There is an IPsec tunnel to make connection with the customer VPN towards a firewall cluster. They need to send packets bigger than 1500, which is the default value of MTU for a LTE interface. The reason of this is because the customer builds up their own IPsec tunnel through another IPsec tunnel and needs to be able to send packets with a MTU size of 1400 bytes. The problem is that the TCP packet that flow inside the IPsec tunnel of the customer must not be fragmented due to their application. When the packet is fragmented the application of our customer doesn't work anymore.
The network topology:
We have reproduced the issue in our laboratory and we got packets at every node in order to demonstrate the fragmentation process.
So the fragmentation will not occur inside the customer's tunnel. Fragmentation will occur only within the Esprit Tunnel, because that is where the MTU issue is present, so the fragmentation issue will be present only on IPsec2 path because the MTU cannot be set bigger that 1500.
1. IPsec packets will be sent from Customer CPE-2 as normal. - IPsec1.
2.When these packets reach the AR169 CPE1 they need to be forwarded through the Esprit IPsec2 tunnel and the following can happen:
a)If the DF bit is set and the packets exceed the interface MTU, the packets will be dropped.
b)If the DF bit is not set or if the AR clears the DF flag, the packets will be fragmented and forwarded through the Cellular Interface.
- The Esprit FW peer will re-assemble the IPsec2 packets upon receiving them, and remove the outer layer of encapsulation.
- The result will be non- fragmented IPsec1 packets that will be forwarded to the customer's CPE3 device.
In conclusion, our recommendation is to configure the command IPsec df-bit clear on the CPE1 device where the Cellular Interface needs to fragment IPsec packets of the Esprit tunnel.
Our recommendation is to configure the command IPsec df-bit clear on the CPE1 device where the Cellular Interface needs to fragment IPsec packets of the Esprit tunnel.