Figure 10-21 GRE IPsec with PMTUD

As you can see in Figure 10-21, IPsec transport mode ESP, for example, adds a maximum of 38 bytes t ESP information. Tunnel mode adds a maximum of 58 bytes because of the new IP header.

Both of these numbers assume all the security options enabled for IPsec. Therefore, you can optimize y minimize the number of PMTUD rounds you must go through. Simply start your GRE tunnel with a defai transport mode or 1418 for tunnel mode. This ensures that, by the time the packet is fully encrypted, it fragmented again.

Router(config)#interface Tunnel0
Router(config-if)#ip mtu 1438
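
The arithmetic behind these tunnel MTU values, as an added example that is not configuration or code from the book: a short Python check that derives the largest safe GRE tunnel IP MTU from the 38- and 58-byte ESP maxima quoted above and audits the tunnel interfaces in a configuration. The 1500-byte link MTU, the 24-byte GRE overhead, the function names, and the sample configuration are assumptions made for the example.

```python
import re

LINK_MTU = 1500       # assumption: Ethernet MTU on the physical path
GRE_OVERHEAD = 24     # assumption: 20-byte outer IP header + 4-byte GRE header
ESP_MAX_OVERHEAD = {"transport": 38, "tunnel": 58}  # maxima quoted in the text


def max_tunnel_ip_mtu(mode, link_mtu=LINK_MTU):
    """Largest tunnel IP MTU whose packets still fit the link after GRE + ESP."""
    return link_mtu - GRE_OVERHEAD - ESP_MAX_OVERHEAD[mode]


def audit_tunnels(config_text, mode, link_mtu=LINK_MTU):
    """Return {tunnel_name: (ip_mtu, fits)} for every Tunnel interface."""
    limit = max_tunnel_ip_mtu(mode, link_mtu)
    results, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            name = m.group(1)
            current = name if name.lower().startswith("tunnel") else None
            if current:
                # Assumption: with no "ip mtu" line, the tunnel uses
                # the link MTU minus the GRE overhead.
                default = link_mtu - GRE_OVERHEAD
                results[current] = (default, default <= limit)
            continue
        m = re.match(r"ip mtu\s+(\d+)$", line, re.I)
        if m and current:
            mtu = int(m.group(1))
            results[current] = (mtu, mtu <= limit)
    return results


# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
interface Tunnel0
 ip mtu 1438
interface Tunnel1
 tunnel source 192.0.2.1
interface FastEthernet0/0
 ip mtu 1500
"""

if __name__ == "__main__":
    for ipsec_mode in ("transport", "tunnel"):
        print(ipsec_mode, max_tunnel_ip_mtu(ipsec_mode),
              audit_tunnels(SAMPLE, ipsec_mode))
```

A tunnel reported with fits set to False can still produce packets that exceed the link MTU once ESP is applied, so they are fragmented after encryption.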

Fragmentation has even more variations if you introduce an intermediary router with an MTU less than many other fragmentation situations, consult the excellent Cisco TAC guide on fragmentation issues, "IF PMTUD," at the following URL: white paper09186a00800d6979.shtml.

