
Re: Question on TCP MSS with respect to IPSEC



You can only do so much to reduce TCP segment sizes to account for
IPSEC headers. Especially since a very common (if not the single most
important) case of tunnel mode assumes a TCP that knows nothing about
IPSEC.

The best you can really hope for is Path MTU support on the sending
TCP that will respond appropriately to ICMP messages from an IPSEC
tunnel endpoint that knows what its next hop interface MTU is after
being adjusted for IPSEC overhead.

Phil
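
Added example, not part of the original message: a sketch of the arithmetic behind the reply above, showing how an ESP tunnel endpoint derives the MTU it reports in an ICMP "fragmentation needed" message and the MSS a Path-MTU-aware TCP ends up with. It assumes IPv4 with no options, ESP only (no AH, no UDP encapsulation), and a constructed sample SA; the names EspSa, gateway_handle and sender_mss_after_icmp are hypothetical.

```python
from dataclasses import dataclass

OUTER_IPV4 = 20   # outer IPv4 header, no options (assumption)
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
IPV4_TCP = 40     # inner IPv4 + TCP headers, no options (assumption)

@dataclass(frozen=True)
class EspSa:
    iv_len: int    # bytes of IV carried in every packet
    block: int     # cipher block size in bytes
    icv_len: int   # bytes of integrity check value

    def _align(self) -> int:
        # ESP pads the encrypted part to the cipher block size, at least 4 bytes
        return max(self.block, 4)

    def outer_size(self, inner_len: int) -> int:
        """Size of the tunnel packet that carries an inner packet of inner_len."""
        a = self._align()
        enc = -(-(inner_len + ESP_TRAILER) // a) * a   # round up to alignment
        return OUTER_IPV4 + ESP_HDR + self.iv_len + enc + self.icv_len

    def inner_mtu(self, link_mtu: int) -> int:
        """Largest inner packet whose tunnel packet still fits in link_mtu."""
        a = self._align()
        room = link_mtu - OUTER_IPV4 - ESP_HDR - self.iv_len - self.icv_len
        return (room // a) * a - ESP_TRAILER           # round down, drop trailer

def gateway_handle(sa: EspSa, link_mtu: int, inner_len: int, df: bool):
    """Simplified tunnel endpoint decision for one inner packet."""
    outer = sa.outer_size(inner_len)
    if outer <= link_mtu:
        return ("forward", outer)
    if df:
        # ICMP type 3 code 4, reporting the MTU already adjusted for overhead
        return ("icmp_frag_needed", sa.inner_mtu(link_mtu))
    return ("fragment", outer)

def sender_mss_after_icmp(reported_mtu: int) -> int:
    """MSS a Path-MTU-aware TCP uses once it has seen the reported MTU."""
    return reported_mtu - IPV4_TCP

# Constructed sample SA: 16-byte IV, 16-byte blocks, 12-byte ICV
SAMPLE_SA = EspSa(iv_len=16, block=16, icv_len=12)

if __name__ == "__main__":
    verdict = gateway_handle(SAMPLE_SA, 1500, 1500, df=True)
    print(verdict, "-> MSS", sender_mss_after_icmp(verdict[1]))
```

Because of block padding the reported MTU is not simply the link MTU minus a fixed constant: one byte over the limit costs a whole extra cipher block.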