nanog mailing list archives

RE: IPIP-tunnel with 1500 MTU


From: "Craig Holland" <cholland () yahoo-inc com>
Date: Thu, 11 Jan 2001 11:35:58 -0800


I run a large global crypto WAN based on Cisco's IPSEC implementation.
We've found they do some strange things with MTUs on the tunnel interfaces.
The reason this happens is so the packet can contain GRE or other
encapsulation and encryption information without exceeding the 1500 MTU you
desire.  Typically, the packets travel with a 1500 MTU over the IP networks.
If the crypto/tunnel device needs to fragment a packet to fit in the frame
given the header info, it will do this.

As a side note... it seems useful to make sure your border systems are
setting the 1500 MTU.  This may be a good practice for other reasons, but it
seems to cut down on confusion when troubleshooting tunnels.  Other things
to look out for are misconfigured MPLS tunnels in your path.


craig

Network Engineer
Yahoo! Inc.
(408)731-3572
Y!Messenger: cholland

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
Mikael Abrahamsson
Sent: Thursday, January 11, 2001 9:44 AM
To: nanog () merit edu
Subject: IPIP-tunnel with 1500 MTU




I would like to tunnel IP packets over an IP network, and this IP network
has 1500 MTU (regular Ethernet MTU). In the Cisco tunnel (and most others)
the tunnel MTU ends up being 1450-something bytes. This is not acceptable,
I need something that is able to split the packet up into two packets so
that the tunnel MTU will be 1500.

Does anyone know of a product that does this? I do not want any kind of
Unix/PC solution, everything that consists of PC hardware or has a
hard drive is by default ruled out.

--
Mikael Abrahamsson    email: swmike () swm pp se





