Home/Support/Support Forum/MTU size IPsec
Welcome to Digi Forum, where you can ask questions and receive answers from other members of the community.

MTU size IPsec

0 votes
I have IPsec between digi transport wr21 and VC7400.

What MTU size should i put on my eth interfaces on both devices?
asked Mar 25, 2019 in Digi TransPort Cellular by iadamovic New to the Community (5 points)

Please log in or register to answer this question.

1 Answer

0 votes
It depends on many factors.
For instance the MTU size of your ISP MTU interface.
What protocols do you use: ESP, ESP+GRE, or you encapsulate all packets to UDP with NAT-T.
Below some calculation with different PDU.
You have to reduce the interface MTU for this amount to avoid the fragmentation:

For Ethernet MTU 1500 byte + ESP only :

Field Bytes
New IPv4 Header (Tunnel Mode) 20
SPI (ESP Header) 4
Sequence (ESP Header) 4
ESP-AES (IV) 16
Original Data Packet 1500
ESP Pad (ESP-AES) 2
Pad length (ESP Trailer) 1
Next Header (ESP Trailer) 1
Total IPSec Packet Size 1548

The same with GRE:
Field Bytes
New IPv4 Header (Tunnel Mode) 20
SPI (ESP Header) 4
Sequence (ESP Header) 4
ESP-AES (IV) 16
New IPv4 Header (GRE) 20
GRE Header 4
Original Data Packet 1500
ESP Pad (ESP-AES) 10
Pad length (ESP Trailer) 1
Next Header (ESP Trailer) 1
Total IPSec Packet Size 1580

With NAT-T encapsulation:

Field Bytes
New IPv4 Header (Tunnel Mode) 20
UDP Header (NAT-T) 8
SPI (ESP Header) 4
Sequence (ESP Header) 4
ESP-AES (IV) 16
Original Data Packet 1500
ESP Pad (ESP-AES) 2
Pad length (ESP Trailer) 1
Next Header (ESP Trailer) 1
Total IPSec Packet Size 1556
answered Mar 17 by nicolaus New to the Community (38 points)
...