Configuring the DF bit of IPsec packets
About DF bit configuration for IPsec packets
Perform this task to configure the Don't Fragment (DF) bit in the new IP header of IPsec packets in one of the following ways:
clear—Clears the DF bit in the new header.
set—Sets the DF bit in the new header.
copy—Copies the DF bit in the original IP header to the new IP header.
You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the interface uses the system-view DF bit setting.
Restrictions and guidelines for DF bit configuration for IPsec packets
The DF bit setting takes effect only in tunnel mode, and it changes the DF bit in the new IP header rather than the original IP header.
Configure the same DF bit setting on all interfaces to which the same IPsec policy (a policy bound to a source interface) is applied.
If the DF bit is set, the devices on the path cannot fragment the IPsec packets and will discard any packet that exceeds the path MTU. To prevent IPsec packets from being discarded, make sure the path MTU is larger than the IPsec packet size (the original packet plus the new IP header and the IPsec encapsulation overhead). As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.
Configuring the DF bit of IPsec packets on an interface
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Configure the DF bit of IPsec packets on the interface.
   ipsec df-bit { clear | copy | set }
   By default, the interface uses the global DF bit setting.
Configuring the DF bit of IPsec packets globally
1. Enter system view.
   system-view
2. Configure the DF bit of IPsec packets globally.
   ipsec global-df-bit { clear | copy | set }
   By default, IPsec copies the DF bit in the original IP header to the new IP header.
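The following Python is an added illustration, not code from the configuration guide or the device. It models the interface-over-global precedence and the clear/copy/set semantics described on this page, and estimates the tunnel-mode ESP packet size so that the path MTU check from the guidelines can be made before the DF bit is set. The 20-byte outer IPv4 header, 16-byte IV and block (AES-CBC) and 12-byte ICV (HMAC-SHA1-96) are assumed cipher parameters.

```python
from typing import Optional

VALID_SETTINGS = ("clear", "copy", "set")
DEFAULT_GLOBAL = "copy"  # page: by default the original header's DF bit is copied


def effective_setting(global_setting: str = DEFAULT_GLOBAL,
                      interface_setting: Optional[str] = None) -> str:
    """Interface-view setting takes precedence; otherwise the system-view setting applies."""
    for s in (global_setting, interface_setting):
        if s is not None and s not in VALID_SETTINGS:
            raise ValueError(f"invalid DF bit setting: {s!r}")
    return interface_setting if interface_setting is not None else global_setting


def new_header_df(setting: str, original_df: bool, tunnel_mode: bool = True) -> Optional[bool]:
    """DF bit written into the new (outer) IP header.

    Returns None in transport mode: no new header is added, so the setting has no effect.
    """
    if not tunnel_mode:
        return None
    if setting == "set":
        return True
    if setting == "clear":
        return False
    return original_df  # "copy": carry the original header's DF bit over


def esp_tunnel_packet_size(inner_len: int, iv_len: int = 16,
                           block: int = 16, icv_len: int = 12) -> int:
    """Size of the tunnel-mode ESP packet that carries an inner IP packet of inner_len bytes.

    Assumed parameters: 20-byte outer IPv4 header, 8-byte SPI+sequence number,
    CBC-style IV and block padding, ESP trailer (pad length + next header), ICV.
    """
    trailer = 2
    pad = (-(inner_len + trailer)) % block  # pad so that data+trailer fills whole blocks
    return 20 + 8 + iv_len + inner_len + pad + trailer + icv_len


def path_outcome(inner_len: int, original_df: bool, path_mtu: int, setting: str) -> str:
    """What a path device does with the IPsec packet: 'forwarded', 'fragmented' or 'dropped'.

    A device on the path may fragment only when the outer DF bit is clear.
    """
    size = esp_tunnel_packet_size(inner_len)
    if size <= path_mtu:
        return "forwarded"
    return "dropped" if new_header_df(setting, original_df) else "fragmented"
```

Run it with the inner packet size and path MTU of your deployment to see whether `set` (or `copy` with DF-marked inner traffic) would lead to drops, which is the situation in which the guidelines recommend `clear`.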