No IP MTU Command Needed With VTI?

Can someone explain why the IP MTU command is not needed with IPSec VTI but is with GRE?
In the INE ATC Brian references two reasons:
1. With VTI, the DF bit can be copied to the ESP header.
2. With VTI, the router can see the transform sets and calculate the available MTU for data since it knows what encryption algorithms are used.

Number 2 does not make sense to me. Why would the router not see the encryption algorithms used in the transform set with GRE?



  • 1. Correct, DF bit is copied from IP header to IPsec header. With GRE over IPsec it is not, because GRE does not copy it by default.

    2. With newer code, the router self-adjusts the MTU on the tunnel, regardless of encapsulation type (GRE only, VTI only, GRE with IPsec).
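
The MTU arithmetic behind point 2, as an added example that is not part of the thread or of any vendor's code: given the transform set, the largest inner packet that fits the path MTU follows from the ESP header, IV, padding and ICV sizes. It assumes an IPv4 outer header, ESP tunnel mode, no NAT-T, and a plain 4-byte GRE header; the function and table names are hypothetical.

```python
# Added illustration: ESP tunnel-mode overhead for a given transform set.
# Assumptions: IPv4 outer header, no NAT-T (UDP 4500), GRE without key/sequence.
# All names below are hypothetical, chosen for this example.

OUTER_IP = 20     # outer IPv4 header, no options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad-length byte + next-header byte
GRE_IP = 24       # GRE header (4) + GRE delivery IPv4 header (20)

# transform -> (IV bytes, padding alignment, ICV bytes)
TRANSFORMS = {
    "AES-CBC + HMAC-SHA1-96": (16, 16, 12),
    "3DES-CBC + HMAC-SHA1-96": (8, 8, 12),
    "AES-GCM-16": (8, 4, 16),
}

def esp_packet_size(inner_len, transform, gre=False):
    """On-the-wire size of the ESP packet carrying inner_len bytes."""
    iv, align, icv = TRANSFORMS[transform]
    plaintext = inner_len + (GRE_IP if gre else 0) + ESP_TRAILER
    padded = -(-plaintext // align) * align   # round up to the alignment
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_inner_packet(path_mtu, transform, gre=False):
    """Largest inner IP packet that is encrypted without exceeding path_mtu."""
    iv, align, icv = TRANSFORMS[transform]
    room = path_mtu - OUTER_IP - ESP_HDR - iv - icv
    room -= room % align                      # encrypted part is a whole number of blocks
    return room - ESP_TRAILER - (GRE_IP if gre else 0)

if __name__ == "__main__":
    for name in TRANSFORMS:
        for gre in (False, True):
            kind = "GRE over IPsec" if gre else "VTI (IPsec only)"
            m = max_inner_packet(1500, name, gre)
            print(f"{name:24} {kind:17} max inner {m}, wire {esp_packet_size(m, name, gre)}")
```
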

