Thursday, October 18, 2018

Help verifying proper MTU/MSS config on both sides of a Cisco to PA IPsec tunnel

I want to verify that both ends of our VPN tunnels properly account for IPsec overhead, to avoid fragmentation.

Our branch offices tunnel all traffic via IPsec, from a Cisco ISR, to our central PA-5050 appliance.

I don't see any MTU- or MSS-related config on either end (Cisco ISR or PA). I've dug into configuration guides for both vendors, and I don't see anything that clearly states one should explicitly account for encapsulation overhead in my specific use-case. But my doc-fu is still strengthening, so I could have easily missed something.

I think the Cisco end accounts for the overhead automatically, without the need for explicit mtu or ip tcp adjust-mss interface config. Notice "plaintext mtu" is 1446, accounting for the 54-byte IPsec header:

    interface: GigabitEthernet8
        Crypto map tag: VPN, local addr 96.XX.XX.XX

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 205.XXX.XXX.XXX port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 220891623, #pkts encrypt: 220891623, #pkts digest: 220891623
        #pkts decaps: 332790940, #pkts decrypt: 332790940, #pkts verify: 332790940
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 3096

         local crypto endpt.: 96.XXX.XXX.XXX, remote crypto endpt.: 205.XXX.XXX.XXX
         plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
         current outbound spi: 0xFF506E00(4283461120)
         PFS (Y/N): N, DH group: none

The PA side, however, looks like it has totally default MTU/MSS settings on the respective tunnel interface:

    austindcc@PA-5050> show interface tunnel.3

    --------------------------------------------------------------------------------
    Name: tunnel.3, ID: 261
    Operation mode: layer3
    Virtual router vr1
    Interface MTU 1500
    Interface IP address: 172.XX.XX.XX/32
    Interface management profile: Management Profile
      ping: yes  telnet: no  ssh: no  http: no  https: no
      snmp: no  response-pages: yes  userid-service: no
    Service configured:
    Zone: vpn, virtual system: vsys1
    Adjust TCP MSS: no
    Tunnels associated:
      MyVPNTunnelObject
    --------------------------------------------------------------------------------

If I had to guess, I would say I should set the PA's tunnel.3 interface's MTU to 1446.

But this PA KB article says "For IPSec traffic, the Palo Alto Networks firewall will automatically adjust the TCP MSS in the three-way handshake. This will happen irrespective of the Adjust TCP MSS option enabled on the VPN external interface."

But the article goes on to explain how to manually adjust MTU "if...the firewall was not adjusting MSS as per ESP overhead."

So I'm confused. Is the PA accounting for ESP overhead? If so, how can I know for sure? If not, what should I do about it?
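To make the arithmetic behind the Cisco "plaintext mtu 1446" figure and the PA's MSS-adjust behaviour concrete, here is an added worked example (my own code, not from the post, Cisco, or Palo Alto Networks). It computes ESP tunnel-mode overhead for a few cipher suites, the largest inner packet that still fits a 1500-byte path MTU, and the TCP MSS a firewall would clamp a SYN to. The cipher suites are an assumption for illustration: the post does not say which suite the tunnel negotiates, and AES-GCM-128 is simply one suite whose overhead comes out to exactly 54 bytes at this packet size.

```python
# Added example: ESP tunnel-mode overhead and TCP MSS calculator.
# Cipher suite parameters are ASSUMED for illustration; the post does not
# say which suite the Cisco ISR / PA-5050 tunnel actually uses.

IPV4_HEADER = 20          # outer IPv4 header that tunnel mode prepends
ESP_HEADER = 8            # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2     # pad length (1 byte) + next header (1 byte)
TCP_HEADER = 20           # minimal TCP header, for the MSS derivation

# suite -> (IV length, ICV length, pad alignment), per the ESP/transform RFCs
SUITES = {
    "aes-gcm-128": (8, 16, 4),               # RFC 4106: 8-byte IV, 16-byte ICV
    "aes-cbc-128/sha1-96": (16, 12, 16),     # RFC 3602 + RFC 2404
    "aes-cbc-256/sha256-128": (16, 16, 16),  # RFC 3602 + RFC 4868
}


def esp_tunnel_overhead(inner_len, suite):
    """Bytes added when an inner IP packet of inner_len is ESP-tunnelled."""
    iv_len, icv_len, align = SUITES[suite]
    # Padding brings (payload + pad length + next header) to the cipher's
    # block alignment, so the overhead depends on the inner packet size.
    pad = (-(inner_len + ESP_TRAILER_FIXED)) % align
    return IPV4_HEADER + ESP_HEADER + iv_len + pad + ESP_TRAILER_FIXED + icv_len


def encrypted_size(inner_len, suite):
    """On-the-wire size of the ESP packet carrying an inner_len-byte packet."""
    return inner_len + esp_tunnel_overhead(inner_len, suite)


def max_plaintext_mtu(path_mtu, suite):
    """Largest inner packet whose encapsulation still fits path_mtu.

    This is the quantity the Cisco output reports as 'plaintext mtu'.
    Searching downward is simplest because padding makes the mapping
    from inner size to wire size non-monotonic at block boundaries.
    """
    for inner in range(path_mtu, 0, -1):
        if encrypted_size(inner, suite) <= path_mtu:
            return inner
    return 0


def tcp_mss_for(plaintext_mtu):
    """TCP MSS that keeps a full segment within plaintext_mtu (IPv4 + TCP headers)."""
    return plaintext_mtu - IPV4_HEADER - TCP_HEADER


def clamp_mss(advertised_mss, plaintext_mtu):
    """What an MSS-adjusting firewall rewrites a SYN's MSS option to.

    The option is only ever lowered, never raised; a host that already
    advertises a small MSS is left alone.
    """
    return min(advertised_mss, tcp_mss_for(plaintext_mtu))


if __name__ == "__main__":
    for suite in SUITES:
        pt = max_plaintext_mtu(1500, suite)
        print(f"{suite:24s} plaintext mtu {pt}  -> clamp MSS to {tcp_mss_for(pt)}")
    # Constructed SYN MSS values: a default-MTU host and one already clamped lower
    for advertised in (1460, 1380):
        print(f"SYN MSS {advertised} -> {clamp_mss(advertised, 1446)}")
```

Running it shows that with AES-GCM-128 a 1446-byte inner packet encapsulates to exactly 1500 bytes (54 bytes of overhead), matching the Cisco figure, while an AES-CBC/SHA1 suite fits only 1438 bytes; the corresponding MSS clamp for a 1446-byte plaintext MTU is 1406. The practical check on the PA side is the same one the KB describes: capture a SYN on the inside and on the tunnel side and confirm the MSS option was lowered to this value even with "Adjust TCP MSS: no" on tunnel.3.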
