25-40
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Configuring VPN Global General Settings
Use the General Settings tab of the VPN Global Settings page to define fragmentation settings including
maximum transmission unit (MTU) handling parameters for site-to-site and remote access VPNs.
Fragmentation breaks a packet into smaller units when it is transmitted over a physical interface that
cannot support the original size of the packet. Fragmentation minimizes packet loss in a VPN tunnel,
because it enables transmission of secured packets that might otherwise be too large to transmit. This is
particularly relevant when using GRE, because any packet of more than 1420 bytes will not have enough
room in its header for the additional 80 bytes that the combined use of IPsec and GRE adds to the packet
payload.
The maximum transmission unit (MTU) specifies the maximum packet size, in bytes, that an interface
can handle. If a packet exceeds the MTU, it is fragmented, typically after encryption. If the DF (Do Not
Fragment) bit is set, the packet is dropped. A DF bit is a bit within the IP header that indicates if a device
can fragment a packet. You must specify whether the device can clear, set, or copy the DF bit from the
encapsulated header.
Because reassembly of an encrypted packet is difficult, fragmentation can degrade network performance.
To prevent network performance problems, you can select Enable Fragmentation Before Encryption
so that fragmentation occurs before encryption.
Navigation Path
For remote access VPNs, do one of the following:
(Device View) Select Remote Access VPN > Global Settings from the Policy selector. Click
the General Settings tab.
(Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector.
Select an existing policy or create a new one, then click the General Settings tab.
For site-to-site VPNs, do one of the following:
Enable PAT (Port Address
Translation) on Split
Tunneling for Spokes
(Site-to-site VPNs only.)
Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
When selected, enables Port Address Translation (PAT) to be used for
split-tunneled traffic on spokes in your VPN topology.
PAT can associate thousands of private NAT addresses with a small
group of public IP address through the use of port addressing. PAT is
used if the addressing requirements of your network exceed the
available addresses in your dynamic NAT pool.
Note When you select this option, Security Manager implicitly
creates an additional NAT rule for split-tunneled traffic on
deployment. This NAT rule, which denies VPN-tunneled traffic
and permits all other traffic (using the external interface as the
IP address pool), is not reflected as a router platform policy.
For information on creating or editing a dynamic NAT rule as a router
platform policy, see NAT Page: Dynamic Rules, page 23-10.
Table25-7 VPN Global Settings Page, NAT Settings Tab (Continued)
Element Description