L2TP with IPsec MTU settings

Hi,

What are the optimum settings for L2TP with IPsec for the MTU and MRU?
I have set it on my Server to 1400.
In the firewall I have set a rule with change MSS to 1370.

Maybe someone has the correct settings.

Merry Christmas, Chris

1400 should normally be a good MTU/MRU.
For MSS you can also set “clamp to PMTU” to calculate it automatically, but 1370 is OK with a 1400 byte MTU.

Remember you cannot calculate exact values because you do not always know the outer MTU…
On your network it may be 1500 but the peer may be behind PPPoE and have 1492 or 1480 byte MTU.

The default in RouterOS for L2TP is 1450. I was confused about this too because I can enable IPSec over L2TP with the same default MTU, and it still works without dropping packets. My IPSec configuration has been negotiating cbc(aes) + hmac(sha512) encoding. I have MRRU off, and the ESP packets are not NAT-T encapsulated, so there is no UDP header overhead.

I tested it by sending pings with the no-fragmentation flag turned on and a payload size of 1422, which makes a 1450 size ICMP packet. The packets did not drop, and the replies came through the tunnel just fine at the same size. Since it worked, I thought it was fine for a long time. I was wrong.

I ran the sniffer tool on the external interface and noticed that there were 68-byte ESP packets in addition to the 1500-byte IP packets (not counting the 14 byte Ethernet header). I thought that maybe RouterOS transparently fragments? So I tried flushing route caches and lowering the MTU to 1430: Still there, but now the extra packets are 52 bytes in size. Tried 1410: Still there, but now the extra packets are 36 bytes in size. Tried 1405: Still there, extra packets are still 36 bytes in size. Tried 1404: no more extraneous small packets. It fits in 1404! The apparent size brackets probably have to do with block cipher padding and other headers. Going to 1400 probably wouldn’t be enough for PPPoE peers. Since the PPPoE header is 8 bytes, it would still have to fragment. NAT-T ESP encapsulation would require another 8 bytes.

Maybe RouterOS does MRRU-like fragmentation and reconstruction when the packet doesn’t fit, even when MRRU is not turned on.
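As an added example (not part of the thread, and not RouterOS code), a small Python calculator for the overhead budget behind the 1404-byte experiment above: it encapsulates an inner IP packet as PPP/L2TP/UDP, pads it to the cipher block, adds the ESP header, IV and ICV, and reports whether the result fits the outer MTU. The header sizes are assumptions: a minimal 6-byte L2TP data header, an uncompressed 4-byte PPP header, AES-CBC with a 16-byte IV and block, and a 32-byte HMAC-SHA512 ICV.

```python
# L2TP over IPsec (ESP transport mode) overhead budget calculator.
# Assumed header sizes (standard values, adjust if your setup differs):
import math
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header without options
UDP_HDR = 8
L2TP_HDR = 6       # minimal L2TP data message: flags/version, tunnel id, session id
PPP_HDR = 4        # address, control, protocol (2 if ACFC and PFC are negotiated)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header (inside the encrypted part)


@dataclass
class EspAlgo:
    name: str
    block: int     # cipher block size the ESP payload is padded to
    iv: int        # IV length in bytes
    icv: int       # integrity check value length in bytes


AES_CBC_SHA512 = EspAlgo("aes-cbc + hmac-sha512", block=16, iv=16, icv=32)


def outer_size(inner_mtu: int, algo: EspAlgo, nat_t: bool = False) -> int:
    """Size of the outer IP packet carrying an inner packet of inner_mtu bytes."""
    protected = PPP_HDR + L2TP_HDR + UDP_HDR + inner_mtu   # what ESP transport mode encrypts
    padded = math.ceil((protected + ESP_TRAILER) / algo.block) * algo.block
    esp = ESP_HDR + algo.iv + padded + algo.icv
    if nat_t:
        esp += UDP_HDR                                     # UDP encapsulation, port 4500
    return IP_HDR + esp


def max_inner_mtu(outer_mtu: int, algo: EspAlgo, nat_t: bool = False) -> int:
    """Largest inner MTU whose encapsulated packet still fits outer_mtu unfragmented."""
    mtu = outer_mtu
    while mtu > 0 and outer_size(mtu, algo, nat_t) > outer_mtu:
        mtu -= 1
    return mtu


def overflow_fragment_size(inner_mtu: int, outer_mtu: int, algo: EspAlgo) -> int:
    """Size of the second IP fragment (0 if none), assuming the first fills outer_mtu."""
    excess = outer_size(inner_mtu, algo) - outer_mtu
    return IP_HDR + excess if excess > 0 else 0


def tcp_mss(inner_mtu: int) -> int:
    """TCP MSS for the tunnel: inner MTU minus IPv4 and TCP headers."""
    return inner_mtu - 40


if __name__ == "__main__":
    for inner in (1450, 1430, 1410, 1405, 1404):
        print(inner, outer_size(inner, AES_CBC_SHA512), overflow_fragment_size(inner, 1500, AES_CBC_SHA512))
    print("max inner MTU, 1500 outer:", max_inner_mtu(1500, AES_CBC_SHA512))
    print("max inner MTU, 1492 (PPPoE) outer:", max_inner_mtu(1492, AES_CBC_SHA512))
    print("max inner MTU, 1500 outer with NAT-T:", max_inner_mtu(1500, AES_CBC_SHA512, nat_t=True))
```

Under these assumptions the model reproduces the measurements above: 1404 lands on exactly 1500 bytes, 1405 overflows, and the second fragment comes out at 36, 52 and 68 bytes for inner MTUs of 1410, 1430 and 1450. For a 1492-byte PPPoE path or for NAT-T on a 1500-byte path the largest inner MTU drops to 1388.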

In your case the fragmentation is happening during the crypto phase after the PPPoE encapsulation. This allows IPSEC to perform the fragmentation.

If your DF traffic exceeded the MTU of the PPPoE side it would send a Too Big message back to the originator and then drop, which is not what you were seeing.

Cisco has a calculator for IPSEC algorithms to help budget bytes based on what you selected for crypto. This would help right-size the MTU to prevent the big and small packet with default settings, although your method works as well.

Nitpick: you probably meant 1360 for TCP MSS and just mistyped.

That is right, there should be a difference of 40 between MTU and MSS.
It is better to use the automatic MSS clamping… (clamp to pMTU)

Hi everyone,

I’m trying to use the Cisco calculator available here to calculate optimal MTU with L2TP/IPSec on my Mikrotik server:

https://cway.cisco.com/ipsec-overhead-calculator/

I’ve selected “Transport mode”, “ESP Encryption”, and “ESP Integrity”, but I don’t know if I should also include “AH Integrity” or not. Does Mikrotik insert only ESP headers? Or do they also insert AH headers?

Thanks in advance!