Junos IPSEC Tunnel to Azure & TCP-MSS

Tags: fragmentation, ipsec, juniper

I am configuring a Juniper SRX 300 Series to establish an IPSEC tunnel to Azure.

The Azure Vnet range is 192.168.10.0/23

The local range is 10.49.236.0/24.

The configuration: (relevant bits with sensitive parts replaced with $PART)

security {
    ike {
        proposal ike-proposal-azure {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-azure {
            mode main;
            proposals ike-proposal-azure;
            pre-shared-key ascii-text "$PSK";
        }
        gateway ike-gate-azure {
            ike-policy ike-policy-azure;
            address $AZUREGWPUBLICIP;
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsec-proposal-azure {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 27000;
        }
        policy ipsec-policy-azure {
            proposals ipsec-proposal-azure;
        }
        vpn ipsec-vpn-azure {
            bind-interface st0.0;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway ike-gate-azure;
                ipsec-policy ipsec-policy-azure;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-mss {
            all-tcp {
                mss 1350;
            }
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}


There are also security rules/policies to allow traffic to/from the VPN and a route for 192.168.10.0/23 pointing to st0.0.

The Problem:

PS C:\windows\system32> ping -l 1500 192.168.10.20

Pinging 192.168.10.20 with 1500 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.20:
    Packets: Sent = 4 Received = 0, Lost = 4 (100% loss),
Control-C
PS C:\windows\system32> ping -l 1400 192.168.10.20

Pinging 192.168.10.20 with 1400 bytes of data:
Reply from 192.168.10.20: bytes=1400 time=8ms TTL=127
Reply from 192.168.10.20: bytes=1400 time=7ms TTL=127

Ping statistics for 192.168.10.20:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 8ms, Average = 7ms

SMB traffic to Azure hosts is also affected.

When running Wireshark on the Azure host I see a bunch of fragments and "Fragment reassembly time exceeded" messages.
https://i.imgur.com/3c2c6uE.png
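The ping results above line up with the arithmetic of tunnel-mode ESP for the proposal in this configuration (3des-cbc, hmac-sha1-96). The following script is an added worked model, not code from the question or from Juniper; it assumes a 1500-byte outer MTU, IPv4 throughout and no NAT-T UDP encapsulation, and uses the RFC 4303 ESP layout (8-byte IV and 8-byte block for 3DES-CBC, 12-byte ICV for SHA1-96). It shows why a 1400-byte echo fits in one ESP packet while a 1500-byte echo is fragmented by the host and then its first fragment no longer fits after encapsulation, and why a TCP MSS clamp of 1350 does nothing for ICMP or SMB-over-UDP-sized datagrams that are not TCP segments.

```python
"""Model of tunnel-mode ESP overhead for the 3des-cbc / hmac-sha1-96 proposal.

Assumptions (not from the original post): outer MTU of 1500 bytes, IPv4 only,
no NAT-T (UDP 4500) encapsulation, ESP formatted per RFC 4303.
"""
import math
from dataclasses import dataclass

OUTER_IP_HDR = 20   # IPv4 header prepended in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad-length (1) + next-header (1), inside the padded region
IPV4_HDR = 20
ICMP_HDR = 8
TCP_HDR = 20        # no options


@dataclass(frozen=True)
class EspProposal:
    iv_len: int     # IV bytes placed before the ciphertext
    block: int      # cipher block size; plaintext + trailer is padded to it
    icv_len: int    # truncated HMAC length appended after the ciphertext


# 3des-cbc (8-byte block, 8-byte IV) + hmac-sha1-96 (12-byte ICV)
PAGE_PROPOSAL = EspProposal(iv_len=8, block=8, icv_len=12)


def esp_packet_size(inner_len: int, prop: EspProposal = PAGE_PROPOSAL) -> int:
    """Wire size of one ESP tunnel-mode packet carrying an inner IP packet."""
    padded = math.ceil((inner_len + ESP_TRAILER) / prop.block) * prop.block
    return OUTER_IP_HDR + ESP_HDR + prop.iv_len + padded + prop.icv_len


def ipv4_fragments(total_len: int, mtu: int = 1500) -> list[int]:
    """Fragment sizes an IPv4 host/router emits for a packet of total_len bytes.

    Every fragment except the last carries a payload that is a multiple of 8.
    """
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IPV4_HDR
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IPV4_HDR + chunk)
        payload -= chunk
    return sizes


def ping_over_tunnel(payload: int, mtu: int = 1500):
    """Model 'ping -l <payload>' through the tunnel.

    The host builds 20 IP + 8 ICMP + payload, fragments it if it exceeds the
    host MTU, and the SRX encapsulates each piece in ESP. Returns the inner
    sizes, the resulting ESP sizes, and whether any ESP packet exceeds the
    outer MTU (i.e. needs a second round of fragmentation on the WAN side).
    """
    inner = ipv4_fragments(IPV4_HDR + ICMP_HDR + payload, mtu)
    outer = [esp_packet_size(i) for i in inner]
    return inner, outer, any(o > mtu for o in outer)


def max_inner_len(mtu: int = 1500, prop: EspProposal = PAGE_PROPOSAL) -> int:
    """Largest inner IP packet that still fits in one ESP packet of <= mtu."""
    n = mtu
    while esp_packet_size(n, prop) > mtu:
        n -= 1
    return n


def tcp_segment_fits(mss: int, mtu: int = 1500) -> bool:
    """Does a full-size TCP segment for this MSS fit after ESP encapsulation?

    Only TCP honours the clamp; ICMP and UDP datagrams are unaffected by it.
    """
    return esp_packet_size(IPV4_HDR + TCP_HDR + mss) <= mtu


if __name__ == "__main__":
    for size in (1400, 1500):
        inner, outer, needs_frag = ping_over_tunnel(size)
        print(f"ping -l {size}: inner={inner} esp={outer} wan-fragmented={needs_frag}")
    print("largest inner packet that fits unfragmented:", max_inner_len())
    print("MSS 1350 fits:", tcp_segment_fits(1350))
```

Running it shows the 1400-byte echo becomes a single 1480-byte ESP packet, while the 1500-byte echo is first split by Windows into 1500- and 48-byte fragments and the 1500-byte one grows to 1552 bytes after encapsulation, so it has to be fragmented again on the WAN side. That second-round fragmentation is what the df-bit setting in the accepted answer governs; the MSS clamp only bounds TCP payloads (a 1350-byte MSS yields a 1440-byte ESP packet) and never touches ICMP.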

Best Answer

set security ipsec vpn ipsec-vpn-azure df-bit copy

This resolves the above-described issue.
