By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Working around AWS VPN MTU limits

0

Is anyone aware of a solution/customer who has implemented the following requirements:

  1. They require IPsec over DX
  2. They need effective MTU (i.e. original packet not counting IPsec overhead) >= 1500 over IPsec as they don't/can't control host MTU settings, and they use DF 1. They don’t allow ICMP in their network so path MTU discovery is out 2. They don’t like TCP mss-adjust on the IPsec headends

One solution I can think of is EC2 IPsec termination in a VPC via Private VIF (this allows the higher MTU). Then VPC attachment (as opposed to VPN) from the VPC to a TGW and deploy automation to handle failover.

I also understand GWLB won’t help here as it’s a two-armed appliance (IPsec and ENI out towards TGW VPC attachment)

Topics
Networking & Content Delivery
Tags
Networking & Content DeliveryAWS Transit Gateway
Language
English
AWS
Sev_G
asked 3 years ago945 views
1 Answer
0
Accepted Answer

For traffic to leave a VPC with over 1500 byte MTU you need a transit VIF or private VIF (with jumbo frames enabled) or have an intermediary third-party device that fragments packets.

You'd still need fragmentation if you use GWLB unless using transit VIF or private VIF.

profile pictureAWS
AWS-James-Devine
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content