Specifications
UTT Technologies Chapter 12 VPN
http://www.uttglobal.com Page 226
and if one fragment is lost, the entire original encapsulated packet must be resent, and it
will also be fragmented.
Data fragmentation and reassembly can seriously degrade system performance, so
fragmentation and reassembly should be avoided in the IPSec switching path. To address
this, the UTT VPN gateway allows you to set the IPSec tunnel MTU to minimize
fragmentation. If an IP packet exceeds the specified MTU, it is fragmented by the
originating host before transmission, rather than by the gateway after encapsulation.
In the CLI, use the set ipsec config/xxx mtu command to set the IPSec tunnel MTU.
The Web UI does not support this function.
The following two examples show how to calculate the IPSec tunnel MTU in tunnel mode.
Figure 12-17 IPSec Packet Format – Static IP/DHCP Internet Connection illustrates the
format of an IPSec packet sent over a static IP or DHCP Internet connection, and
Figure 12-18 IPSec Packet Format – PPPoE Internet Connection illustrates the format of
an IPSec packet sent over a PPPoE Internet connection. The standard Ethernet MTU and
the size of each encapsulation header are as follows:
Ethernet MTU      1500 Bytes
IP Header         20 Bytes
AH Header         20 Bytes (at most)
ESP Header        40 Bytes (at most)
PPPoE Header      8 Bytes
Figure 12-17 IPSec Packet Format – Static IP/DHCP Internet Connection
Figure 12-18 IPSec Packet Format – PPPoE Internet Connection
Therefore, to avoid fragmentation in the IPSec switching path, the IPSec tunnel MTU
should be less than or equal to 1420 bytes (1500-20-20-40=1420) when the IPSec packets
are sent over a static IP or DHCP Internet connection (see Figure 12-17 IPSec Packet
Format – Static IP/DHCP Internet Connection), and less than or equal to 1412 bytes
(1420-8=1412) when the IPSec packets are sent over a PPPoE Internet connection (see
Figure 12-18 IPSec Packet Format – PPPoE Internet Connection).
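The calculation above carried out in code, as an added example that is not part of the UTT manual: it derives the tunnel MTU from the header sizes listed in the table for both connection types, and it also shows how many outer IP fragments a given original packet produces once the tunnel MTU is exceeded. The function names and the 8-byte fragment granularity check are my own; the header sizes are the chapter's.

```python
import math

# Header sizes as listed in the chapter (worst case for AH and ESP).
ETHERNET_MTU = 1500
OUTER_IP_HEADER = 20   # outer IP header that tunnel mode adds
AH_HEADER = 20         # at most
ESP_HEADER = 40        # at most (ESP header plus trailer/ICV)
PPPOE_HEADER = 8       # present only on a PPPoE Internet connection


def ipsec_overhead(ah=True, esp=True):
    """Bytes added around the original packet by tunnel-mode IPSec (PPPoE excluded)."""
    return OUTER_IP_HEADER + (AH_HEADER if ah else 0) + (ESP_HEADER if esp else 0)


def tunnel_mtu(link_mtu=ETHERNET_MTU, ah=True, esp=True, pppoe=False):
    """Largest original (inner) IP packet that still fits one Ethernet frame after
    encapsulation: the value to configure as the IPSec tunnel MTU so that hosts
    fragment before IPSec instead of the gateway fragmenting after it."""
    return link_mtu - ipsec_overhead(ah, esp) - (PPPOE_HEADER if pppoe else 0)


def outer_fragments(inner_len, link_mtu=ETHERNET_MTU, ah=True, esp=True, pppoe=False):
    """Number of IP fragments the encapsulated packet becomes on the Internet link.
    Every fragment repeats the outer IP header and carries a payload that is a
    multiple of 8 bytes, because IP fragment offsets are counted in 8-byte units."""
    outer_len = inner_len + ipsec_overhead(ah, esp)      # outer IP packet size
    room = link_mtu - (PPPOE_HEADER if pppoe else 0)      # space left for that packet
    if outer_len <= room:
        return 1                                          # fits: no fragmentation
    payload_per_fragment = ((room - OUTER_IP_HEADER) // 8) * 8
    return math.ceil((outer_len - OUTER_IP_HEADER) / payload_per_fragment)


if __name__ == "__main__":
    for name, pppoe in (("static IP / DHCP", False), ("PPPoE", True)):
        mtu = tunnel_mtu(pppoe=pppoe)
        print(f"{name}: tunnel MTU {mtu}; {mtu}-byte packet -> "
              f"{outer_fragments(mtu, pppoe=pppoe)} fragment(s), {mtu + 1}-byte packet -> "
              f"{outer_fragments(mtu + 1, pppoe=pppoe)} fragment(s)")
```

One byte over the tunnel MTU already doubles the number of frames on the link, which is the cost the chapter's MTU setting is meant to avoid.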