Windows IKEv2 MTU


Problem:

How to set MTU on Windows Servers.  Windows Server 2012 VPN fragments packets after it applies encryption!  This issue causes latency and causes the VPN to disconnect clients -no good!

Background:

The default packet size is 1500.  Now consider how IPsec encryption adds a number of bytes to the original packet.  This process leads to post-fragmentation conditions.  In other words, packets are fragmented after encryption.  This condition degrades or disrupts VPN performance. 

Solution:

Adjust maximum segment size (MSS) on the outside interface so packet size is less that the default 1500 MTU.

Packet fragmenting occurs when a packet is larger than its default MTU.  TCP fragments the original data and sends it avoid encrypted packet.  According to Cisco, ESP overhead adds a maximum of 73 Bytes to each packet.  Therefore, we can adjust the MSS to a conservative 1400.

PowerShell:


Step 1:  Identify external interface.


PS C:\Users\thedude> netsh int ipv4 sh int

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 29          30     Default  connected     RAS (Dial In) Interface
 12           5        1500  connected     Inside
 14           5        1500  connected     Outside

Step 2.  Modify external interface MSS.

PS C:\Users\thedude> netsh int ipv4 set subint "Outside" mtu=1350 store=persistent


Step 3.  Confirm MSS:
PS C:\Users\thedude> netsh int ipv4 sh int

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 29          30     Default  connected     RAS (Dial In) Interface
 12           5        1500  connected     Inside


 14           5        1400  connected     Outside

That's It!

References:



5 Comments

  1. Hi Steven, does this still apply to Server 2012R2 and 2016?

    ReplyDelete
  2. Finally found it! W10 1803 and W2016 onwards support IKE Fragmentation
    https://msdn.microsoft.com/en-us/library/cc233476.aspx

    ReplyDelete
  3. previous was slightly wrong, W10 and Windows 2016 with V1803

    ReplyDelete
  4. Most network devices follow the IEEE 802.3 Ethernet standard. The maximum 1500 byte payload is the same across all network platforms: Windows, Linux, Cisco, Juniper etc. Of course, there are exceptions (e.g., jumbo frames).

    Also note, you can run simple ping tests to determine whether fragmenting is a problem. For example:

    ping 192.168.1.1 -f -l 1472

    The -f switch sets the "don't fragment" flag. The -l switch sets the size of the ICMP payload. Test with IPs from your internal subnets. I recommend you test both sides of the VPN -both local and remote.

    Why 1472 & not 1500 bytes? It's because the ICMP header uses 8 bytes, and the IP header uses 20 bytes. 1500 -8 -20 = 1472! You should receive a reply from the local VPN gateway. However, the IP on the far end should generate an error, "Packet needs to be fragmented but DF set". This error occurs because of unaccounted overhead from the ESP (up-to an additional 73 bytes). This is the reason we need to adjust the MTU on our VPN server.

    When you receive a DF error run the test again with a smaller payload (e.g., ping 192.168.1.1 -f -l 1360). Keep testing until you find the sweet-spot and adjust your VPN servers accordingly.

    ReplyDelete

My Instagram