logo

Main Menu
Home
Products
Tips n Tricks
Download
Contacts
About
Login Form





Lost Password?
Optimising MTU settings in IPSEC or PPTP Tunnels PDF Print E-mail

Experiencing issues with latency (speed) across the VPN tunnel

Experiencing Latency through the VPN Tunnel

Background:

There have always been problems with VPN and fragmentation.  The problem occurs when a packet becomes fragmented and has to be reassembled by a VPN device.  Also, with newer technologies being used such as Load Balancing the fragmented packets may reach the VPN client out of order.  The VPN client then has to reassemble the out of order packets.  If one packet is not received the VPN client cannot reassemble the complete packet.

MTU (Maximum Transmission Unit):
The largest number of bytes a frame can carry, not counting the frame's header and trailer.  A frame is a single unit of transportation on the data link layer. It consists of header data plus data which was passed down from the network layer plus sometimes trailer data. An Ethernet frame has a MTU of 1500 bytes but the size of the frame can be up to 1526 bytes (22 byte header, 4 byte CRC trailer).

What MTU size should I set?

To determine the right MTU setting, run a fragmented ping test from a
command prompt on the client machine:

ping [Public IP Address of SnapGear unit] -f -l 1500

Most likely, you will get back the message:

Packet needs to be fragmented but DF set.

The DF refers to the Don't Fragment bit.  Keep lowering the byte size
from 1500 until it replies without error.  That point at which it replies
without an error is the point of fragmentation.  The MTU size should be just below that point.

Recent versions of Snapgear firmware also have the mtuchk utility included.

If you telnet/ssh to the snapgear and enter this command

mtuchk x.x.x.x

where x.x.x.x is the remote IP address you wish to check the what the maximum MTU is that you can send to that host.

PPTP

How do you adjust the MTU setting for PPTP clients on the SnapGear?

Log into the unit, and go under System, Advanced, Configuration Files, and select the options.pptp file.  Click edit.  Add the line:

mtu 1200 <or other desired byte size>

How to adjust the MTU size on the PPTP client machine:

You can download the Dr. TCP utility here:
http://www.dslreports.com/front/drtcp.html, which will let you adjust the MTU size on the network adapter of the local machine.


IPSec

The same goes for IPSec VPN.  Adjusting these settings should help reduce any fragmentation and MTU issues.

How to adjust the MTU setting for IPSec clients on the SnapGear?

Log into the SnapGear unit.  Go under VPN | IPSec.  There on the General Settings page, underneath the checkbox to enable IPSec, you can adjust the IPSec MTU.


See also this knowledgebase article:

http://www.snapgear.com/faqomatic/public_html/fom-serve/cache/196.html
 
 
logo