On Tue, Mar 27, 2001 at 10:50:11AM +1000, Ken Blinco wrote:
:
: Thanks for that. We need to increase the mtu as there are large packets
: being sent through a VPN which have the do-not-fragment bit set. If you
: think 1600 is too large, what would you recommend? (I guess it depends
: on the packet size).
I would recommend you configure your VPN to not copy the "DF" bit from the
clear packet to the encapsulated/encrypted packet. I know that at least
the Nokia VPN appliances (the stuff that came from Network Alchemy) support
this, and I imagine others would as well, since it is a useful feature.
Properly implemented, a packet with DF set would get encapsulated, and
*that* packet would get frag'd, and re-assembled at the other end of the
VPN.
--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.
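
The behaviour described in the reply above, as an added example that is not part of the original message: a small Python model of a tunnel gateway that either copies or clears DF on the outer packet, fragments the outer packet when allowed, and reassembles it at the far end. The 56-byte tunnel overhead, the 1500-byte link MTU and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

IP_HDR = 20  # IPv4 header without options, in bytes

@dataclass
class Fragment:
    offset_units: int      # IPv4 fragment offset field, in 8-byte units
    payload_len: int       # bytes carried after the outer IP header
    more_fragments: bool   # MF flag

    @property
    def total_len(self):
        return IP_HDR + self.payload_len

def tunnel_send(inner_len, inner_df, overhead, link_mtu, copy_df):
    """Encapsulate one clear packet and send it over a link.

    overhead is the assumed tunnel cost, outer IP header included.
    Returns the outer fragments, or None when the outer packet is dropped
    (the router would answer with ICMP 'fragmentation needed').
    """
    outer_len = inner_len + overhead
    outer_df = inner_df and copy_df           # DF reaches the outer header only if copied
    if outer_len <= link_mtu:
        return [Fragment(0, outer_len - IP_HDR, False)]
    if outer_df:
        return None                           # too big and not allowed to fragment
    max_payload = (link_mtu - IP_HDR) // 8 * 8  # non-final fragments carry a multiple of 8
    remaining, offset, frags = outer_len - IP_HDR, 0, []
    while remaining > 0:
        size = min(max_payload, remaining)
        remaining -= size
        frags.append(Fragment(offset // 8, size, remaining > 0))
        offset += size
    return frags

def reassemble(frags, overhead):
    """Far-end gateway: rebuild the outer packet, strip the tunnel overhead,
    and return the length of the recovered inner packet."""
    expected = 0
    for f in sorted(frags, key=lambda f: f.offset_units):
        if f.offset_units * 8 != expected:
            raise ValueError("gap in fragment chain")
        expected += f.payload_len
    if max(frags, key=lambda f: f.offset_units).more_fragments:
        raise ValueError("final fragment missing")
    return IP_HDR + expected - overhead

if __name__ == "__main__":
    # Constructed case: 1500-byte clear packet with DF set, 56 bytes of tunnel overhead.
    print(tunnel_send(1500, True, 56, 1500, copy_df=True))
    print(tunnel_send(1500, True, 56, 1500, copy_df=False))
```

With DF cleared on the outer header, the inner packet still arrives with its own DF bit intact, because only the encapsulating packet is ever fragmented.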