Old 09-13-2016, 01:10 AM   #1
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Questions about IPsec VPNs and MTU

I'm familiar with setting up Strongswan on Arch Linux both in a site-to-site and a remote access style, on various Arch router PCs I've built.

I often read that you can run into MTU "issues" with IPsec VPNs, and that the MTU must be lowered from the standard 1500 bytes. My questions are:

- WHERE should the MTU be lowered? On the routers? (If so, which interfaces?) On the connecting LAN/remote devices?
- TO WHAT number should the MTU be set?
- Are there cases where you don't need to mess with the MTU?

Old 09-13-2016, 08:00 AM   #2
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,885
Blog Entries: 13

How about first determining if there are any issues with MTU versus assuming that the information you've read is accurate, by default? Their information, and you're welcome to post a link, would be more beneficial if they included reference information to back up their claims, such as tests performed, as well as their own example of how they reduced MTU and improved the situation.

Controlling MTU "I believe" is something you can configure at the network adapter level, and maybe also in the routing software. However before doing so, I'd verify you have problems first.

What I can also tell you is about data transmission for layer 2 using a Reliable Link State Protocol (RLSP) and the probability of error:

If the probability of error is low, you increase the size of your transmissions because any given frame is less likely to experience errors.

If the probability of error is high, you lower the size of your transmissions because any given frame is more likely to experience errors, and thus you would have less data affected by errors.
A reference on this
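
On the "to what number" question from post #1, an added example (not written by either poster, and not strongSwan code) that computes how much room ESP tunnel mode leaves inside a given path MTU. It assumes IPv4, the ESP field sizes from RFC 4303, minimal padding, and three illustrative cipher suites; the suite labels and function names are made up for this example.

```python
# Added example: ESP tunnel-mode overhead over IPv4 (field sizes per RFC 4303).
# Assumes minimal padding (no traffic-flow-confidentiality padding).
# Suite labels and function names are illustrative, not strongSwan identifiers.

OUTER_IPV4 = 20   # outer IPv4 header without options
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte
NATT_UDP = 8      # UDP header added by NAT traversal (UDP encapsulation)

# suite label -> (IV bytes, padding alignment in bytes, ICV bytes)
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}

def esp_packet_size(inner_len, suite, nat_t=False):
    """On-the-wire size of the outer packet carrying an inner IP packet."""
    iv, align, icv = SUITES[suite]
    # inner packet + padding + trailer is rounded up to the alignment
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    natt = NATT_UDP if nat_t else 0
    return OUTER_IPV4 + natt + ESP_HEADER + iv + padded + icv

def max_inner_packet(path_mtu, suite, nat_t=False):
    """Largest inner IP packet that fits in path_mtu without fragmentation."""
    iv, align, icv = SUITES[suite]
    natt = NATT_UDP if nat_t else 0
    room = path_mtu - (OUTER_IPV4 + natt + ESP_HEADER + iv + icv)
    inner = (room // align) * align - ESP_TRAILER
    if inner <= 0:
        raise ValueError("path MTU too small for this suite")
    return inner

def tcp_mss(inner_mtu):
    """MSS for IPv4 + TCP headers without options (20 + 20 bytes)."""
    return inner_mtu - 40

if __name__ == "__main__":
    for suite in SUITES:
        for nat_t in (False, True):
            inner = max_inner_packet(1500, suite, nat_t)
            wire = esp_packet_size(inner, suite, nat_t)
            print(f"{suite:24} nat_t={nat_t!s:5} inner_mtu={inner} "
                  f"wire={wire} tcp_mss={tcp_mss(inner)}")
```

An inner packet one byte over the computed limit pushes the outer packet past the path MTU, which is the case where fragmentation or a dropped packet with the DF bit set shows up.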

