Tested release: 21.2.3, 22.1.4
The IPsec tunnel MTU is typically set to 1336 bytes due to overhead introduced by the encapsulation process.
This KB is an attempt to break down the calculation step by step.
IPsec Tunnel MTU Calculation:
By default, an Ethernet network has an MTU of 1500 bytes. When you encapsulate packets inside an IPsec tunnel, additional headers are added, reducing the available space for the payload.
- Base MTU
1500 bytes
- Outer IP Header (IPv4/IPv6)
IPv4: 20 bytes
IPv6: 40 bytes
(We will assume IPv4 for this calculation)
- ESP Overhead (Encapsulation Security Payload)
ESP Header: 8 bytes
ESP Trailer: ~16 bytes
ESP Authentication: 12-16 bytes
A typical ESP overhead is around 36 bytes.
- GRE or UDP Encapsulation (Optional for NAT-Traversal)
If IPsec NAT-T is used (UDP encapsulation), add 4 bytes for the UDP header
If GRE is used, add 24 bytes
So, without NAT-T:
MTU = 1500 - (20+36) = 1444 bytes
With NAT-T:
MTU = 1500 - (20+36+4) = 1440 bytes
However, many configurations use 1336 bytes to be on the safer side to account for additional variations in ESP padding, Key exchange headers or additional security features.
Versa IPsec Tunnel MTU by default is set to 1336 bytes.
This can be verified with the CLI command: show interfaces detail <tvi-interface> | grep mtu
How is MSS (Maximum Segment Size) Set?
The MSS is typically derived from the MTU to avoid fragmentation at the IP layer.
MSS = MTU - TCP/IP headers
MSS = 1336 - (20+20) = 1296 bytes
If Path MTU Discovery (PMTUD) is enabled, TCP automatically adjusts the MSS accordingly.
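The MTU and MSS arithmetic above, carried through as a small calculator (an added example, not Versa's code). The constants are the figures the KB uses: 1500-byte base MTU, 20/40-byte IPv4/IPv6 header, 36-byte ESP overhead, 4-byte NAT-T overhead, 24-byte GRE overhead, 20-byte TCP header and the 1336-byte Versa default. It goes slightly beyond the KB by handling an IPv6 outer header and GRE, and by checking whether an inner packet of a given size still fits the 1500-byte link once encapsulated, which is the fragmentation the MSS clamp is meant to avoid. The NAT-T overhead is left at the KB's 4 bytes so the results reproduce 1444/1440; it is a parameter, so callers who want a full RFC 3948 UDP header can pass 8.

```python
"""IPsec tunnel MTU / TCP MSS calculator built from the KB's figures.

Added illustration, not Versa's code. Every constant below is taken
from the KB text; the function names and parameters are assumptions
made for this example.
"""
from dataclasses import dataclass

# Header sizes used by the KB (bytes). Applies to both the outer IP
# header added by IPsec and the inner IP header of the payload packet.
IP_HEADER = {"ipv4": 20, "ipv6": 40}
ESP_OVERHEAD = 36          # 8 ESP header + ~16 trailer + 12-16 ICV (KB figure)
NAT_T_OVERHEAD = 4         # KB figure; an RFC 3948 NAT-T UDP header is 8 bytes
GRE_OVERHEAD = 24          # KB figure for GRE encapsulation
TCP_HEADER = 20            # TCP header without options
ETHERNET_MTU = 1500        # default Ethernet MTU
VERSA_DEFAULT_TUNNEL_MTU = 1336  # Versa tvi default stated in the KB


@dataclass(frozen=True)
class TunnelMtu:
    base_mtu: int
    overhead: int   # bytes added by encapsulation
    mtu: int        # largest inner packet that fits the base MTU


def tunnel_mtu(base_mtu: int = ETHERNET_MTU, outer_ip: str = "ipv4",
               nat_t: bool = False, gre: bool = False,
               esp_overhead: int = ESP_OVERHEAD,
               nat_t_overhead: int = NAT_T_OVERHEAD) -> TunnelMtu:
    """Inner MTU = base MTU - (outer IP + ESP [+ NAT-T UDP] [+ GRE])."""
    overhead = IP_HEADER[outer_ip] + esp_overhead
    if nat_t:
        overhead += nat_t_overhead
    if gre:
        overhead += GRE_OVERHEAD
    return TunnelMtu(base_mtu, overhead, base_mtu - overhead)


def tcp_mss(mtu: int, inner_ip: str = "ipv4") -> int:
    """MSS = MTU - inner IP header - TCP header, as in the KB."""
    return mtu - IP_HEADER[inner_ip] - TCP_HEADER


def safety_margin(computed: TunnelMtu,
                  configured_mtu: int = VERSA_DEFAULT_TUNNEL_MTU) -> int:
    """Bytes of headroom the conservative default keeps below the computed MTU."""
    return computed.mtu - configured_mtu


def fits_after_encapsulation(inner_packet_len: int, tunnel: TunnelMtu) -> bool:
    """True if the encapsulated frame still fits the base (link) MTU."""
    return inner_packet_len + tunnel.overhead <= tunnel.base_mtu


if __name__ == "__main__":
    for label, t in (("no NAT-T", tunnel_mtu()),
                     ("NAT-T", tunnel_mtu(nat_t=True)),
                     ("IPv6 outer", tunnel_mtu(outer_ip="ipv6"))):
        print(f"{label:>10}: overhead {t.overhead:3d}  inner MTU {t.mtu}  "
              f"MSS {tcp_mss(t.mtu)}  headroom vs 1336: {safety_margin(t)}")
    # A 1444-byte inner packet fits without NAT-T but not once NAT-T is added.
    print(fits_after_encapsulation(1444, tunnel_mtu()),
          fits_after_encapsulation(1444, tunnel_mtu(nat_t=True)))
    print("MSS for the Versa default MTU:", tcp_mss(VERSA_DEFAULT_TUNNEL_MTU))
```

Running the script reproduces the KB's 1444 (no NAT-T), 1440 (NAT-T) and 1296 (MSS at 1336) and shows that the 1336 default keeps roughly 100 bytes of headroom for ESP padding variation or extra headers.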
For more information on PMTU vs. tunnel MTU, please review the KB below:
https://support.versa-networks.com/en/support/solutions/articles/23000027423-tunnel-mtu-and-pmtu
##################################################
For any further queries, please reach out to Versa TAC.