Hi Kings,

I must disagree. You can configure Tunnel or Transport mode under the IPSec
transform set and use it for DMVPN or GREoIPSec deployments. Although there
is no difference in the outer IP header (the tunnel interface IP addresses are
there in both cases), the ESP packet is different in size due to the additional
inner IP header in Tunnel mode. This IP header is the same as the outer IP
header, thus there is not much value in such a deployment. That's why
Transport mode is recommended in DMVPN (and GRE) scenarios.

For example, when using Tunnel mode, the packet (a regular ping, for instance)
will look like:
ETHER=14
IP=20
ESP=36
GRE=24
IP=20
ICMP=8 + 72(payload)

TOTAL=194


In case of the same packet in Transport mode:
ETHER=14
IP=20
ESP=36
GRE=24
ICMP=8 + 72(payload)

TOTAL=174


HTH,
Piotr


2010/5/21 Kingsley Charles <[email protected]>

> Hi Piotr
>
> For GRE based IPSec like DMVPN or GREoIPSec, I don't think there is a
> concept of transport or tunnel mode. Irrespective of whether you configure
> transport or not, the IP packet format is the same.
>
> There are always three IP headers - ESP or AH IP header, GRE IP header and
> Payload IP header.
>
> Even when you configure tunnel mode, it has only the above three IP
> headers.
>
> It is always tunnel mode, meaning the original IP header is wrapped in GRE
> and then into ESP.
>
>
>
> With regards
> Kings
>
>
> On Fri, May 21, 2010 at 7:20 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Kings,
>>
>> It depends on many things like:
>> - what IPSec encryption you use
>> - do you use ESP alone or ESP with AH
>> - transport or tunnel mode
>>
>> For example in ESP-3DES/ESP-MD5 with transport mode it should look like:
>>
>> ESP - 36
>> GRE - 24
>> IP - 20
>>
>> Hence the router adds 80 bytes to the packet. If you use IP MTU 1400 you're
>> safe.
>> When you use Tunnel mode you're adding 20 bytes for a new IP header.
>>
>>
>>
>> TCP MSS is for changing the TCP header to instruct the server (or host,
>> whatever) to decrease the payload size. We configure 1360 to accommodate a
>> larger TCP header (by default 20 bytes, but it can be larger due to TCP options
>> like MD5 hash or something).
>>
>> HTH,
>> Piotr
>>
>>
>>
>> 2010/5/21 Kingsley Charles <[email protected]>
>>
>>>  Hi all
>>>
>>> Usually we configure ip mtu 1400 for the DMVPN tunnel interface and there is
>>> a standard calculation for it. I did it a long time ago and am trying to see if
>>> I have the right understanding now.
>>>
>>> Ethernet MTU - 1500
>>>
>>> IPSec IP header - 20 bytes
>>> GRE IP header - 20 bytes
>>> Payload IP header - 20 bytes
>>> TCP header - 20 bytes
>>>
>>> Total of 80 bytes.
>>>
>>> 1500 - 80 = 1420
>>>
>>> Including others like the ESP header & trailer, GRE header etc., we round it
>>> to 1400.
>>>
>>> Hence, we add an ip mtu of 1400 to the DMVPN tunnel interface to avoid
>>> fragmentation in between.
>>>
>>> Correct me, if I am wrong.
>>>
>>>
>>>
>>> TCP MSS
>>>
>>>
>>> TCP MSS => IP MTU - TCP header size which is 1400 - 20 = 1380 bytes
>>>
>>> We usually configure "tcp adjust-mss 1360".
>>>
>>> Any idea why it is 1360 instead of 1380?
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>>
>>
>
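The overhead arithmetic the thread goes back and forth on, as an added example that is not part of any message above: a small Python calculator that builds the layer stack for GRE over ESP in transport and in tunnel mode, computes the ESP padding from the cipher block size instead of assuming a flat 36 bytes, finds the largest tunnel "ip mtu" that still fits the underlying interface MTU, and derives the matching "tcp adjust-mss" by subtracting both the IP and the TCP header from that MTU. The header sizes come from the RFCs named in the docstring; the function names, the cipher and ICV tables, the 4-byte GRE header default and the sample transform sets are this example's own assumptions, not values taken from the thread.

```python
"""
Added example, not code from the mailing-list thread: on-the-wire size of a
packet carried over GRE-over-IPsec (DMVPN style) in ESP transport versus ESP
tunnel mode, with ESP padding computed, plus the largest tunnel ip mtu and the
matching tcp adjust-mss for a given interface MTU.

Header sizes: RFC 791 (IP), RFC 2784/2890 (GRE), RFC 4303 (ESP); cipher and
HMAC parameters from RFC 2451 / RFC 3602 / RFC 2403 / RFC 2404 / RFC 4868.
All function and parameter names are this example's own.
"""

ETH_HDR = 14
IP_HDR = 20
TCP_HDR = 20
ICMP_HDR = 8
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# cipher -> (block size the plaintext is padded to, IV length), bytes; assumed table
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# integrity algorithm -> truncated ICV length in bytes; assumed table
ICVS = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_overhead(plaintext_len, cipher="3des-cbc", integ="hmac-md5-96"):
    """Bytes ESP adds around plaintext_len bytes: header, IV, padding, trailer, ICV.

    The encrypted region (plaintext + padding + trailer) must be a multiple of
    the cipher block size, so the padding, and with it the total overhead,
    depends on the payload length rather than being a constant.
    """
    block, iv_len = CIPHERS[cipher]
    pad = (-(plaintext_len + ESP_TRAILER)) % block
    return ESP_HDR + iv_len + pad + ESP_TRAILER + ICVS[integ]


def gre_ipsec_frame(inner_len, mode, gre_hdr=4, cipher="3des-cbc", integ="hmac-md5-96"):
    """Layer-by-layer byte counts of the Ethernet frame carrying one original IP
    packet of inner_len bytes (header included) through GRE and then ESP.

    gre_hdr is 4 for plain GRE and 8 when a GRE tunnel key is configured.
    """
    if mode == "transport":
        # ESP wraps GRE + original packet; the GRE delivery IP header is reused
        # as the outer IP header (its protocol field becomes 50 / ESP).
        esp = esp_overhead(gre_hdr + inner_len, cipher, integ)
        return [("ETHER", ETH_HDR), ("IP (GRE delivery, reused as outer)", IP_HDR),
                ("ESP", esp), ("GRE", gre_hdr), ("inner IP packet", inner_len)]
    if mode == "tunnel":
        # ESP wraps the whole GRE packet: a new outer IP header is added and the
        # GRE delivery IP header travels inside the encrypted payload.
        esp = esp_overhead(IP_HDR + gre_hdr + inner_len, cipher, integ)
        return [("ETHER", ETH_HDR), ("IP (new outer)", IP_HDR), ("ESP", esp),
                ("IP (GRE delivery, encrypted)", IP_HDR), ("GRE", gre_hdr),
                ("inner IP packet", inner_len)]
    raise ValueError("mode must be 'transport' or 'tunnel'")


def frame_total(layers):
    """Total frame length in bytes for a layer list from gre_ipsec_frame()."""
    return sum(size for _, size in layers)


def max_tunnel_ip_mtu(interface_mtu=1500, mode="transport", gre_hdr=4,
                      cipher="3des-cbc", integ="hmac-md5-96"):
    """Largest inner IP packet (the tunnel ip mtu) whose encapsulated IP packet,
    Ethernet header excluded, still fits interface_mtu.  Walks down from the
    interface MTU because the ESP padding depends on the payload length."""
    for inner in range(interface_mtu, 0, -1):
        layers = gre_ipsec_frame(inner, mode, gre_hdr, cipher, integ)
        if frame_total(layers) - ETH_HDR <= interface_mtu:
            return inner
    raise ValueError("interface MTU too small for any payload")


def tcp_mss_for(tunnel_ip_mtu):
    """MSS to clamp to so a full-size segment (IP + TCP headers) fits the tunnel MTU."""
    return tunnel_ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    ping = IP_HDR + ICMP_HDR + 72   # 100-byte default IOS ping, as in the thread
    for mode in ("transport", "tunnel"):
        layers = gre_ipsec_frame(ping, mode)
        print(f"{mode}: " + ", ".join(f"{name}={size}" for name, size in layers),
              f"TOTAL={frame_total(layers)}")
        mtu = max_tunnel_ip_mtu(mode=mode)
        print(f"  max tunnel ip mtu on a 1500-byte link: {mtu}, tcp adjust-mss {tcp_mss_for(mtu)}")
    # Does the thread's ip mtu 1400 still fit under a heavier transform set in tunnel mode?
    heavy = gre_ipsec_frame(1400, "tunnel", cipher="aes-cbc", integ="hmac-sha256-128")
    print("ip mtu 1400, tunnel mode, AES-CBC/HMAC-SHA-256:",
          frame_total(heavy) - ETH_HDR, "bytes on the wire (Ethernet excluded)")
```

Two things the numbers make visible. For ESP-3DES with HMAC-MD5-96 the ESP overhead is 30 bytes plus 0 to 7 bytes of padding, so a flat "ESP = 36" is a near-worst-case figure rather than a constant, and the 100-byte ping comes out at 174 bytes in transport mode and 190 in tunnel mode with a 4-byte GRE header. For the 1400/1360 pair, the MSS follows directly from the IP MTU once both the 20-byte IP header and the 20-byte TCP header are subtracted, and the last print shows that ip mtu 1400 in tunnel mode with AES-CBC and HMAC-SHA-256 lands exactly on 1500 bytes, which is why 1400 is a comfortable default even with a heavier transform set. TCP options beyond the base 20-byte header, and IP options, are not modelled.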