Configuring the DF bit of IPsec packets
Perform this task to configure the Don't Fragment (DF) bit in the new IP header of IPsec packets in one of the following ways:
clear—Clears the DF bit in the new header.
set—Sets the DF bit in the new header.
copy—Copies the DF bit in the original IP header to the new IP header.
You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the interface uses the system-view DF bit setting.
Follow these guidelines when you configure the DF bit:
The DF bit setting takes effect only in tunnel mode, and it changes the DF bit in the new IP header rather than the original IP header.
Configure the same DF bit setting on the interfaces where the same IPsec policy bound to a source interface is applied.
If the DF bit is set, the devices on the path cannot fragment the IPsec packets. To prevent IPsec packets from being discarded, make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.
To configure the DF bit of IPsec packets on an interface:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the DF bit of IPsec packets on the interface. | ipsec df-bit { clear | copy | set } | By default, the interface uses the global DF bit setting. |
To configure the DF bit of IPsec packets globally:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the DF bit of IPsec packets globally. | ipsec global-df-bit { clear | copy | set } | By default, IPsec copies the DF bit in the original IP header to the new IP header. |