VPN Fragmentation and MTU anomalies - Check Point

TCP MSS adjustment for IPSec traffic (Apr 21, 2020). New VPN features in R77.20 and higher (including R80.x). For more information about VPN fragmentation, refer to sk98074 - MTU and Fragmentation Issues in IPsec VPN. This hotfix adds the new kernel parameter sim_ipsec_dont_fragment. If this parameter is enabled, the behavior of a Security Gateway with SecureXL enabled changes to the following:

I use a VPN that utilizes the WireGuard protocol, which has a maximum MTU size of 1420. To make sure, I tested that with "ping www.google.com -f -l" commands. 1392 was the highest MTU that did not require fragmentation. If you add 28 to that like you're supposed to, you get WireGuard's MTU of 1420. I used NetSH commands to set my LAN to use an MTU of 1420.

With a VPN you generally reduce the MTU because you need to account for the VPN overhead on each packet, and fragmentation will likely increase latency. Within OpenVPN, the fragment option sets the maximum size a packet can reach before it is fragmented.

Nov 28, 2016 · Begin increasing the packet size from this number in small increments until you find the largest size that does not fragment. Add 28 to that number (IP/ICMP headers) to get the optimal MTU setting. For example, if the largest packet size from ping tests is 1462, add 28 to 1462 to get a total of 1490 which is the optimal MTU setting.
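The ping-and-add-28 procedure described above, as an added example that is not code from any of the quoted sources: a small Python script that binary-searches the largest payload a Don't Fragment ping gets through, then adds the 28-byte IPv4/ICMP overhead to obtain the MTU. The simulated probe and the Linux iputils ping flags are my assumptions; on Windows the equivalent probe is ping -f -l <size>.

```python
import subprocess
from typing import Callable

# 20-byte IPv4 header + 8-byte ICMP header: the "+28" rule from the text.
IP_ICMP_OVERHEAD = 28

def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest ICMP payload that probe() accepts with DF set.
    probe(size) must be monotone (True up to the path limit, False above it).
    1472 is the largest payload that fits a 1500-byte IPv4 frame. Returns 0
    when no size succeeds."""
    best = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best

def optimal_mtu(probe: Callable[[int], bool]) -> int:
    """Largest passing payload plus IP/ICMP headers; 0 if nothing passed."""
    payload = largest_unfragmented_payload(probe)
    return payload + IP_ICMP_OVERHEAD if payload else 0

def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for 'ping -f -l <size>': a DF ping only succeeds
    when payload plus headers fits within the (simulated) path MTU."""
    return lambda size: size + IP_ICMP_OVERHEAD <= path_mtu

def linux_ping_probe(host: str) -> Callable[[int], bool]:
    """Real probe (assumption: Linux iputils ping). -M do sets DF, -s sets the
    payload size; a 'message too long' or no reply gives a non-zero exit."""
    def probe(size: int) -> bool:
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(size), host],
            capture_output=True)
        return result.returncode == 0
    return probe

if __name__ == "__main__":
    # Offline demonstration against a simulated WireGuard-sized path (1420).
    print("largest payload:", largest_unfragmented_payload(simulated_probe(1420)))
    print("optimal MTU:", optimal_mtu(simulated_probe(1420)))
```

Against a live host, replace simulated_probe(1420) with linux_ping_probe("hostname"); each probe is one DF ping, so the search finishes in about eleven pings.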

MTU. The Maximum Transmission Unit (MTU) is the maximum frame size that can be sent between two hosts without fragmentation. The MX uses an MTU size of 1500 bytes on the WAN interface. When a packet is sent from a local host to a host in a remote network, …

This is a limitation of the VPN, which is not handling IP fragmentation properly. The workaround involves lowering the ICA/EDT MSS to a known value that will not cause fragmentation. This MTU value needs to be determined by the customer, for example by using a tool like mturoute.exe.