Black Box ET0100A Appliance Trim Kit User Manual


 
ETEP Configuration
310 EncrypTight User Guide
Ignore DF Bit
When the ETEP is configured for use in Layer 3 IP encryption policies, the Ignore DF Bit setting on the
local port is enabled by default. With it enabled, the ETEP ignores the “do not fragment” (DF) bit in the
IP header and fragments outbound packets that exceed the MTU of the system. Use this setting under
the following conditions:
• Reassembly mode is set to gateway
• ICMP is blocked at the firewall
• Path MTU (PMTU) discovery isn’t working
A symptom of a PMTU problem is a network that operates normally when traffic passes in the clear but
loses packets when encryption is turned on. The encryption header adds bytes to every packet, so a
packet that just fits the MTU in the clear no longer fits once encrypted; if the ICMP messages that PMTU
discovery relies on are blocked, the sender never learns to reduce its packet size, and packets with the
DF bit set are silently lost.
You can override the default behavior by disabling Ignore DF Bit on the local port. The ETEP then
discards packets in which the DF bit is set and whose length, including the encryption header, exceeds
the PMTU.
Related topic:
“Reassembly Mode” on page 310
Reassembly Mode
The reassembly mode setting applies to packets entering the ETEP’s local port that are subject to
fragmentation. This setting specifies whether packets are fragmented before or after they are encrypted
and who performs the reassembly of the fragmented packet: the destination host or gateway.
The reassembly mode option is available only when the ETEP’s Encryption Policy Setting is set to Layer
3:IP. When the Encryption Policy Setting is set to Layer 2:Ethernet, packets that are subject to
fragmentation are encrypted prior to fragmentation. Layer 2 jumbo packets that exceed the PMTU are
discarded. The Encryption Policy Setting is configured on the Features tab.
Table 89 Ignore DF Bit settings

Setting    Description
Enabled    The ETEP ignores the DF bit in the IP header and fragments outbound packets greater than
           the MTU of the system. This setting is automatically enabled when the reassembly mode is
           set to gateway.
Disabled   The ETEP acts in accordance with the DF bit setting in the IP header.
Table 90 Reassembly mode settings

Setting    Description
Gateway    This setting is recommended for ETEP-ETEP encryption. Packets are encrypted first and
           then fragmented based on the new packet size, which includes the encryption header. This
           behavior is consistent with RFC 2401. The gateway (ETEP) performs the reassembly.
           When the reassembly mode is set to gateway, the Ignore DF Bit setting is automatically
           enabled.
Host       This setting is required for the ETEPs to interoperate successfully with some security
           gateways. Packets are fragmented before they are encrypted, and the encryption header is
           added to each packet fragment. The destination host performs the reassembly.
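The following is an added example, not code from the EncrypTight User Guide or the ETEP itself. It models in pure Python how the Ignore DF Bit setting (Table 89) and the reassembly mode (Table 90) together decide whether an outbound Layer 3 packet is encrypted as-is, fragmented before or after encryption, or discarded, and it reproduces the PMTU symptom described above (a packet that passes in the clear but is lost once encryption is on). The sizes MTU, IP_HDR and HDR_OVERHEAD are assumptions chosen for illustration; the guide does not state the encryption header's length.

```python
# Added example (not the guide's or the ETEP's own code): a model of the
# ETEP local-port rules for Ignore DF Bit and Reassembly mode.
# MTU, IP_HDR and HDR_OVERHEAD are assumed values for illustration only.
from dataclasses import dataclass
from typing import List, Tuple

MTU = 1500           # assumed path MTU in bytes, IP header included
IP_HDR = 20          # IPv4 header without options
HDR_OVERHEAD = 50    # assumed bytes added by the encryption header/trailer


@dataclass(frozen=True)
class Packet:
    length: int              # total IP length in bytes
    df: bool                 # "do not fragment" bit set in the IP header
    encrypted: bool = False


def encrypt(pkt: Packet) -> Packet:
    """Adding the encryption header grows the packet by HDR_OVERHEAD bytes."""
    return Packet(pkt.length + HDR_OVERHEAD, pkt.df, True)


def fragment(pkt: Packet, mtu: int) -> List[Packet]:
    """IP-fragment pkt so that each fragment fits mtu; every fragment carries
    its own IP header. Fragment offsets are counted in 8-byte units, so every
    payload chunk except the last is a multiple of 8 bytes."""
    max_chunk = (mtu - IP_HDR) // 8 * 8
    payload = pkt.length - IP_HDR
    frags = []
    while payload > 0:
        chunk = min(max_chunk, payload)
        frags.append(Packet(IP_HDR + chunk, pkt.df, pkt.encrypted))
        payload -= chunk
    return frags


def process(pkt: Packet, mode: str, ignore_df: bool,
            mtu: int = MTU) -> Tuple[str, List[Packet]]:
    """Apply the local-port rules to one outbound Layer 3 packet.
    Returns ("forwarded", packets_on_the_wire) or ("discarded", [])."""
    if mode not in ("gateway", "host"):
        raise ValueError("reassembly mode must be 'gateway' or 'host'")
    if mode == "gateway":
        ignore_df = True            # Table 90: gateway mode forces Ignore DF Bit on
    if pkt.length + HDR_OVERHEAD <= mtu:
        return "forwarded", [encrypt(pkt)]      # fits with the header: nothing to fragment
    if pkt.df and not ignore_df:
        return "discarded", []                  # Ignore DF Bit disabled: honour DF and drop
    if mode == "gateway":
        # Encrypt first, then fragment on the new size; the peer ETEP reassembles.
        return "forwarded", fragment(encrypt(pkt), mtu)
    # Host mode: fragment first, leaving room for the header, then encrypt each
    # fragment separately; the destination host reassembles.
    return "forwarded", [encrypt(f) for f in fragment(pkt, mtu - HDR_OVERHEAD)]


def shows_pmtu_symptom(pkt: Packet, mode: str, ignore_df: bool,
                       mtu: int = MTU) -> bool:
    """The symptom named in the guide: the packet would cross the link in the
    clear but is discarded once encryption is turned on."""
    passes_in_clear = pkt.length <= mtu
    status, _ = process(pkt, mode, ignore_df, mtu)
    return passes_in_clear and status == "discarded"


if __name__ == "__main__":
    full = Packet(length=1500, df=True)   # constructed: MTU-sized packet with DF set
    for mode, ignore in (("host", False), ("host", True), ("gateway", False)):
        status, out = process(full, mode, ignore)
        print(f"mode={mode:7} ignore_df={ignore!s:5} -> {status} {[p.length for p in out]}")
    print("PMTU symptom with host mode, DF honoured:",
          shows_pmtu_symptom(full, "host", False))
```

Running it shows the three outcomes side by side: in host mode with Ignore DF Bit disabled the 1500-byte DF packet is discarded (the "works in the clear, fails encrypted" symptom); with Ignore DF Bit enabled it is split into two fragments each encrypted on its own; in gateway mode it is encrypted once and then fragmented on the larger size, so the wire carries an MTU-sized first fragment and a small trailer fragment that only the peer ETEP can reassemble.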