IPsec advanced settings MSS clamping vs IPsec interface MSS clamping

  • Hello!

    I have a multi-site setup and 2 sites are connected via an IPsec route-based tunnel over the internet (uses the VTI).
    Originally the tunnel used a policy-based IPsec tunnel, but ever since I migrated to route-based, the overhead of IPsec is keeping large packets from traversing the tunnel.

    I have now found out all the involved overheads and limits and how to mitigate the problems that I was faced with, and one of the solutions is to set MSS in TCP connection handshakes, which forces both ends to send smaller packets. According to the pfSense 2.4.4 WebGUI, I see 2 ways of doing this.
    One is by setting MSS clamping in the IPsec tab's Advanced settings and the other is directly on the IPsec interface below the MTU setting.

    I wanted to find out what is the difference between the 2? Which one should I use?

    P.S. I do know that MSS clamping does not affect UDP traffic and large UDP packets would still not be able to traverse the tunnel. I am planning to set MTU on the IPsec interface tab to fix all the problems in one go, which leads me to the next question: Would the MTU setting have any collisions with either of the 2 MSS settings? If not I could set the MTU to 1472 to mitigate UDP problems and set the MSS clamping to 1432 to mitigate TCP problems. I would prefer to set both of these on the interface tab and not use the IPsec configuration option.

  • Hi @Konstanti
    The linked post only suggests doing it through the interface tab, but didn't list any differences from the IPsec settings as far as I could see. I wanted to know the difference between the two since I already know the MSS and MTU values my setup requires.

  • @girtsd

    By default, the VTI interface has MTU = 1400 (MSS 1360).
    The scrub option in this case looks like this:
    scrub on $OPT2 all fragment reassemble
    If you specify MSS (for example, 1360) in the interface settings, the scrub option will look like this:
    scrub on $OPT1 all max-mss 1320 fragment reassemble

    The MSS clamping tab (IPsec settings) is used to set MSS when creating a classic IPsec tunnel (not VTI).
    For example (MSS clamping = 1390):
    scrub from any to <vpn_networks> max-mss 1390
    scrub from <vpn_networks> to any max-mss 1390
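
The arithmetic in the answer above, as an added example that is not part of the original thread or pfSense's own code: it converts a value typed into the interface MSS field into the resulting `max-mss` and checks interface scrub rules against an MTU. The 40-byte offset is inferred from the thread's figures (MTU 1400 gives MSS 1360, field value 1360 gives `max-mss 1320`) and assumes IPv4 without TCP options; the function names, MTU map and sample rules are constructed.

```python
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header (assumption: no options)

# Constructed sample, modelled on the scrub lines quoted in the thread.
SAMPLE_RULES = """\
scrub on $OPT2 all fragment reassemble
scrub on $OPT1 all max-mss 1320 fragment reassemble
scrub from any to <vpn_networks> max-mss 1390
scrub from <vpn_networks> to any max-mss 1390
"""

def interface_field_to_max_mss(field_value):
    """max-mss the thread shows for a value entered in the interface MSS field."""
    return field_value - IPV4_TCP_HEADERS

def parse_scrub(line):
    """Return interface (None for table-based rules) and max-mss (None if absent)."""
    tokens = line.split()
    if not tokens or tokens[0] != "scrub":
        return None
    mss = None
    if "max-mss" in tokens[:-1]:
        mss = int(tokens[tokens.index("max-mss") + 1])
    iface = tokens[2] if len(tokens) > 2 and tokens[1] == "on" else None
    return {"interface": iface, "max_mss": mss}

def audit(rules_text, mtu_by_interface):
    """Report interface rules with no clamp, or a clamp above MTU - 40."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_scrub(line)
        if rule is None or rule["interface"] not in mtu_by_interface:
            continue
        limit = mtu_by_interface[rule["interface"]] - IPV4_TCP_HEADERS
        if rule["max_mss"] is None:
            findings.append((rule["interface"], "no max-mss clamp", limit))
        elif rule["max_mss"] > limit:
            findings.append((rule["interface"], "max-mss too large for MTU", limit))
    return findings

if __name__ == "__main__":
    # The asker's plan: MTU 1472 with 1432 typed into the interface MSS field.
    print(interface_field_to_max_mss(1432))
    print(audit(SAMPLE_RULES, {"$OPT1": 1400, "$OPT2": 1400}))
```
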

  • @Konstanti
    Thank you!
    That clears it up!

    I will be using the settings on the IPsec interface tab.
