Just curious about what the config parameter "set ipsec vpn xxxx df-bit clear" is meant to be doing.
Quoting from KB25625 [http://kb.juniper.net/InfoCenter/index?page=content&id=KB25625&actp=search]:
"The default behavior of DF-bit, when the traffic goes to the IPSec tunnel, is to not change the DF-bit of the inner IP header and clear the DF-bit flag on the outer IP header."
The default behavior for the outer header is DF=0.
I was looking to clear the DF bit of the inner IP header setting it to 0 in an IPSec VPN setup, same as could be done on a GRE tunnel with "set interfaces gr-x/x/x.x clear-dont-fragment-bit". I thought "set security ipsec vpn xxxx df-bit clear" would do the trick, but
# set df-bit ?
Possible completions:
  clear    Clear DF bit of outer header
  copy     Copy DF bit from inner header
  set      Set DF bit of outer header
Is there any way to clear the DF bit of the inner header in an IPSec VPN tunnel?
I see no reason to set the inner header DF bit value ...
If the DF bit is set in the inner IP header, it MUST be set in the outer IP header; if the DF bit is not set in the inner IP header, it MAY be set in the outer IP header.
Unless the experts of the forum see something else.
Thanks for the reply.
Issue being faced is some HTTP application has DF=1 (Don't Fragment) in the IP header and the traffic is being dropped midway to the destination. If the inner DF-bit is not copied to the outer header in IPSec, ICMP Type 3 Code 4 is not transmitted back to the source by the SRX and traffic is getting dropped.
After adding "set ipsec vpn xxxx df-bit copy" to the IPSec tunnel config, ICMP Type 3 Code 4 is being relayed to the source, allowing for TCP window resizing. Very often ICMP is filtered, and relying on ICMP Type 3 Code 4 is not what we want in this case.
Before copying the DF bit from inner to outer header:
When we send ICMP with DF=0 and large sized packets, fragmentation is happening and we are receiving the ICMP replies.
When we send ICMP with DF=1 and large sized packets, no ICMP replies are being received.
This indicates that when DF=0 for large packets, fragmentation is happening and working correctly.
Was looking for some solution where the original DF bit in the IP header can be cleared.
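To make the three df-bit modes and their effect on path MTU discovery concrete, here is an added Python model of the behaviour described in this thread (it is not code from the forum or from Juniper). ESP_OVERHEAD and PATH_MTU are assumed, constructed figures; the model stops at "fragmented" and does not decide whether those outer fragments survive the rest of the path, which is the part that went wrong for the poster.

```python
from dataclasses import dataclass

# Constructed figures for illustration only. Real ESP overhead depends on the
# cipher, integrity algorithm and NAT-T; the real bottleneck MTU depends on the path.
ESP_OVERHEAD = 58     # assumed: outer IPv4 header + ESP header/IV/padding/ICV, bytes
PATH_MTU = 1500       # assumed MTU of the narrowest link between the two peers


@dataclass
class Packet:
    size: int          # total IPv4 length of the inner (cleartext) packet
    df: bool           # Don't Fragment flag in the inner header


def outer_df(mode: str, inner_df: bool) -> bool:
    """Outer-header DF for the three 'set security ipsec vpn X df-bit' modes."""
    if mode == "clear":
        return False            # default on SRX: outer DF is always 0
    if mode == "copy":
        return inner_df         # mirror the inner flag into the outer header
    if mode == "set":
        return True             # outer DF is always 1
    raise ValueError(f"unknown df-bit mode: {mode}")


def encapsulate_and_forward(pkt: Packet, mode: str) -> str:
    """Fate of one tunnelled packet at a bottleneck of PATH_MTU bytes.

    'delivered'        - outer packet fits the path MTU
    'fragmented'       - outer DF=0, a router on the path fragments the ESP packet
    'icmp_frag_needed' - outer DF=1, the router drops it and sends ICMP type 3
                         code 4 back to the tunnel endpoint, which can relay the
                         error to the original source so it lowers its MSS/PMTU
    """
    outer_size = pkt.size + ESP_OVERHEAD
    if outer_size <= PATH_MTU:
        return "delivered"
    if outer_df(mode, pkt.df):
        return "icmp_frag_needed"
    return "fragmented"


def rfc_consistent(mode: str, inner_df: bool) -> bool:
    """The rule quoted in the reply above: inner DF=1 MUST give outer DF=1,
    inner DF=0 MAY give either. Only 'copy' and 'set' satisfy it for DF=1."""
    return (not inner_df) or outer_df(mode, inner_df)


def compare_modes(pkt: Packet) -> dict:
    """Outcome of the same packet under each df-bit mode, for a quick comparison."""
    return {m: encapsulate_and_forward(pkt, m) for m in ("clear", "copy", "set")}
```

Running compare_modes(Packet(1500, True)) shows the poster's situation: under the default "clear" the oversized DF=1 packet is silently fragmented on the path instead of triggering the ICMP error that "copy" would relay back to the source.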