Comments on Steven M. Jordan: Windows IKEv2 MTU
Author: Steven M. Jordan (http://www.blogger.com/profile/08808713004280066782)

Steven M. Jordan, 2018-08-16 17:47 (-05:00):

It may support it but we don't want it!

Steven M. Jordan, 2018-08-16 17:40 (-05:00):

Most network devices follow the IEEE 802.3 Ethernet standard. The maximum 1500 byte payload is the same across all network platforms: Windows, Linux, Cisco, Juniper, etc. Of course, there are exceptions (e.g., jumbo frames).

Also note, you can run simple ping tests to determine whether fragmenting is a problem. For example:

ping 192.168.1.1 -f -l 1472

The -f switch sets the "don't fragment" flag. The -l switch sets the size of the ICMP payload. Test with IPs from your internal subnets. I recommend you test both sides of the VPN, both local and remote.

Why 1472 and not 1500 bytes? It's because the ICMP header uses 8 bytes, and the IP header uses 20 bytes. 1500 - 8 - 20 = 1472! You should receive a reply from the local VPN gateway. However, the IP on the far end should generate an error, "Packet needs to be fragmented but DF set". This error occurs because of unaccounted overhead from the ESP (up to an additional 73 bytes). This is the reason we need to adjust the MTU on our VPN server.

When you receive a DF error, run the test again with a smaller payload (e.g., ping 192.168.1.1 -f -l 1360). Keep testing until you find the sweet spot and adjust your VPN servers accordingly.