Note: This article applies to Junos OS 11.4R3, so it has been archived.
This article describes the behavior of the df-bit flag, when the incoming clear text packet is received by the SRX device and is encapsulated for the IPSec packet.
The default behavior of
DF-bit, when the traffic goes to the IPSec tunnel, is to not change the DF-bit of the inner IP header and clear the DF-bit flag on the outer IP header.
<Command Line>
set security ipsec vpn <VPN Name> df-bit clear
<DF Bit Clear>
root> show security ipsec security-associations index 131073
ID: 131073 Virtual-system: root, VPN Name: vpn-001
Local Gateway: 120.1.1.1, Remote Gateway: 120.1.1.254
Local Identity: ipv4_subnet(any:0,[0..7]=150.1.1.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=100.1.1.0/24)
Version: IKEv1
DF-bit: clear <=========
Bind-interface: st0.0
When a large packet is DF-bit flagged, which does not exceed the ingress interface MTU, but exceeds the egress tunnel interface MTU, is received by SRX, the IP payloads will be encrypted first. Then, if the encrypted packet exceeds the tunnel interface MTU, the packet will be fragmented before ESP encapsulation and these encrypted and fragmented IP packets (one with ESP header and the other without ESP header) will be transmitted; without DF-bit being flagged.
For this scenario, SRX will not return
type=3 code=4 ICMP
to the sender and transmit fragmented packets to the IPSec peer; without DF-bit being flagged.
If the configuration is changed to
set security ipsec vpn <VPN-Name> df-bit copy, it will copy the DF-bit of the inner IP header to the outer IP header. This will return
type=3 code=4 ICMP to the sender, when it exceeds the tunnel interface MTU and encrypted and fragmented IP packets will not be transmitted.
<Command Line>
set security ipsec vpn <VPN Name> df-bit copy
<DF Bit Clear>
root> show security ipsec security-associations index 131073
ID: 131073 Virtual-system: root, VPN Name: vpn-001
Local Gateway: 120.1.1.1, Remote Gateway: 120.1.1.254
Local Identity: ipv4_subnet(any:0,[0..7]=150.1.1.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=100.1.1.0/24)
Version: IKEv1
DF-bit: copy <=========
Bind-interface: st0.0
2019-03-29: Moved article to 'archive' state, as it applies to Junos OS 11.4R3.