I run a large global crypto WAN based on Cisco's IPsec implementation. We've found they do some strange things with MTUs on the tunnel interfaces. The reason this happens is so the packet can contain GRE or other encapsulation and encryption information without exceeding the 1500 MTU you desire. Typically, the packets travel with a 1500 MTU over the IP networks. If the crypto/tunnel device needs to fragment a packet to fit in the frame given the header info, it will do this.

As a side note, it seems useful to make sure your border systems are setting the 1500 MTU. This may be a good practice for other reasons, but it seems to cut down on confusion when troubleshooting tunnels. Other things to look out for are misconfigured MPLS tunnels in your path.

craig
Network Engineer
Yahoo! Inc.
(408)731-3572
Y!Messenger: cholland
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Mikael Abrahamsson
Sent: Thursday, January 11, 2001 9:44 AM
To: nanog@merit.edu
Subject: IPIP-tunnel with 1500 MTU

I would like to tunnel IP packets over an IP network, and this IP network has 1500 MTU (regular Ethernet MTU). In the Cisco tunnel (and most others) the tunnel MTU ends up being 1450-something bytes. This is not acceptable; I need something that is able to split the packet up into two packets so that the tunnel MTU will be 1500.

Does anyone know of a product that does this? I do not want any kind of Unix/PC solution; everything that consists of PC hardware or has a hard drive is by default ruled out.

-- 
Mikael Abrahamsson email: swmike@swm.pp.se
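
Added example, not part of the original thread or written by either poster: a short Python calculation of what the messages above describe, namely the tunnel MTU left after encapsulation on a 1500-byte path and the two outer packets produced when a full 1500-byte inner packet is encapsulated and then fragmented. It assumes IPv4 headers without options and a GRE header without optional fields; IPsec ESP overhead depends on the cipher and mode and is left out, and the function names are hypothetical.

```python
IPV4_HEADER = 20  # bytes, assumption: no IP options

# Bytes placed in front of the inner packet by each encapsulation.
# IPIP adds only an outer IPv4 header; GRE adds the outer IPv4 header
# plus a 4-byte base GRE header (assumption: no key/checksum/sequence).
OVERHEAD = {"ipip": IPV4_HEADER, "gre": IPV4_HEADER + 4}


def tunnel_mtu(path_mtu, encap):
    """Largest inner packet that fits in one outer packet."""
    return path_mtu - OVERHEAD[encap]


def fragment_outer(inner_len, path_mtu, encap):
    """Fragment the encapsulated packet to fit path_mtu.

    Returns a list of (offset, data_len, more_fragments, wire_len).
    The offset is in bytes of outer payload; every fragment except the
    last must carry a multiple of 8 data bytes, because the IPv4
    fragment offset field counts 8-byte units.
    """
    # Outer payload = everything after the outer IPv4 header.
    outer_payload = inner_len + OVERHEAD[encap] - IPV4_HEADER
    max_data = (path_mtu - IPV4_HEADER) // 8 * 8
    frags = []
    offset = 0
    while offset < outer_payload:
        data_len = min(max_data, outer_payload - offset)
        more = offset + data_len < outer_payload
        frags.append((offset, data_len, more, IPV4_HEADER + data_len))
        offset += data_len
    return frags


if __name__ == "__main__":
    for encap in ("ipip", "gre"):
        print(encap, "tunnel MTU on a 1500 path:", tunnel_mtu(1500, encap))
        for frag in fragment_outer(1500, 1500, encap):
            print("   offset=%d data=%d MF=%s wire_len=%d" % frag)
```

The second fragment of each pair is only 40 or 44 bytes on the wire, so a tunnel that presents a 1500 MTU sends two outer packets for every full-size inner packet, and the far end has to reassemble them before decapsulating.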