Hi Piotr

For GRE-based IPSec like DMVPN or GREoIPSec, I don't think there is a
concept of transport or tunnel mode. Irrespective of whether you configure
transport or not, the IP packet format is the same.

There are always three IP headers - ESP or AH IP header, GRE IP header and
Payload IP header.

Even when you configure tunnel mode, it has only the above three IP headers.

It is always tunnel mode, meaning the original IP header is wrapped in GRE
and then into ESP.



With regards
Kings

On Fri, May 21, 2010 at 7:20 PM, Piotr Matusiak <[email protected]> wrote:

> Kings,
>
> It depends on many things like:
> - what IPSec encryption you use
> - do you use ESP alone or ESP with AH
> - transport or tunnel mode
>
> For example in ESP-3DES/ESP-MD5 with transport mode it should look like:
>
> ESP - 36
> GRE - 24
> IP - 20
>
> Hence the router adds 80 bytes to the packet. If you use IP MTU 1400 you're
> safe.
> When you use Tunnel mode you're adding 20 bytes for new IP header.
>
>
>
> TCP MSS is for changing TCP header to instruct the server (or host,
> whatever) to decrease the payload size. We configure 1360 to accommodate
> larger TCP header (by default 20 bytes, but can be larger due to TCP options
> like MD5 hash or something).
>
> HTH,
> Piotr
>
>
>
> 2010/5/21 Kingsley Charles <[email protected]>
>
>> Hi all
>>
>> Usually we configure ip mtu 1400 for DMVPN tunnel interface and there is a
>> standard calculation for it. I did it a long time ago and am trying to see
>> if I have the right understanding now.
>>
>> Ethernet MTU - 1500
>>
>> IPSec IP header - 20 bytes
>> GRE IP header - 20 bytes
>> Payload IP header - 20 bytes
>> TCP header - 20 bytes
>>
>> Total of 80 bytes.
>>
>> 1500 - 80 = 1420
>>
>> Including others like ESP header & trailer, GRE header etc, we round it to
>> 1400.
>>
>> Hence, we add ip mtu of 1400 to DMVPN tunnel interface, to avoid
>> fragmentation in between.
>>
>> Correct me if I am wrong.
>>
>>
>>
>> TCP MSS
>>
>>
>> TCP MSS => IP MTU - TCP header size which is 1400 - 20 = 1380 bytes
>>
>> We usually configure "tcp adjust-mss 1360".
>>
>> Any idea why it is 1360 instead of 1380?
>>
>>
>>
>>
>>
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
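
Added example, not part of the thread and not written by either poster: a calculator for the on-wire size of a GRE-over-ESP packet and the largest inner packet that avoids fragmentation. It assumes the RFC 4303 ESP layout, IPv4 headers without options, no NAT-T, a 4-byte base GRE header, 3DES-CBC (8-byte block and IV), AES-CBC (16-byte block and IV) and a 12-byte truncated HMAC ICV; the function names and transform labels are hypothetical.

```python
"""GRE-over-ESP size calculator (added example; all names are hypothetical)."""

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2    # pad length (1) + next header (1)

# Assumed transform parameters: (cipher block size, IV length, truncated ICV length)
TRANSFORMS = {
    "3des-md5": (8, 8, 12),
    "aes128-sha1": (16, 16, 12),
}


def wire_size(inner_len, transform, mode, gre_hdr=4):
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    gre_hdr=4 is the base GRE header; pass 8 when a tunnel key is configured.
    """
    block, iv, icv = TRANSFORMS[transform]
    protected = gre_hdr + inner_len      # transport: ESP covers GRE header + inner packet
    if mode == "tunnel":
        protected += IP_HDR              # tunnel: the GRE delivery IP header is encrypted too
    elif mode != "transport":
        raise ValueError(f"unknown mode: {mode}")
    # Pad plaintext plus ESP trailer up to a whole number of cipher blocks.
    padded = -(-(protected + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv


def max_inner_mtu(link_mtu, transform, mode, gre_hdr=4):
    """Largest inner IP packet that still fits link_mtu after encapsulation."""
    n = link_mtu
    while n > 0 and wire_size(n, transform, mode, gre_hdr) > link_mtu:
        n -= 1
    return n


def tcp_mss(ip_mtu):
    """MSS counts TCP payload only, so both the IP and TCP headers come off."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, wire_size(1400, "3des-md5", mode),
              max_inner_mtu(1500, "3des-md5", mode))
    print("MSS for ip mtu 1400:", tcp_mss(1400))
```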