Is anyone aware of a solution/customer who has implemented the following requirements:
- They require IPsec over DX
- They need effective MTU (i.e. original packet not counting IPsec overhead) >= 1500 over IPsec as they don't/can't control host MTU settings, and they use DF
  1. They don't allow ICMP in their network, so path MTU discovery is out
  2. They don't like TCP mss-adjust on the IPsec headends
One solution I can think of is EC2 IPsec termination in a VPC via Private VIF (this allows the higher MTU). Then use a VPC attachment (as opposed to VPN) from the VPC to a TGW, and deploy automation to handle failover.
I also understand GWLB won't help here, as it's a two-armed appliance (IPsec and ENI out towards TGW VPC attachment).
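To make the MTU arithmetic behind this question concrete, here is an added worked example (my own code, not from the post or from any AWS tooling). It computes ESP tunnel-mode overhead for a few common cipher suites, derives the largest inner packet that fits a given outer path MTU, and reports what happens to a DF-marked 1500-byte packet when the path cannot carry it and ICMP is filtered. The cipher parameters (IV length, padding alignment, ICV length) are standard ESP values; the 9001-byte DX private VIF MTU and the 1500-byte non-jumbo path are assumed inputs chosen to mirror the two options in the question.

```python
"""ESP tunnel-mode overhead calculator (added example, not part of the original post)."""
from dataclasses import dataclass

IPV4_HEADER = 20   # outer IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP header when NAT traversal encapsulation is active


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # IV bytes carried in the ESP payload
    align: int     # (inner packet + trailer) is padded to this boundary
    icv_len: int   # integrity check value appended after the trailer


# Standard ESP parameters for common suites (assumed to match the headend config).
AES_GCM = EspSuite("AES-GCM, 16-byte ICV", iv_len=8, align=4, icv_len=16)
AES_CBC_SHA1 = EspSuite("AES-CBC + HMAC-SHA1-96", iv_len=16, align=16, icv_len=12)
AES_CBC_SHA256 = EspSuite("AES-CBC + HMAC-SHA256-128", iv_len=16, align=16, icv_len=16)


def _fixed_overhead(suite: EspSuite, nat_t: bool) -> int:
    """Bytes added regardless of inner packet length."""
    return IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + suite.iv_len + suite.icv_len


def esp_padding(inner_len: int, suite: EspSuite) -> int:
    """Padding needed so that inner packet + trailer lands on the suite's alignment."""
    return (-(inner_len + ESP_TRAILER)) % suite.align


def outer_packet_size(inner_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Size on the wire of an inner packet of inner_len bytes after ESP tunnel encapsulation."""
    return _fixed_overhead(suite, nat_t) + inner_len + esp_padding(inner_len, suite) + ESP_TRAILER


def max_inner_mtu(outer_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulated size does not exceed outer_mtu (the 'effective MTU')."""
    room = outer_mtu - _fixed_overhead(suite, nat_t)
    usable = room - (room % suite.align)   # padded body must still fit
    return usable - ESP_TRAILER


def df_outcome(inner_len: int, path_mtu: int, suite: EspSuite,
               nat_t: bool = False, icmp_allowed: bool = True) -> str:
    """What a DF-marked inner packet experiences on a path with the given outer MTU."""
    if outer_packet_size(inner_len, suite, nat_t) <= path_mtu:
        return "forwarded"
    if icmp_allowed:
        return "dropped, sender learns via ICMP Fragmentation Needed"
    # The failure mode from the question: DF set, ICMP filtered, so the sender never adapts.
    return "dropped silently (PMTUD black hole)"


def report(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> None:
    eff = max_inner_mtu(path_mtu, suite, nat_t)
    print(f"{suite.name:28s} NAT-T={nat_t!s:5s} outer MTU {path_mtu:5d} -> effective MTU {eff}")


if __name__ == "__main__":
    for mtu in (1500, 9001):            # non-jumbo path vs. DX private VIF jumbo frames (assumed)
        for suite in (AES_GCM, AES_CBC_SHA1, AES_CBC_SHA256):
            report(mtu, suite)
        report(mtu, AES_GCM, nat_t=True)
    print("1500-byte DF packet, 1500-byte path, ICMP filtered:",
          df_outcome(1500, 1500, AES_GCM, icmp_allowed=False))
    print("1500-byte DF packet, 9001-byte path:", df_outcome(1500, 9001, AES_GCM))
```

Running this shows why the question is hard on a 1500-byte path: with AES-GCM the effective MTU comes out at 1446 bytes (1438 with NAT-T), so every full-size DF packet is dropped and, with ICMP blocked, the sender never finds out. On a jumbo-capable DX private VIF the same encapsulation leaves well over 1500 bytes of inner MTU, which is the property the EC2-termination design relies on.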