Reduction of Encryption Domain interfaces' MTU - Prevention of fragmentation of IPv6 packets in VPN tunnels
According to the IPv6 standard (RFC 2460), fragmentation is performed only by the originating host: gateways and routers forward packets as received and, if a packet does not fit the next-hop MTU, drop it and report ICMPv6 Packet Too Big. This poses a problem for protocols that encapsulate packets or change the payload size, specifically IPsec, because the encapsulation adds bytes after the endpoint has already chosen its packet size. A discussion of the problem and possible solutions is found in RFC 4459.
Currently, the VPN Gateway simply drops an IPv6 packet whose size after encryption exceeds the MTU.
This problem was fixed. The fix is included in:
Check Point recommends always upgrading to the most recent version.
For other versions, the workaround is to reduce the MTU on every interface of every host that connects to the VPN Gateway over IPv6, so that packets remain small enough to pass the link MTU even after encapsulation. This applies to every device (firewall, router, etc.) in the encryption domain that has an IPv6 interface directly connected (i.e., on the same subnet) to the encrypting VPN Gateway.
For example, if Router A communicates over IPv6 with the VPN Gateway and the networks behind Router A are in the VPN Gateway's encryption domain, then the MTU of Router A's interfaces facing the VPN Gateway needs to be reduced.
Set the MTU on these interfaces to 1350 bytes and make sure that the change survives a reboot. If the current MTU is not the default of 1500, reduce the current value by 150 bytes instead; the result must stay at or above 1280 bytes, the minimum link MTU that RFC 2460 requires for IPv6.
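The following script is an added example (not part of this article and not a Check Point tool) of carrying out the workaround above on a Linux host or router in the encryption domain: it derives the reduced MTU from the current one by the article's "reduce by 150 bytes" rule, refuses values below the IPv6 minimum of 1280, applies it with iproute2, and then checks with an unfragmented ping that a packet sized to the new MTU passes while one sized to the old MTU is rejected. The interface name, peer address and the iputils `ping -M do` option are assumptions; the interface and address used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a Linux host with
# iproute2 (ip) and iputils (ping). Interface and peer names are placeholders.

IPV6_MIN_MTU=1280   # RFC 2460: every IPv6 link must carry 1280-byte packets
MTU_REDUCTION=150   # the article's rule: 1500 -> 1350

# Print the MTU to configure for an interface whose current MTU is $1.
# Applies the article's "reduce by 150 bytes" rule and refuses to drop
# below the IPv6 minimum link MTU (assumed sanity check, not from the article).
target_mtu() {
    cur=$1
    new=$((cur - MTU_REDUCTION))
    if [ "$new" -lt "$IPV6_MIN_MTU" ]; then
        echo "refusing: $cur - $MTU_REDUCTION is below the IPv6 minimum MTU $IPV6_MIN_MTU" >&2
        return 1
    fi
    echo "$new"
}

# Largest ICMPv6 echo payload that still fits in a single packet of MTU $1:
# 40-byte IPv6 header plus 8-byte ICMPv6 echo header.
max_echo_payload() {
    echo $(($1 - 40 - 8))
}

# Lower the MTU of interface $1 at runtime. This alone does not survive a
# reboot; persist it in the distribution's network configuration as well.
apply_mtu() {
    dev=$1
    cur=$(cat "/sys/class/net/$dev/mtu") || return 1
    new=$(target_mtu "$cur") || return 1
    ip link set dev "$dev" mtu "$new"
}

# Check that interface $1 now carries packets of the new MTU $4 to peer $2
# and no longer accepts packets of the old MTU $3. "ping -M do" forbids local
# fragmentation, so an oversized probe fails instead of being split.
verify_mtu() {
    dev=$1; peer=$2; old=$3; new=$4
    if ! ping -6 -c 3 -M do -I "$dev" -s "$(max_echo_payload "$new")" "$peer" >/dev/null; then
        echo "probe sized to the new MTU $new failed on $dev" >&2
        return 1
    fi
    if ping -6 -c 1 -M do -I "$dev" -s "$(max_echo_payload "$old")" "$peer" >/dev/null 2>&1; then
        echo "probe sized to the old MTU $old still succeeds; MTU on $dev was not lowered" >&2
        return 1
    fi
    echo "ok: $dev carries $new-byte packets and rejects $old-byte ones"
}

# Usage (run as root; eth1 and 2001:db8::1 are placeholders for the interface
# facing the VPN Gateway and the VPN Gateway's IPv6 address):
#   apply_mtu eth1 && verify_mtu eth1 2001:db8::1 1500 1350
```

`apply_mtu` only changes the running configuration; to make the value survive a reboot, set it in the host's persistent network configuration as well (for example `mtu 1350` on the interface stanza in ifupdown's `/etc/network/interfaces`, or `MTUBytes=1350` in a systemd-networkd `.network` file). On a Check Point Gaia router the equivalent persistent change is `set interface <name> mtu 1350` followed by `save config` in clish.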
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
This solution is about products that are no longer supported and it will not be updated.
- 01069848, 01138490