Support User Manuals

Cisco Systems CL-28826-01 Security Camera User Manual

Open as PDF

of 2616

25-41

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 25 Configuring IKE and IPsec Policies

Configuring VPN Global Settings

–

Open the Site-to-Site VPN Manager Window, page 24-18, select a topology in the VPNs

selector, then select VPN Global Settings in the Policies selector. Click the General Settings

tab.

–

(Policy view) Select Site-to-Site VPN > VPN Global Settings from the Policy Types selector.

Select an existing shared policy or create a new one, then click the General Settings tab.

Related Topics

• Configuring VPN Global Settings, page 25-29

Field Reference

Table 25-8 VPN Global Settings Page, General Settings Tab

Element Description

Fragmentation Settings

Fragmentation Mode

Local MTU Size

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

Fragmentation minimizes packet loss in a VPN tunnel when packets are

transmitted over a physical interface that cannot support the original

size of the packet. Select the fragmentation mode:

• No Fragmentation—Do not fragment before IPsec encapsulation.

After encapsulation, the device fragments packets that exceed the

MTU setting before transmitting them through the public interface.

• End to End MTU Discovery—Use ICMP messages to determine

the maximum MTU. Use this option with IPsec VPNs.

End-to-end MTU discovery uses Internet Control Message

Protocol (ICMP) messages to determine the maximum MTU that a

host can use to send a packet through the VPN tunnel without

causing fragmentation. The MTU setting for each link in a

transmission path is checked to ensure that no transmitted packet

exceeds the smallest MTU in that path. The discovered MTU is

used to decide whether fragmentation is necessary. If ICMP is

blocked, MTU discovery fails and packets are either lost (if the DF

bit is set) or fragmented after encryption (if the DF bit is not set).

Note (Site-to-site VPNs) For Catalyst 6500/7600 devices, end-to-end

path MTU discovery is supported only on images 12.2(33)SRA,

12.2(33)SRB, 12.2(33)SXH, 12.2(33)SXI or above.

• Local MTU Handling—Set the MTU locally on the devices. This

option is typically used when ICMP is blocked or in site-to-site

IPsec/GRE VPNs. If you select this option, specify the local MTU

size, which can be between 68 and 65535 bytes depending on the

VPN interface.

previous next