Windows IKEv2 MTU
Problem:
How to set the MTU on Windows Servers. Windows Server 2012 VPN fragments packets after it applies encryption! This causes latency and makes the VPN disconnect clients - no good!
Background:
The default packet size is 1500 bytes. Now consider how IPsec encryption adds a number of bytes to the original packet. This leads to post-fragmentation conditions; in other words, packets are fragmented after encryption. This condition degrades or disrupts VPN performance.
Solution:
Adjust the maximum segment size (MSS) on the outside interface so the packet size is less than the default 1500 MTU.
Packet fragmenting occurs when a packet is larger than the interface MTU. Lowering the MSS makes TCP split the original data into smaller segments before they are encrypted, so the encrypted packet does not have to be fragmented. According to Cisco, ESP overhead adds a maximum of 73 bytes to each packet. Therefore, we can adjust the MSS to a conservative 1400.
PowerShell:
Step 1: Identify the external interface.
PS C:\Users\thedude> netsh int ipv4 sh int

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 29          30     Default  connected     RAS (Dial In) Interface
 12           5        1500  connected     Inside
 14           5        1500  connected     Outside
Step 2. Lower the external interface MTU (netsh sets the interface MTU, which in turn caps the TCP MSS Windows advertises).
PS C:\Users\thedude> netsh int ipv4 set subint "Outside" mtu=1400 store=persistent
Step 3. Confirm the new MTU:
PS C:\Users\thedude> netsh int ipv4 sh int

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 29          30     Default  connected     RAS (Dial In) Interface
 12           5        1500  connected     Inside
 14           5        1400  connected     Outside
That's It!
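The same three steps as a script, added here as an example and not part of the original post: it derives the 1400-byte MTU from the 73-byte ESP overhead quoted above, applies it with the NetTCPIP cmdlets that ship with Windows Server 2012 and later (equivalent to the netsh command in Step 2), and proves the limit is enforced with a don't-fragment ping. The interface alias "Outside" and the probe host are assumptions.

```powershell
# Added example, not from the original post: derive a safe IPv4 MTU for the
# VPN-facing interface from the ESP overhead the post quotes, apply it with the
# NetTCPIP cmdlets (Windows Server 2012 and later), and confirm with a
# don't-fragment ping. The alias 'Outside' and the probe host are assumptions.
param(
    [string]$InterfaceAlias = 'Outside',                   # assumed alias of the external NIC
    [int]   $LinkMtu        = 1500,                        # default Ethernet MTU
    [int]   $EspOverhead    = 73,                          # max ESP overhead per packet (Cisco figure from the post)
    [string]$ProbeHost      = 'vpn-peer.example.invalid'   # placeholder host reached via the Outside interface
)

# Subtract the overhead and round down to a 100-byte boundary: 1500 - 73 = 1427,
# which becomes the "conservative 1400" the post settles on.
function Get-SafeMtu([int]$Link, [int]$Overhead) {
    [int]([math]::Floor(($Link - $Overhead) / 100) * 100)
}

# The TCP MSS Windows advertises follows from the interface MTU:
# MTU minus 20 bytes of IPv4 header and 20 bytes of TCP header.
function Get-MssFromMtu([int]$Mtu) { $Mtu - 40 }

# Don't-fragment probe: a payload of MTU - 28 (20 IPv4 + 8 ICMP) should get a reply,
# while one byte more must be refused locally with "needs to be fragmented but DF set".
function Test-DfPing([string]$Target, [int]$Mtu) {
    $payload = $Mtu - 28
    $fits    = [bool](ping.exe -n 1 -f -l $payload $Target | Select-String 'TTL=')
    $refused = [bool](ping.exe -n 1 -f -l ($payload + 1) $Target | Select-String 'fragmented')
    [pscustomobject]@{ Mtu = $Mtu; PayloadFits = $fits; OversizeRefused = $refused }
}

$target = Get-SafeMtu -Link $LinkMtu -Overhead $EspOverhead
$before = (Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).NlMtu
Write-Host ("{0}: MTU {1} -> {2}, advertised MSS {3}" -f $InterfaceAlias, $before, $target, (Get-MssFromMtu $target))

# Equivalent of 'netsh int ipv4 set subint "Outside" mtu=1400 store=persistent';
# Set-NetIPInterface writes both the active and the persistent store by default.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -NlMtuBytes $target

# Read back what 'netsh int ipv4 sh int' would show, then prove the new limit is enforced.
Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, NlMtu, ConnectionState
Test-DfPing -Target $ProbeHost -Mtu $target
```

Run it from an elevated PowerShell prompt; if OversizeRefused comes back false, the active store still carries the old MTU and a reboot or re-run is needed before clients benefit.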