Chapter 6
Advanced Features
Don’t Fragment bit [force_df]
IPSec encapsulation increases the packet length. When the MTU of a link has been tuned so that the largest plain IP packet passes unfragmented, the longer IPSec-encapsulated messages will not pass if the Don’t Fragment (DF) bit is set. In some cases it may therefore be necessary to influence the fragmentation behaviour to remedy such problems.
The SpeedTouch™ allows treating the DF bit in three different ways:
Pass the DF bit unchanged.
Force the DF bit to zero. With the DF bit cleared, fragmentation is allowed.
Force the DF bit to one. With the DF bit set, fragmentation of messages is not allowed.
| force_df | Possible values | default value |
|----------|-----------------|---------------|
|          | pass            | pass          |
|          | force_set       |               |
|          | force_clear     |               |
Minimal MTU [min_mtu]
This option sets the lowest value that is accepted when the “Maximum Transmission Unit” (the largest packet size) is negotiated. Because no value lower than this minimum is accepted, the option protects against attacks that use ICMP “fragmentation needed” messages.
| min_mtu | Unit   | default value |
|---------|--------|---------------|
|         | octets | 1000          |
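The following Python is an added illustration and is not code from the SpeedTouch manual: it models the three force_df settings on a constructed IPv4 header (recomputing the header checksum) and the min_mtu floor applied to the next-hop MTU carried in an ICMP “fragmentation needed” message. The function and field names are assumptions for the example.

```python
import struct

DF_FLAG = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset word

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over the 16-bit words of the header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(total_length: int, df: bool) -> bytes:
    """Constructed 20-byte IPv4 header (TTL 64, protocol 50 = ESP, RFC 5737 test addresses)."""
    flags_frag = DF_FLAG if df else 0
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                                flags_frag, 64, 50, 0, bytes([192, 0, 2, 1]),
                                bytes([198, 51, 100, 1])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def df_set(header: bytes) -> bool:
    return bool(struct.unpack_from("!H", header, 6)[0] & DF_FLAG)

def checksum_valid(header: bytes) -> bool:
    # A header carrying a correct checksum sums to 0xFFFF, so its complement is 0.
    return ipv4_checksum(header) == 0

def apply_force_df(header: bytes, mode: str) -> bytes:
    """Apply one force_df setting (pass / force_set / force_clear) and fix the checksum."""
    flags_frag = struct.unpack_from("!H", header, 6)[0]
    if mode == "force_set":
        flags_frag |= DF_FLAG
    elif mode == "force_clear":
        flags_frag &= ~DF_FLAG & 0xFFFF
    elif mode != "pass":
        raise ValueError("unknown force_df value: " + mode)
    hdr = bytearray(header)
    struct.pack_into("!H", hdr, 6, flags_frag)
    struct.pack_into("!H", hdr, 10, 0)  # zero the checksum field before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def accepted_pmtu(icmp: bytes, min_mtu: int = 1000):
    """Path MTU learned from an ICMP 'fragmentation needed' (type 3, code 4) message,
    floored at min_mtu so such a message cannot push the tunnel below the configured minimum."""
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack_from("!BBHHH", icmp, 0)
    if icmp_type != 3 or code != 4:
        return None  # not a fragmentation-needed message; nothing to learn
    return max(next_hop_mtu, min_mtu)
```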
Add Route [add_route]
This option is relevant in routed mode only. It determines whether or not routes are added automatically to the routing table.
When enabled, a route to the remote red network is automatically added to the routing table, via the Physical Interface of the peer to which the connection is attached.
When disabled, the routing table has to be adapted manually in order to ensure IP connectivity between the local and remote red networks.
| add_route | Possible values | default value |
|-----------|-----------------|---------------|
|           | enabled         | enabled       |
|           | disabled        |               |