IPsec advanced settings MSS clamping vs IPsec interface MSS clamping
I have a multi-site setup and 2 sites are connected via an IPsec route-based tunnel over the internet (uses the VTI).
Originally the tunnel used policy-based IPsec tunnel, but ever since I migrated to route-based, the overhead of IPsec is keeping large packets from traversing the tunnel.
I have now found out all the involved overheads and limits and how to mitigate the problems that I was faced with, and one of the solutions is to set MSS in TCP connection handshakes, which forces both ends to send smaller packets. According to the pfSense 2.4.4 WebGUI I see 2 ways of doing this.
One is by setting MSS clamping in IPsec tab Advanced settings and the other is directly on the IPsec interface below the MTU setting.
I wanted to find out what is the difference between the 2? Which one should I use?
P.S. I do know that MSS clamping does not affect UDP traffic and large UDP packets would still not be able to traverse the tunnel. I am planning to set MTU on the IPsec interface tab to fix all the problems in one go, which leads me to the next question: Would the MTU setting have any collisions with either of the 2 MSS settings? If not I could set the MTU to 1472 to mitigate UDP problems and set the MSS clamping to 1432 to mitigate TCP problems. I would prefer to set both of these on the interface tab and not use the IPsec configuration option.
The linked post only suggests doing it through the interface tab, but didn't list any differences from the IPsec settings as far as I could see. I wanted to know the difference between the two since I already know the MSS and MTU values my setup requires.
By default, the VTI interface has MTU = 1400 (MSS 1360).
The scrub option in this case looks like this:
scrub on $OPT2 all fragment reassemble
If you specify MSS (for example, 1360) in the interface settings, the scrub option will look like this:
scrub on $OPT1 all max-mss 1320 fragment reassemble
The MSS clamping tab (IPsec settings) is used to set MSS when creating a classic IPsec tunnel (not VTI).
For example (MSS clamping = 1390):
scrub from any to <vpn_networks> max-mss 1390
scrub from <vpn_networks> to any max-mss 1390
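As an added check that is not part of the thread or of pfSense itself: a small Python script that parses pf scrub rules like the ones quoted above (the sample lines are constructed from this answer), recovers the effective max-mss per interface, and flags a clamp that does not fit the interface MTU (for IPv4 TCP without options, MSS must be at most MTU - 40, which is how 1400 maps to 1360 and 1472 to 1432). Interface names and the MTU table passed in are assumptions for the example.

```python
import re

# Constructed sample of pf scrub rules in the form pfSense renders them for the
# two configuration paths discussed above (values taken from this thread).
SAMPLE_SCRUB_RULES = """\
scrub on $OPT2 all fragment reassemble
scrub on $OPT1 all max-mss 1320 fragment reassemble
scrub from any to <vpn_networks> max-mss 1390
scrub from <vpn_networks> to any max-mss 1390
"""

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def mss_for_mtu(mtu):
    """Largest TCP MSS that fits a given path MTU (IPv4, no options)."""
    return mtu - IPV4_TCP_HEADERS


def parse_scrub_rules(text):
    """Return (scope, max_mss or None) for each scrub line.

    Interface-bound rules carry 'on <if>'; the policy-based IPsec rules in
    the thread have no interface, so their scope is recorded as 'any'.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("scrub"):
            continue
        m_if = re.search(r"\bon\s+(\S+)", line)
        m_mss = re.search(r"\bmax-mss\s+(\d+)", line)
        scope = m_if.group(1) if m_if else "any"
        rules.append((scope, int(m_mss.group(1)) if m_mss else None))
    return rules


def check_clamp(rules, mtu_by_interface):
    """Flag interfaces with no clamp, or a clamp larger than the MTU allows."""
    findings = []
    for scope, mss in rules:
        mtu = mtu_by_interface.get(scope)  # assumed: MTU per interface name
        if mtu is None:
            continue
        limit = mss_for_mtu(mtu)
        if mss is None:
            findings.append((scope, "no max-mss: TCP relies on PMTUD/fragmentation"))
        elif mss > limit:
            findings.append((scope, f"max-mss {mss} exceeds MTU {mtu} - 40 = {limit}"))
    return findings
```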
That clears it up!
I will be using the settings on the IPsec interface tab.