Working around AWS VPN MTU limits
Is anyone aware of a solution/customer who has implemented the following requirements:
- They require IPsec over DX
- They need effective MTU (i.e. original packet not counting IPsec overhead) >= 1500 over IPsec as they don't/can't control host MTU settings, and they use DF
  1. They don't allow ICMP in their network so path MTU discovery is out
  2. They don't like TCP mss-adjust on the IPsec headends
One solution I can think of is EC2 IPsec termination in a VPC via Private VIF (this allows the higher MTU). Then VPC attachment (as opposed to VPN) from the VPC to a TGW and deploy automation to handle failover.
I also understand GWLB won’t help here as it’s a two-armed appliance (IPsec and ENI out towards TGW VPC attachment)
asked 2 years ago, 22 views
1 Answer
Accepted Answer
For traffic to leave a VPC with over 1500-byte MTU you need a transit VIF or private VIF (with jumbo frames enabled) or have an intermediary third-party device that fragments packets.
You'd still need fragmentation if you use GWLB unless using transit VIF or private VIF.
answered 2 years ago
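To make the sizing problem behind the question concrete, here is an added worked example (not part of the thread or of any AWS tooling) that computes ESP tunnel-mode overhead per RFC 4303 framing and shows why a 1500-byte inner packet with DF set is silently black-holed on a 1500-byte underlay when ICMP "fragmentation needed" is blocked. The cipher suites, underlay MTUs and helper names are constructed assumptions for illustration.

```python
"""ESP tunnel-mode overhead and PMTUD black-hole check (constructed example).

Sizes follow RFC 4303 ESP framing; suites below are illustrative assumptions.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20   # new outer IPv4 header added in tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
NAT_T_UDP = 8     # extra UDP header when NAT-T (UDP/4500) encapsulation is used


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # explicit IV / nonce bytes carried on the wire
    block: int     # padding alignment: cipher block size (4 for AEAD per RFC 4303)
    icv_len: int   # integrity check value length


AES_CBC_SHA256 = EspSuite("AES-CBC + HMAC-SHA256-128", iv_len=16, block=16, icv_len=16)
AES_GCM_128 = EspSuite("AES-GCM-128 (AEAD)", iv_len=8, block=4, icv_len=16)


def esp_wire_size(inner_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Bytes placed on the underlay for one inner IP packet of inner_len bytes."""
    # Payload plus the 2-byte trailer is padded up to the cipher block boundary.
    unpadded = inner_len + ESP_TRAILER
    padded = -(-unpadded // suite.block) * suite.block   # ceil to block multiple
    total = OUTER_IPV4 + ESP_HDR + suite.iv_len + padded + suite.icv_len
    return total + (NAT_T_UDP if nat_t else 0)


def max_inner_mtu(underlay_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner packet that fits underlay_mtu without outer fragmentation."""
    inner = underlay_mtu
    while esp_wire_size(inner, suite, nat_t) > underlay_mtu:
        inner -= 1
    return inner


def df_packet_fate(inner_len: int, underlay_mtu: int, suite: EspSuite,
                   icmp_allowed: bool, nat_t: bool = False) -> str:
    """What happens to a DF=1 inner packet: forwarded, PMTUD signal, or silent drop."""
    if esp_wire_size(inner_len, suite, nat_t) <= underlay_mtu:
        return "forwarded"
    # Oversized and DF set: the headend must send ICMP "fragmentation needed";
    # if the network filters ICMP, the sender never learns and the flow stalls.
    return "icmp-frag-needed" if icmp_allowed else "black-holed"
```

With a 1500-byte underlay the largest inner packet is 1438 bytes for AES-CBC/SHA-256 and 1446 bytes for AES-GCM, which is why a jumbo-capable private or transit VIF underlay is needed to carry 1500-byte DF packets unfragmented.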