4. IPsec advanced settings MSS clamping vs IPsec interface MSS clamping

IPsec advanced settings MSS clamping vs IPsec interface MSS clamping

  • G

    Hello!

    I have a multi-site setup and 2 sites are connected via an IPsec route-based tunnel over the internet (uses the VTI).
    Originally the tunnel used policy-based IPsec tunnel, but ever since I migrated to route-based, the overhead of IPsec is keeping large packets from traversing the tunnel.

    I have now found out all the involved overheads and limits and how to mitigate problems, that I were faced with and one of the solutions is to set MSS in TCP connection handshakes, which forces both ends to send smaller packets. According to pfSense 2.4.4 WebGUI I see 2 ways of doing this.
    One is by setting MSS clamping in IPsec tab Advanced settings and the other is directly on the IPsec interface below the MTU setting.

    I wanted to find out what is the difference between the 2? Which one should I use?

    P.S. I do know that MSS clamping does not affect UDP traffic and large UDP packets would still not be able to traverse the tunnel. I am planning to set MTU on the IPsec interface tab to fix all the problems in one go, which leads me to the next question: Would the MTU setting have any collisions with either of the 2 MSS settings? If not I could set the MTU to 1472 to mitigate UDP problems and set the MSS clamping to 1432 to mitigate TCP problems. I would prefer to set both of these on the interface tab and not use the IPsec configuration option.

    0
    K
     1 Reply
  • K

    @girtsd

    https://forum.netgate.com/topic/145512/ipsec-vti-bgp-mss-clamping-on-vpn-traffic/2

    0
  • G

    Hi @Konstanti
    The linked post only suggests doing it through the interface tab, but didn`t list any differences from the IPsec settings as far as I could see. I wanted to know the difference between the two since I already know the MSS and MTU values my setup requires.

    0
    K
     1 Reply
  • K

    @girtsd

    Hey
    By default, VTI interface has MTU = 1400 (MSS 1360)
    The scrub option in this case looks like this
    scrub on $OPT2 all fragment reassemble
    if you specify MSS ( for example , 1360) in the interface settings , the Scrub option will look like this
    scrub on $OPT1 all max-mss 1320 fragment reassemble

    The MSS clamping tab (IPSec settings) is used to set MSS when creating a classic IPSEC tunnel ( not VTI)
    For example ( MSS clamping = 1390)
    scrub from any to <vpn_networks> max-mss 1390
    scrub from <vpn_networks> to any max-mss 1390

    1
    G
     1 Reply
  • G

    @Konstanti
    Thank you!
    That clears it up!

    I will be using the settings on the IPsec interface tab.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy