected as well however and 1500 maybe a better throughput for the other data.

    I doubt the performance gain would be that great tbh. however there is speed improvement in the type of encrytpion used.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice