@DavidPesticcio
Created September 28, 2017 19:38
MTU issues in VPN connections
https://community.spiceworks.com/topic/217130-mtu-issues-in-vpn-connections
Question:
Hello,
I often set up VPN tunnels on different network devices (Cisco, Juniper) and one day I read some information about MTU:
because of performance issues it's better practice to reduce the MTU size on tunnel interfaces/egress interfaces of routers.
How does this affect performance?
The default MTU for Ethernet is 1500. If the tunnel and egress interface would have the same value, why do I need to reduce it?
Answer:
Exactly, packets get fragmented before being encrypted. As the packet is combined back on the remote side, in most cases this is completely transparent.
Let me try to paint a picture of it.
A packet with 1500 bytes comes in via the inside Ethernet interface, where the MTU is 1500.
Case 1) No MTU limit set on the VPN tunnel
The IPsec encryption protocol adds a header and footer to the original packet, and now the packet inside the router gets bigger, like 1600 bytes. Now this already encrypted packet needs to leave the outside Ethernet interface, where the MTU is also 1500. It gets split into 2 with the hope that the other side will accept it. VPN protocols are used to secure traffic over public networks and such modified packets get discarded.
Case 2) MTU set on the VPN tunnel interface
Before the packet is encrypted, the original packet gets split into 2, and then the 2 packets get encrypted with a size lower than 1500. Now those 2 packets can be transmitted out with no fragmentation and decrypted on the other side. Once both packets are there, the original packet is rebuilt and sent to the desired system.
Here is one great link about IPsec tunneling and the header and footer added to the packet:
http://www.unixwiz.net/techtips/iguide-ipsec.html
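
The two cases above, worked through with numbers. This is an added example, not part of the original question or answer. It assumes ESP tunnel mode over IPv4 with AES-CBC and HMAC-SHA1-96; other transforms, NAT-T or GRE change the overhead, and all function names are illustrative.

```python
# Added illustration; constants assume ESP tunnel mode over IPv4 with
# AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV).
IP_HDR, ESP_HDR, IV, BLOCK, ICV = 20, 8, 16, 16, 12

def esp_tunnel_len(inner_len):
    """Size of the outer IPv4 packet after ESP tunnel-mode encapsulation."""
    # Inner packet plus 2 trailer bytes (pad length, next header),
    # padded up to the cipher block size.
    encrypted = -(-(inner_len + 2) // BLOCK) * BLOCK
    return IP_HDR + ESP_HDR + IV + encrypted + ICV

def max_inner_len(path_mtu):
    """Largest inner packet whose ESP packet still fits in path_mtu."""
    room = path_mtu - IP_HDR - ESP_HDR - IV - ICV
    return room // BLOCK * BLOCK - 2

def ipv4_fragments(total_len, mtu):
    """Total lengths of the IPv4 fragments of a packet sent over this MTU."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HDR
    step = (mtu - IP_HDR) // 8 * 8  # fragment offsets count 8-byte units
    sizes = []
    while payload > 0:
        chunk = min(step, payload)
        sizes.append(IP_HDR + chunk)
        payload -= chunk
    return sizes

def case1(inner_len, path_mtu):
    """No tunnel MTU: encrypt first, then fragment the ESP packet."""
    return ipv4_fragments(esp_tunnel_len(inner_len), path_mtu)

def case2(inner_len, path_mtu):
    """Tunnel MTU set: fragment the clear packet, then encrypt each piece."""
    tunnel_mtu = max_inner_len(path_mtu)
    return [esp_tunnel_len(f) for f in ipv4_fragments(inner_len, tunnel_mtu)]

if __name__ == "__main__":
    print("ESP size of a 1500-byte packet:", esp_tunnel_len(1500))
    print("tunnel MTU for a 1500-byte path:", max_inner_len(1500))
    print("case 1 wire packets (fragments of one ESP packet):", case1(1500, 1500))
    print("case 2 wire packets (two whole ESP packets):", case2(1500, 1500))
```

In case 1 the wire carries IP fragments of a single ESP packet, which the receiver must reassemble before it can decrypt; in case 2 each wire packet is a complete ESP packet that fits the path MTU.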