Monday, November 21, 2011

MTU of ipsec GRE

MTU from http://www.faqs.org/rfcs/rfc1122.html

         The maximum transmission unit, i.e., the size of the largest packet that can be transmitted.

         The terms frame, packet, datagram, message, and segment are
         illustrated by the following schematic diagrams:

         A. Transmission on connected network:
           _______________________________________________
          | LL hdr | IP hdr |         (data)              |
          |________|________|_____________________________|

           <---------- Frame ----------------------------->
                    <----------Packet -------------------->

         B. Before IP fragmentation or after IP reassembly:
                    ______________________________________
                   | IP hdr | transport| Application Data |
                   |________|____hdr___|__________________|

                    <--------  Datagram ------------------>
                             <-------- Message ----------->
           or, for TCP:
                    ______________________________________
                   | IP hdr |  TCP hdr | Application Data |
                   |________|__________|__________________|

                    <--------  Datagram ------------------>
                             <-------- Segment ----------->


MTU explanation copied from http://packetlife.net/blog/2008/nov/5/mtu-manipulation/



Overhead calculation of GRE over IPSec (assume ESP-DES & ESP-MD5-HMAC):

ESP overhead (with authentication) : 31 ~ 38 bytes

GRE header: 24 bytes

IP header: 20 bytes


GRE over IPSec in tunnel mode introduces ~75 bytes of overhead. GRE over IPSec in transport mode introduces ~55 bytes of overhead.


http://ieoc.com/forums/t/10365.aspx
http://packetlife.net/blog/2008/nov/5/mtu-manipulation/
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Solutions for GRE over IPsec:

1. tunnel path-mtu-discovery on the tunnel interface
2. Use the ip tcp adjust-mss command on the tunnel interfaces
3. Use policy routing on the ingress interface of the router and configure a route map to clear the DF bit in the data IP header before it gets to the GRE tunnel interface.

route-map CLEAR-DF permit 10
 set ip df 0
!
interface <LAN>
 ip policy route-map CLEAR-DF
!


4. Increase the "ip mtu" on the GRE tunnel interface to be equal to the outbound interface MTU. This will allow the data IP packet to be GRE encapsulated without fragmenting it first. The GRE packet will then be IPsec encrypted and then fragmented to go out the physical outbound interface. In this case you would not configure tunnel path-mtu-discovery command on the GRE tunnel interface. This can dramatically reduce the throughput because IP packet reassembly on the IPsec peer is done in process-switching mode.   
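The overhead figures above, and the "ip mtu" and "ip tcp adjust-mss" values that solutions 2 and 4 ask you to choose, can be worked out per packet rather than estimated. The Python below is an added example, not code from the original post or from Cisco. It assumes the ESP-DES / ESP-MD5-HMAC combination named above with the RFC 2406 field layout (SPI plus sequence number 8 bytes, DES-CBC IV 8 bytes, padding to the 8-byte cipher block, pad-length and next-header 2 bytes, HMAC-MD5-96 ICV 12 bytes), reads the page's 24-byte GRE figure as a 4-byte GRE header plus a 20-byte delivery IP header, and takes a 1500-byte physical link. All function and constant names are the example's own.

```python
"""GRE over IPsec overhead model (added example, not from the original post).

Assumptions: ESP-DES with ESP-MD5-HMAC, so ESP consists of SPI + sequence
number (8), DES-CBC IV (8), padding to the 8-byte cipher block, pad-length +
next-header (2) and a 96-bit HMAC ICV (12).  GRE encapsulation adds 4 bytes
of GRE header plus a 20-byte delivery IP header (the page's "GRE header:
24 bytes"); ESP tunnel mode adds a further 20-byte outer IP header.
"""

ESP_SPI_SEQ = 8      # SPI (4) + sequence number (4)
ESP_IV = 8           # DES-CBC initialisation vector
ESP_BLOCK = 8        # DES cipher block size; padding aligns to this
ESP_TRAILER = 2      # pad length (1) + next header (1)
ESP_ICV = 12         # HMAC-MD5-96 integrity check value
GRE_ENCAP = 24       # 4-byte GRE header + 20-byte delivery IP header
OUTER_IP = 20        # extra outer IP header added by ESP tunnel mode
IP_TCP_HEADERS = 40  # IPv4 (20) + TCP (20), used to derive MSS from MTU


def esp_padding(plain_len):
    """Bytes of ESP padding so that plaintext + trailer fills whole cipher blocks."""
    return (-(plain_len + ESP_TRAILER)) % ESP_BLOCK


def esp_overhead(plain_len):
    """Total ESP overhead for a plaintext of plain_len bytes.

    The padding term makes this vary with the inner length, which is why
    the ESP overhead is quoted as a range rather than a single number.
    """
    return ESP_SPI_SEQ + ESP_IV + esp_padding(plain_len) + ESP_TRAILER + ESP_ICV


def encapsulated_size(inner_len, mode="tunnel"):
    """Bytes on the wire for an inner IP packet after GRE, then ESP, encapsulation."""
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be 'tunnel' or 'transport'")
    gre_packet = inner_len + GRE_ENCAP           # the GRE packet is the ESP plaintext
    size = gre_packet + esp_overhead(gre_packet)
    if mode == "tunnel":
        size += OUTER_IP                          # tunnel mode adds a new outer IP header
    return size


def max_inner_mtu(link_mtu=1500, mode="tunnel"):
    """Largest inner IP packet that leaves the physical interface unfragmented.

    Padding depends on length, so scan down from the link MTU instead of
    subtracting a fixed overhead.  The result is the ceiling for 'ip mtu'
    on the tunnel interface (solution 4 sets it to the outbound MTU instead
    and accepts fragmentation of the encrypted packet).
    """
    for inner in range(link_mtu, 0, -1):
        if encapsulated_size(inner, mode) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any encapsulated packet")


def adjust_mss(inner_mtu):
    """TCP MSS for 'ip tcp adjust-mss' so full segments fit within inner_mtu."""
    return inner_mtu - IP_TCP_HEADERS


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        mtu = max_inner_mtu(1500, mode)
        print(f"{mode:9s}: ip mtu {mtu}  ip tcp adjust-mss {adjust_mss(mtu)}")
    # A full 1500-byte inner packet always overflows a 1500-byte link:
    print("1500-byte inner packet, tunnel mode:",
          encapsulated_size(1500, "tunnel"), "bytes on the wire")
```

The scan in max_inner_mtu makes the point the fixed-figure arithmetic hides: because ESP pads to the cipher block, two inner packets that differ by one byte can differ by eight bytes on the wire, so the largest packet that fits is not simply the link MTU minus a constant. Choosing a round "ip mtu" somewhat below the computed maximum, and "ip tcp adjust-mss" 40 bytes below that, leaves headroom for that variation.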
