MTU/MSS Oddness?

We have an IKEv2 IPSec tunnel between two Sophos XG Firewall appliances in a corporate system for a remote site.

We don't have any specialized MSS or MTU settings other than what the IPSec tunnel already applies.

Our IPSec configuration profile for the handshake of IKEv2 IPSec tunnels fits the following profile:

... and the tunnel is established.

HOWEVER, we're seeing a huge skew from expected traffic - the MSS is 1382 bytes, but we don't seem to be able to replicate this in our calculations.

MTU on the actual network links between everything is 1500 MTU (ISP uplink, Ethernet MTUs internally, etc.), so we're head-scratching a little bit here on how the MSS is being calculated here.

If this is, ultimately, a cause of the Sophos XG IPSec tunnel doing MSS clamping internally, then this makes sense, but a breakdown of its encapsulation and calculations would be appreciated if someone is privy to the 'defaults' at play here. Expected MSS per all sane calculations would STILL be a standard 1472, except between the two XGs it's much lower than that, so if anyone's familiar with why this is the case, your insight would be appreciated - it makes zero sense logically.
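
The encapsulation arithmetic asked about above, as an added example that is not part of the original post and not Sophos code: it applies the generic ESP tunnel-mode packet layout (RFC 4303) to a 1500-byte link MTU. The cipher suites and the NAT-T setting are assumptions, because the tunnel's actual profile is not shown on the page, and whether the XG derives its clamp this way is not confirmed here.

```python
"""Generic ESP tunnel-mode overhead arithmetic (RFC 4303 packet layout)."""
from dataclasses import dataclass

IPV4_HEADER = 20      # outer or inner IPv4 header, no options
TCP_HEADER = 20       # TCP header, no options
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
NAT_T_UDP = 8         # UDP/4500 encapsulation header (RFC 3948)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int       # per-packet IV carried in front of the ciphertext
    block_len: int    # ciphertext alignment (padding granularity)
    icv_len: int      # truncated integrity check value


# Assumed example suites; the page does not list the tunnel's actual profile.
AES_CBC_SHA1 = EspSuite("AES-CBC + HMAC-SHA1-96", 16, 16, 12)
AES_CBC_SHA256 = EspSuite("AES-CBC + HMAC-SHA2-256-128", 16, 16, 16)
AES_GCM_16 = EspSuite("AES-GCM (16-byte ICV)", 8, 4, 16)


def max_inner_packet(link_mtu: int, suite: EspSuite, nat_t: bool) -> int:
    """Largest inner IP packet that fits in one unfragmented ESP packet."""
    fixed = IPV4_HEADER + ESP_HEADER + suite.iv_len + suite.icv_len
    if nat_t:
        fixed += NAT_T_UDP
    room = link_mtu - fixed                      # bytes left for ciphertext
    aligned = room - (room % suite.block_len)    # ciphertext is block-aligned
    return aligned - ESP_TRAILER                 # trailer sits inside ciphertext


def tcp_mss(link_mtu: int, suite: EspSuite, nat_t: bool) -> int:
    """TCP MSS for the inner flow: inner packet minus inner IPv4 + TCP headers."""
    return max_inner_packet(link_mtu, suite, nat_t) - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for suite in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM_16):
        for nat_t in (False, True):
            mss = tcp_mss(1500, suite, nat_t)
            print(f"{suite.name:30} NAT-T={nat_t!s:5} MSS={mss}")
```

Under the assumed AES-CBC suites with NAT-T enabled, this arithmetic gives an inner packet of 1422 bytes and an MSS of 1382; comparing the table against the negotiated proposal and the NAT-T state on both appliances shows whether the observed value is plain ESP overhead.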


