In my opinion this is the least effective of the 3 approaches. The first one ip mtu 1400 will logically put the layer 3 mtu (not necessarily the physical MTU) at 1400. The 3 commands that you use reflect 3 different ways to try to control fragmentation. Your network will perform much better if the end stations will use a packet size that does not require fragmentation when the packet goes through the network. This is the opposite of what I would expect (and of what I have experienced in setting up IPSec with GRE in various networks). I am very surprised that you say that there were problems when the tunnel MTU was set to 1420 but it worked better when you set the MTU to 1500. Also consider that some applications send the TCP packet with the Do Not Fragment bit set so that the router can not fragment the packet but the packet is too large to go accross the link. So if the end station sends a large packet (say for example 1500 which is the max size for Ethernet) and you add the header information for GRE and the header information for IPSec, there is now a packet much larger than 1500 and it must be fragmented by routers along the path. The end station sends a data packet, the GRE adds additional header information (as it encapsulates the original data packet into the GRE packet) and IPSec adds additional header information.
To answer your question about what causes fragments: Consider what happens when you run IPSec with GRE.
0 kommentar(er)
