Netgate Discussion Forum

    IPsec advanced settings MSS clamping vs IPsec interface MSS clamping
girtsd

      Hello!

I have a multi-site setup, and 2 sites are connected via an IPsec route-based tunnel over the internet (it uses a VTI).
Originally the tunnel was a policy-based IPsec tunnel, but ever since I migrated to route-based, the overhead of IPsec has been keeping large packets from traversing the tunnel.

I have now found out all the involved overheads and limits and how to mitigate the problems that I was faced with. One of the solutions is to set the MSS in TCP connection handshakes, which forces both ends to send smaller packets. According to the pfSense 2.4.4 WebGUI, I see 2 ways of doing this.
One is by setting MSS clamping in the IPsec tab under Advanced settings, and the other is directly on the IPsec interface, below the MTU setting.

I wanted to find out what the difference between the 2 is. Which one should I use?

P.S. I do know that MSS clamping does not affect UDP traffic and that large UDP packets would still not be able to traverse the tunnel. I am planning to set the MTU on the IPsec interface tab to fix all the problems in one go, which leads me to the next question: would the MTU setting have any collisions with either of the 2 MSS settings? If not, I could set the MTU to 1472 to mitigate the UDP problems and set the MSS clamping to 1432 to mitigate the TCP problems. I would prefer to set both of these on the interface tab and not use the IPsec configuration option.

Don't assume! VERIFY!

Konstanti @girtsd

        @girtsd

        https://forum.netgate.com/topic/145512/ipsec-vti-bgp-mss-clamping-on-vpn-traffic/2

girtsd

          Hi @Konstanti
The linked post only suggests doing it through the interface tab, but didn't list any differences from the IPsec settings as far as I could see. I wanted to know the difference between the two, since I already know the MSS and MTU values my setup requires.

Konstanti @girtsd

            @girtsd

Hey
By default, the VTI interface has MTU = 1400 (MSS 1360).
The scrub option in this case looks like this:
scrub on $OPT2 all fragment reassemble
If you specify an MSS (for example, 1360) in the interface settings, the scrub option will look like this:
scrub on $OPT1 all max-mss 1320 fragment reassemble

The MSS clamping tab (IPsec settings) is used to set the MSS when creating a classic IPsec tunnel (not VTI).
For example (MSS clamping = 1390):
scrub from any to <vpn_networks> max-mss 1390
scrub from <vpn_networks> to any max-mss 1390

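As an added check (not from the thread or from pfSense itself), the Python below parses scrub rules in the shape Konstanti quoted, models the "entered value minus 40" behaviour of the interface MSS field that the 1360 -> max-mss 1320 pair shows, and flags rules whose clamp still lets a TCP segment exceed a given MTU; the rule text is constructed for the example.

```python
import re

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20), no options

# Constructed sample in the shape quoted in the thread: $OPT2 is a VTI left at
# the default MTU 1400 (no max-mss written), $OPT1 is a VTI whose interface MSS
# field was set to 1360, and the two address-based rules come from the IPsec
# "MSS clamping" setting at 1390.
SAMPLE_RULES = """
scrub on $OPT2 all fragment reassemble
scrub on $OPT1 all max-mss 1320 fragment reassemble
scrub from any to <vpn_networks> max-mss 1390
scrub from <vpn_networks> to any max-mss 1390
"""

SCRUB_RE = re.compile(r'^scrub\s+(?:on\s+(?P<iface>\$?\w+)\s+)?(?P<body>.+)$')
MSS_RE = re.compile(r'\bmax-mss\s+(\d+)\b')


def parse_scrub(text):
    """Return [(scope, max_mss)] per rule. scope is the interface for
    'scrub on <if>' rules and 'policy' for address-based rules; max_mss is
    None when the rule carries no clamp at all."""
    rules = []
    for line in text.splitlines():
        m = SCRUB_RE.match(line.strip())
        if not m:
            continue
        mss = MSS_RE.search(m.group('body'))
        rules.append((m.group('iface') or 'policy',
                      int(mss.group(1)) if mss else None))
    return rules


def interface_field_to_max_mss(entered):
    """The interface MSS field is written out as (entered - 40), which is why
    1360 in the thread shows up as 'max-mss 1320'."""
    return entered - IP_TCP_HEADERS


def interface_field_for_target(target_max_mss):
    """Value to type into the interface MSS field to obtain a given max-mss."""
    return target_max_mss + IP_TCP_HEADERS


def check_clamps(text, mtu):
    """Rules whose clamp is missing or too large for `mtu`: a TCP segment of
    max-mss bytes plus 40 bytes of headers must not exceed the tunnel MTU."""
    return [(scope, mss) for scope, mss in parse_scrub(text)
            if mss is None or mss + IP_TCP_HEADERS > mtu]
```

With the values from the question, reaching max-mss 1432 through the interface tab means entering 1472 in the MSS field, i.e. the same number as the planned MTU.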
girtsd @Konstanti

              @Konstanti
              Thank you!
              That clears it up!

              I will be using the settings on the IPsec interface tab.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.