Risks To Enabling MSS Clamping on IPSec?
Apologies if this is straightforward but I wanted to get some more details before making any changes and MSS Clamping is an area I'm not 100% confident in.
So, I don't have Maximum MSS enabled on my IPSec settings for a VPN that moves quite a lot of large frame traffic. I did some pcaps and I am seeing fragmentation on the WAN side, though performance is still fine so I may not even go down the "rabbit hole" of "fixing" this as I'm still seeing 100s of megabits per second of throughput.
Anyway, the packets are a bit too large to fit in a standard MTU length, so I was thinking maybe I'd see even more performance if I went ahead and set the Maximum MSS to be 1400 for IPSec.
Are there risks to enabling this? This setup has a lot of existing VPNs that I would hate to break even if only temporarily.
Additionally, I don't think I'm totally understanding the below:
- How does MSS Clamping really work in this situation? Do the clients on one end need to adjust their packet size, or not? I guess I'm just not sure how a router can set MSS clamping and not break everything internally.
- What about PMTUD? Isn't this supposed to handle fragmentation detection and MTU adjustments? Both ends of this VPN are pfSense.
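Added example (not from the post or from pfSense): it models why a 1460-byte MSS fragments on the WAN once ESP tunnel-mode overhead is added, derives the largest MSS that still fits a 1500-byte WAN MTU, and shows the actual clamping mechanism, which is the router rewriting the MSS option in each TCP SYN so the end hosts need no configuration change. The overhead figures are a constructed model (outer IPv4, NAT-T UDP, ESP with AES-128-CBC and a 16-byte truncated HMAC ICV); your tunnel's real overhead depends on the negotiated proposal.

```python
import struct

# Constructed ESP tunnel-mode overhead model (assumption: AES-128-CBC + 16-byte ICV).
OUTER_IP = 20        # outer IPv4 header added by tunnel mode
NAT_T_UDP = 8        # UDP 4500 header when NAT traversal is active
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # AES-CBC initialisation vector
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 16         # truncated integrity check value
AES_BLOCK = 16       # CBC pads the payload up to a multiple of the cipher block

def outer_packet_size(inner_len, nat_t=True):
    """Size on the WAN of the ESP packet carrying an inner IP packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = (body + AES_BLOCK - 1) // AES_BLOCK * AES_BLOCK
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + ESP_IV + padded + ESP_ICV

def fragments_on_wan(mss, wan_mtu=1500, nat_t=True):
    """True if a full-size segment at this MSS exceeds the WAN MTU after encapsulation."""
    inner = 20 + 20 + mss            # inner IPv4 header + TCP header (no options) + payload
    return outer_packet_size(inner, nat_t) > wan_mtu

def max_mss_for_mtu(wan_mtu=1500, nat_t=True):
    """Largest MSS whose full-size segments never need fragmenting on the WAN."""
    mss = wan_mtu - 40
    while mss > 0 and fragments_on_wan(mss, wan_mtu, nat_t):
        mss -= 1
    return mss

def clamp_mss_option(tcp_options, max_mss):
    """Rewrite the MSS option (kind 2, length 4) in a SYN's option bytes as a clamping
    router does; the router must also recompute the TCP checksum afterwards (not shown)."""
    out = bytearray(tcp_options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                # end-of-options list
            break
        if kind == 1:                # NOP padding
            i += 1
            continue
        length = out[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", out, i + 2)[0]
            if mss > max_mss:        # only ever lower the advertised value
                struct.pack_into("!H", out, i + 2, max_mss)
        i += length
    return bytes(out)
```

Under this model the pfSense default of 1400 still leaves a few bytes of fragmentation when NAT-T is in use, so checking the computed value against a pcap of your own tunnel is the safer way to pick the clamp. A clamped SYN never reaches the far host unmodified, which is why neither end's TCP stack needs to know about the change.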