\u5982\u679c\u4f60\u5728\u7528 GRE over IPSec \u96a7\u9053\uff0c\u53d1\u73b0\u5927\u6587\u4ef6\u4f20\u8f93\u901f\u5ea6\u5f02\u5e38\u4f4e\uff08\u6807\u79f0\u5343\u5146\u53ea\u80fd\u8dd1\u5230 200-300Mbps\uff09\uff0c\u5148\u522b\u6025\u7740\u52a0\u5e26\u5bbd\u3001\u6362\u8bbe\u5907\u3001\u67e5 QoS<\/strong>\uff0c\u628a\u96a7\u9053\u4e24\u7aef\u7684 MTU \u548c MSS \u94b3\u5236\u914d\u7f6e\u634b\u4e00\u904d\uff0c\u5927\u6982\u7387\u5c31\u662f\u8fd9\u513f\u51fa\u95ee\u9898\u3002<\/p>\n \u6211\u8e29\u8fc7\u7684\u5751\u544a\u8bc9\u6211\uff1a\u8fd9\u4e2a\u95ee\u9898\u7684\u6839\u672c\u539f\u56e0\u662f\u96a7\u9053\u5d4c\u5957\u540e\u7684\u534f\u8bae\u5934\u5f00\u9500\u6ca1\u6709\u7eb3\u5165 MTU \u8ba1\u7b97<\/strong>\uff0c\u6570\u636e\u5305\u5728\u7a7f\u8d8a\u96a7\u9053\u65f6\u88ab\u4e8c\u6b21\u5206\u7247\uff0c\u5185\u6838\u7684\u91cd\u7ec4\u548c\u91cd\u4f20\u628a\u6027\u80fd\u62d6\u57ae\u4e86\u3002\u4e0b\u9762\u662f\u5b8c\u6574\u7684\u6392\u67e5\u548c\u4fee\u590d\u8fc7\u7a0b\u3002<\/p>\n \u6211\u4eec\u6709\u4e2a\u8de8\u5730\u57df\u7ad9\u70b9\u4e92\u8054\u7684\u9879\u76ee\uff0cSite A\uff08\u4e0a\u6d77\u6570\u636e\u4e2d\u5fc3\uff09\u548c Site B\uff08\u5e7f\u5dde\u529e\u516c\u5ba4\uff09\u4e4b\u95f4\u9700\u8981\u52a0\u5bc6\u4e92\u901a\u3002\u62d3\u6251\u7b80\u5316\u5982\u4e0b\uff1a<\/p>\n \u7269\u7406\u94fe\u8def\u662f\u4e24\u5bb6\u8fd0\u8425\u5546\u7684\u4e13\u7ebf\uff0cWAN \u4fa7 MTU 1500\uff0c\u6ca1\u4ec0\u4e48\u7279\u522b\u7684\u3002\u4e1a\u52a1\u65b9\u8981\u6c42\u5728\u96a7\u9053\u91cc\u8dd1\u6587\u4ef6\u5171\u4eab\u548c\u6570\u636e\u5e93\u540c\u6b65\uff0c\u5bf9\u541e\u5410\u91cf\u6709\u660e\u786e\u8981\u6c42\uff08\u4e0d\u4f4e\u4e8e\u94fe\u8def\u6807\u79f0\u5e26\u5bbd\u7684 80%\uff09\u3002<\/p>\n \u73af\u5883\u7ea6\u675f\uff1a<\/strong><\/p>\n \u96a7\u9053\u5efa\u7acb\u540e\uff0c\u57fa\u7840\u8fde\u901a\u6027\u6ca1\u95ee\u9898\u3002<\/p>\n \u4f46\u7528\u5927\u5305\u6d4b\uff0c\u6216\u8005\u76f4\u63a5\u8dd1\u6587\u4ef6\u62f7\u8d1d\uff0c\u901f\u5ea6\u76f4\u63a5\u8170\u65a9\uff1a<\/p>\n \u4e1a\u52a1\u65b9\u53cd\u9988\uff1a\u6587\u4ef6\u5171\u4eab\u4e0b\u8f7d\u4e00\u4e2a 500MB \u7684\u955c\u50cf\uff0c\u8981\u8dd1\u5c06\u8fd1 15 \u79d2\uff0c\u6b63\u5e38\u5e94\u8be5 4-5 \u79d2\u3002\u7528\u6237\u6295\u8bc9\u8bf4”\u7f51\u7edc\u6162”\uff0c\u4f46\u6211\u4eec\u770b\u94fe\u8def\u5229\u7528\u7387\u53ea\u6709 30%\uff0c\u660e\u663e\u4e0d\u5bf9\u3002<\/p>\n \u5f71\u54cd\u9762\uff1a<\/strong><\/p>\n \u5148\u786e\u8ba4\u4e0d\u662f\u786c\u4ef6\u95ee\u9898\u3002<\/p>\n CPU \u4f7f\u7528\u7387\u5f88\u4f4e\uff0c\u6ca1\u6709\u5355\u6838\u74f6\u9888\u3002\u7f51\u7edc\u4e2d\u65ad\u5206\u5e03\u5747\u5300\uff0c\u8bf4\u660e\u8d1f\u8f7d\u5747\u8861\u6b63\u5e38\u3002<\/p>\n \u7528\u5927\u5305 ping \u8bd5\u8bd5\uff0c\u770b\u6709\u6ca1\u6709\u4e22\u5305\u6216\u5206\u7247\u3002<\/p>\n \u6ce8\u610f\u8fd9\u4e2a\u9519\u8bef\uff1aFragmentation needed<\/strong>\uff0c\u8bf4\u660e 1400 \u5b57\u8282\u7684\u6570\u636e\u5305\u9700\u8981\u5206\u7247\uff0c\u4f46 DF\uff08Don’t Fragment\uff09\u4f4d\u88ab\u8bbe\u7f6e\u4e86\uff0c\u8bbe\u5907\u76f4\u63a5\u62d2\u7edd\u8f6c\u53d1\u3002<\/p>\n \u6293\u5305\u9a8c\u8bc1\uff1a<\/p>\n \u6293\u5305\u7ed3\u679c\u663e\u793a\uff1a<\/p>\n \u603b\u957f\u5ea6 = 1460 + 24(GRE) + 56(ESP) + 20(\u5916\u5c42IP) = 1560 \u5b57\u8282<\/strong><\/p>\n \u8d85\u8fc7 WAN \u4fa7\u7684 MTU 1500\uff0c\u6240\u4ee5\u6570\u636e\u5305\u88ab\u5206\u7247\u3002\u4f46\u5206\u7247\u53d1\u751f\u5728\u52a0\u5bc6\u4e4b\u540e\uff0c\u800c IPSec ESP \u4e0d\u652f\u6301\u5206\u7247\uff08\u56e0\u4e3a\u6570\u636e\u88ab\u52a0\u5bc6\u4e86\uff0c\u8bbe\u5907\u65e0\u6cd5\u8bc6\u522b\u4e0a\u5c42\u534f\u8bae\uff09\uff0c\u4e8e\u662f\u6570\u636e\u5305\u76f4\u63a5\u88ab\u4e22\u5f03\u3002<\/p>\n \u8ba9\u6211\u628a\u8fd9\u4e2a\u8d26\u7b97\u6e05\u695a\uff1a<\/p>\n \u8fd9\u5c31\u662f\u95ee\u9898\u6240\u5728\uff1a\u6211\u4eec\u7684 TCP \u8fde\u63a5\u5728\u4e09\u6b21\u63e1\u624b\u65f6\u534f\u5546\u7684 MSS \u8fd8\u662f 1460\uff08\u57fa\u4e8e\u5185\u5c42\u7f51\u7edc\u7684 MTU\uff09\uff0c\u4f46\u5b9e\u9645\u6570\u636e\u5305\u7a7f\u8d8a GRE over IPSec \u96a7\u9053\u540e\uff0c\u4f53\u79ef\u81a8\u80c0\u5230 1560+\uff0c\u8bbe\u5907\u6839\u672c\u5904\u7406\u4e0d\u4e86\u3002<\/p>\n \u65b9\u6848 A\uff1a\u589e\u5927\u7269\u7406\u63a5\u53e3 MTU\uff08\u5982\u8bbe\u4e3a 9000 Jumbo Frame\uff09<\/strong><\/p>\n \u7406\u8bba\u4e0a\u53ef\u884c\uff0c\u4f46\u9700\u8981\u534f\u8c03\u8fd0\u8425\u5546\uff0c\u800c\u4e14\u4e24\u7aef\u7684\u7f51\u7edc\u8bbe\u5907\u90fd\u8981\u6539\uff0c\u98ce\u9669\u8f83\u9ad8\u3002PASS\u3002<\/p>\n \u65b9\u6848 B\uff1a\u624b\u52a8\u8bbe\u7f6e GRE \u96a7\u9053\u7684 MTU<\/strong><\/p>\n \u8fd9\u80fd\u8ba9\u5e94\u7528\u5c42\u6570\u636e\u5728\u8fdb\u5165 GRE \u96a7\u9053\u524d\u88ab\u5206\u7247\uff0c\u4f46\u95ee\u9898\u662f\uff1a<\/p>\n \u65b9\u6848 C\uff1a\u914d\u7f6e TCP MSS \u94b3\u5236\uff08\u63a8\u8350\uff09<\/strong><\/p>\n \u5728\u4e24\u7aef\u9632\u706b\u5899\u4e0a\u914d\u7f6e iptables\uff0c\u9488\u5bf9\u7a7f\u8d8a\u96a7\u9053\u7684\u6570\u636e\u5305\u4fee\u6539 TCP MSS \u503c\uff1a<\/p>\n \u8fd9\u6837\u4e09\u6b21\u63e1\u624b\u65f6\uff0c\u53cc\u65b9\u4f1a\u57fa\u4e8e MSS 1380 \u534f\u5546\u7a97\u53e3\u5927\u5c0f\uff0c\u540e\u7eed\u6570\u636e\u5305\u5c31\u4e0d\u4f1a\u8d85\u8fc7\u96a7\u9053\u627f\u8f7d\u80fd\u529b\u3002<\/p>\n \u4e3a\u4ec0\u4e48\u9009\u65b9\u6848 C\uff1a<\/strong><\/p>\n IPSec ESP \u5728\u4f20\u8f93\u6a21\u5f0f\u4e0b\uff0c\u7406\u8bba\u4e0a\u4e0d\u5e94\u8be5\u5206\u7247\uff0c\u4f46\u5982\u679c\u5e95\u5c42\u94fe\u8def\u7684 MTU \u8bbe\u7f6e\u4e0d\u5bf9\uff0c\u8fd8\u662f\u4f1a\u51fa\u95ee\u9898\u3002\u786e\u8ba4\u7269\u7406\u53e3\u7684 MTU \u662f 1500\uff08\u6807\u51c6\u503c\uff09\uff1a<\/p>\n \u4f18\u5316\u524d\u540e\u5bf9\u6bd4\uff1a<\/strong><\/p>\n tcpdump \u89c2\u5bdf\u5230\u7684\u53d8\u5316\uff1a<\/strong><\/p>\n \u4f18\u5316\u524d\uff1a<\/p>\n \u4f18\u5316\u540e\uff1a<\/p>\n TCP MSS \u94b3\u5236\u5fc5\u987b\u53cc\u5411\u914d\u7f6e<\/strong>\uff0c\u6216\u8005\u81f3\u5c11\u8ba9\u53d1\u8d77\u65b9\u7684\u89c4\u5219\u751f\u6548\u3002\u5982\u679c\u4f60\u53ea\u5728\u4e00\u7aef\u914d\u7f6e\u4e86 MSS 1380\uff0c\u4f46\u53e6\u4e00\u7aef\u56de\u590d\u65f6\u8fd8\u662f\u7528 MSS 1460 \u534f\u5546\uff0c\u5927\u5305\u8fd8\u662f\u4f1a\u51fa\u95ee\u9898\u3002<\/p>\n \u9a8c\u8bc1\u65b9\u6cd5\uff1a<\/strong><\/p>\n MSS \u94b3\u5236\u53ea\u7ba1\u4e09\u6b21\u63e1\u624b\u65f6\u7684\u534f\u5546\u503c\uff0c\u4e0d\u6539\u53d8\u5b9e\u9645\u6570\u636e\u5305\u7684 MTU<\/strong>\u3002\u5982\u679c\u4f60\u7684\u5e94\u7528\u76f4\u63a5\u53d1 UDP \u5927\u5305\uff0c\u8fd8\u662f\u4f1a\u89e6\u53d1\u5206\u7247\u3002<\/p>\n GRE \u96a7\u9053\u9ed8\u8ba4\u4f1a\u53d1 Keepalive \u5305\uff0c\u5982\u679c\u96a7\u9053 MTU \u8bbe\u7f6e\u4e0d\u5f53\uff0cKeepalive \u4e5f\u4f1a\u88ab\u5206\u7247\u6216\u4e22\u5f03\uff0c\u5bfc\u81f4\u96a7\u9053\u4e0d\u7a33\u5b9a\u3002<\/p>\n \u6709\u4e9b\u9632\u706b\u5899\u4f1a\u4e22\u5f03 ICMP “Fragmentation Needed” \u6d88\u606f\uff0c\u5bfc\u81f4\u8def\u5f84 MTU \u53d1\u73b0\u5931\u6548\u3002\u786e\u8ba4\u4e24\u7aef\u8bbe\u5907\u7684 ICMP \u4e0d\u8981\u88ab ACL \u62e6\u6389\uff1a<\/p>\n ESP \u52a0\u5bc6\u6709\u5757\u5927\u5c0f\u5bf9\u9f50\u8981\u6c42\uff08AES \u9700\u8981 16 \u5b57\u8282\u5bf9\u9f50\uff09\uff0cpadding \u53ef\u80fd\u989d\u5916\u589e\u52a0 1-16 \u5b57\u8282\u3002\u5982\u679c\u4f60\u7684\u6570\u636e\u521a\u597d\u8e29\u5728\u8fb9\u754c\u4e0a\uff0c\u53ef\u80fd\u56e0\u4e3a padding \u5bfc\u81f4\u6574\u4f53\u8d85\u8fc7 MTU\u3002<\/p>\n \u6211\u7684\u7ecf\u9a8c\u503c\uff1a<\/strong><\/p>\n \u4fdd\u5b88\u8d77\u89c1\uff0c\u6211\u4e00\u822c\u53d6 1360\uff0c\u7559 20 \u5b57\u8282\u4f59\u91cf\u3002<\/p>\n \u914d\u7f6e\u4e0a\u7ebf\u540e\uff0c\u5efa\u8bae\u6301\u7eed\u89c2\u5bdf\u4ee5\u4e0b\u6307\u6807\uff1a<\/p>\n \u5982\u679c\u6709\u6761\u4ef6\uff0c\u53ef\u4ee5\u7528 SmokePing \u6216 Prometheus + Grafana \u505a\u957f\u671f\u76d1\u63a7\uff0c\u89c2\u5bdf\u5927\u6587\u4ef6\u4f20\u8f93\u573a\u666f\u7684\u5ef6\u8fdf\u548c\u541e\u5410\u91cf\u662f\u5426\u7a33\u5b9a\u3002<\/p>\n GRE over IPSec \u96a7\u9053\u6027\u80fd\u5dee\u7684\u6839\u672c\u539f\u56e0\uff0c90% \u662f MTU \u914d\u7f6e\u95ee\u9898\u3002\u6838\u5fc3\u903b\u8f91\u5c31\u4e00\u53e5\u8bdd\uff1a\u96a7\u9053\u5d4c\u5957\u540e\u7684\u534f\u8bae\u5934\u4f1a\u5403\u6389 MTU \u7a7a\u95f4\uff0c\u5fc5\u987b\u901a\u8fc7 MSS \u94b3\u5236\u8ba9 TCP \u4e3b\u52a8\u964d\u901f<\/strong>\u3002<\/p>\n \u6392\u67e5\u601d\u8def\uff1a<\/p>\n \u522b\u5fd8\u4e86\uff1aMSS \u94b3\u5236\u53ea\u7ba1 TCP\uff0c\u4e09\u6b21\u63e1\u624b\u4e4b\u540e\u7684 UDP \u5305\u548c\u5176\u4ed6\u534f\u8bae\u8fd8\u662f\u8981\u9760\u6b63\u786e\u7684 MTU \u8bbe\u7f6e\u515c\u5e95\u3002<\/p>","protected":false},"excerpt":{"rendered":" \u96a7\u9053\u5efa\u7acb\u540e\u5c0f\u5305\u6b63\u5e38\u3001\u5927\u6587\u4ef6\u62c9\u80ef\uff0ciperf3\u6d4b\u901f\u53ea\u6709\u6807\u79f0\u5e26\u5bbd\u768430%\u3002\u6392\u67e5\u4e00\u5708\u53d1\u73b0\u4e0d\u662f\u8bbe\u5907\u6027\u80fd\u95ee\u9898\uff0c\u662fGRE\u5934+IPSec\u5934+\u53cc\u5c42IP\u5934\u52a0\u8d77\u6765\u628aMTU\u6491\u7206\u4e86\uff0c\u5185\u6838\u88ab\u8feb\u5728\u96a7\u9053\u91cc\u505a\u5206\u7247\uff0c\u6027\u80fd\u76f4\u63a5\u5d29\u7ed9\u4f60\u770b\u3002<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[468,7,10],"tags":[545,192,845,546,370,847,846],"class_list":["post-840","post","type-post","status-publish","format-standard","hentry","category-468","category-linux","category-10","tag-gre","tag-ipsec","tag-mss","tag-mtu","tag-370","tag-847","tag-846"],"views":20,"_links":{"self":[{"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/posts\/840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=840"}],"version-history":[{"count":1,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/posts\/840\/revisions"}],"predecessor-version":[{"id":857,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=\/wp\/v2\/posts\/840\/revisions\/857"}],"wp:attachment":[{"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.liaoxinghui.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n\u4e1a\u52a1\u573a\u666f<\/h2>\n
Site A (10.10.1.0\/24) Site B (10.10.2.0\/24)\n | |\n eth0: 192.168.100.1 eth0: 192.168.101.1\n | |\n GRE Tunnel (10.10.10.1) ----> GRE Tunnel (10.10.10.2)\n | |\n IPSec Overlay (WAN) IPSec Overlay (WAN)<\/code><\/pre>\n\n
\n\u73b0\u8c61\u4e0e\u5f71\u54cd\u9762<\/h2>\n
# \u5c0f\u5305 ping\uff0c\u5b8c\u5168\u6b63\u5e38\n$ ping -c 100 10.10.10.2 -s 100\nPING 10.10.10.2 (10.10.10.2) 100(128) bytes of data.\n108 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=12.3 ms\n\n# iperf3 \u5c0f\u5305\u6d4b\u8bd5\uff0c\u63a5\u8fd1\u6807\u79f0\u5e26\u5bbd\n$ iperf3 -c 10.10.10.2 -t 30 -b 1G -l 1K\n[ ID] Interval Transfer Bandwidth\n[ 4] 0.00-30.00 sec 3.52 GBytes 1007 Mbits\/sec<\/code><\/pre>\n# iperf3 \u5927\u5305\u6d4b\u8bd5\uff0c\u5d29\u4e86\n$ iperf3 -c 10.10.10.2 -t 30 -b 1G -l 64K\n[ ID] Interval Transfer Bandwidth\n[ 4] 0.00-30.00 sec 1.09 GBytes 312 Mbits\/sec<\/code><\/pre>\n\n
\n\u6392\u67e5\u8def\u5f84<\/h2>\n
\u7b2c\u4e00\u6b65\uff1a\u6392\u9664\u8bbe\u5907\u6027\u80fd\u74f6\u9888<\/h3>\n
# Site A \u67e5\u770b CPU \u548c\u7f51\u7edc\u4e2d\u65ad\u5206\u5e03\n$ top -bn1 | grep -E "Cpu(s)|softirq"\n%Cpu(s): 8.3 us, 2.1 sy, 0.0 ni, 89.2 id\n$ cat \/proc\/interrupts | grep -E "eth0|ens" | awk '{print $1, $NF}'\n39: eth0-TxRx-0\n40: eth0-TxRx-1\n41: eth0-TxRx-2\n42: eth0-TxRx-3<\/code><\/pre>\n\u7b2c\u4e8c\u6b65\uff1atcpdump \u6293\u5305\u770b\u5f02\u5e38<\/h3>\n
# \u5927\u5305 ping\uff0c-M do \u8868\u793a\u4e0d\u5206\u7247\n$ ping -c 10 10.10.10.2 -s 1400 -M do\nPING 10.10.10.2 (10.10.10.2) 1400(1428) bytes of data.\n\nFrom 192.168.100.1: icmp_seq=1 Fragmentation needed.\nping: local error: message too long, fmt: Jumbogram has bad length<\/code><\/pre>\n# \u5728 GRE \u63a5\u53e3\u4e0a\u6293\u5305\n$ tcpdump -i gre0 -nn -v -c 20\n\n# \u540c\u65f6\u5728\u7269\u7406\u53e3\u6293 ESP \u5305\n$ tcpdump -i eth0 -nn -v host <Site B \u516c\u7f51IP> and esp<\/code><\/pre>\n\n
\u7b2c\u4e09\u6b65\uff1a\u8ba1\u7b97\u534f\u8bae\u6808\u5f00\u9500<\/h3>\n
\u6807\u51c6\u4ee5\u592a\u7f51 MTU: 1500 \u5b57\u8282\n\n\u5e94\u7528\u5c42\u6570\u636e (TCP MSS): 1460 \u5b57\u8282\nTCP \u5934: 20 \u5b57\u8282\n\u5185\u5c42 IP \u5934: 20 \u5b57\u8282\nGRE \u5c01\u88c5\u5934: 4 \u5b57\u8282 (Protocol Type: 0x0800)\nGRE \u5934 (Key \u53ef\u9009): 4 \u5b57\u8282\n\u5185\u5c42 IP \u5934 (\u96a7\u9053\u573a\u666f): 20 \u5b57\u8282\nIPSec ESP \u5934: ~8 \u5b57\u8282 (SPI + \u5e8f\u5217\u53f7)\nIPSec ESP IV: 16 \u5b57\u8282\nIPSec ESP Auth Tag: 12 \u5b57\u8282\nIPSec ESP Padding: 1-16 \u5b57\u8282\nIPSec ESP Tail: 2 \u5b57\u8282\n\u5916\u5c42 IP \u5934: 20 \u5b57\u8282\n\n\u603b\u8ba1\u534f\u8bae\u5f00\u9500: 24 + 8 + 16 + 12 + 20 = 80 \u5b57\u8282 (\u4fdd\u5b88\u4f30\u7b97)\n\n\u6700\u5927\u53ef\u627f\u8f7d\u7684\u5e94\u7528\u6570\u636e: 1500 - 80 - 40 = 1380 \u5b57\u8282 (\u5982\u679c\u5185\u5c42\u7528 IPv6\uff0c\u5c31\u662f 1360)\n\n\u4f46\u901a\u5e38\u6211\u4eec\u8bf4\u7684 MSS = 1460 = 1500 - 20(IP) - 20(TCP)\n\u6240\u4ee5\u9700\u8981 MSS \u94b3\u5236\u5230: 1500 - 80 = 1420 (\u4fdd\u5b88\u503c\u53d6 1400)<\/code><\/pre>\n
\n\u6700\u7ec8\u65b9\u6848<\/h2>\n
\u65b9\u6848\u53d6\u820d<\/h3>\n
# \u5728 GRE \u63a5\u53e3\u4e0a\u8bbe\u7f6e MTU\nip link set dev gre0 mtu 1400<\/code><\/pre>\n\n
# Site A (\u4e0a\u6d77)\niptables -t mangle -A FORWARD -p tcp --syn -s 10.10.1.0\/24 -d 10.10.2.0\/24 -j TCPMSS --set-mss 1380\niptables -t mangle -A FORWARD -p tcp --syn -d 10.10.1.0\/24 -s 10.10.2.0\/24 -j TCPMSS --set-mss 1380\n\n# \u6216\u8005\u66f4\u901a\u7528\u7684\u5199\u6cd5\uff08\u5339\u914d GRE \u96a7\u9053\u53e3\uff09\niptables -t mangle -A FORWARD -o gre0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380<\/code><\/pre>\n\n
\u5b8c\u6574\u914d\u7f6e\u6b65\u9aa4<\/h3>\n
1. \u8c03\u6574 GRE \u96a7\u9053 MTU<\/h4>\n
# Site A\nip link set dev gre0 mtu 1400\nip addr show gre0 | grep -E "mtu|inet"\n# inet 10.10.10.1\/30 scope global gre0\n# mtu 1400\n\n# Site B \u540c\u6837\u914d\u7f6e\nip link set dev gre0 mtu 1400<\/code><\/pre>\n2. \u914d\u7f6e iptables TCP MSS \u94b3\u5236<\/h4>\n
# Site A\ncat >> \/etc\/sysconfig\/iptables.mangle << 'EOF'\n*mangle\n# \u9650\u5236\u4ece\u5185\u7f51\u5230\u5bf9\u7aef\u5185\u7f51\u7684 TCP MSS\n-A FORWARD -p tcp --tcp-flags SYN,RST SYN -s 10.10.1.0\/24 -d 10.10.2.0\/24 -j TCPMSS --set-mss 1380\n# \u9650\u5236\u4ece\u5bf9\u7aef\u5185\u7f51\u5230\u672c\u7aef\u5185\u7f51\u7684 TCP MSS\n-A FORWARD -p tcp --tcp-flags SYN,RST SYN -d 10.10.1.0\/24 -s 10.10.2.0\/24 -j TCPMSS --set-mss 1380\nCOMMIT\nEOF\n\n# \u52a0\u8f7d\u89c4\u5219\niptables-restore < \/etc\/sysconfig\/iptables.mangle\n\n# Site B \u540c\u6837\u914d\u7f6e\uff0c\u53ea\u662f\u7f51\u6bb5\u4e92\u6362<\/code><\/pre>\n3. \u5982\u679c\u4f7f\u7528 Cisco ISR 4331<\/h4>\n
! \u5728\u96a7\u9053\u63a5\u53e3\u4e0a\u914d\u7f6e\ninterface Tunnel0\n ip mtu 1380\n ip tcp adjust-mss 1360\n!\n! \u5728\u7269\u7406\u51fa\u53e3\u914d\u7f6e ACL\uff0c\u914d\u5408 MPF\nip access-list extended MSS_FIX\n permit gre host <Site A WAN IP> host <Site B WAN IP>\n permit esp host <Site A WAN IP> host <Site B WAN IP>\n!\nclass-map match-all MSS_FIX_CLASS\n match access-group name MSS_FIX\n!\npolicy-map MSS_FIX_POLICY\n class MSS_FIX_CLASS\n set tcp adjust-mss 1360\n!\ninterface GigabitEthernet0\/0\/1\n service-policy output MSS_FIX_POLICY<\/code><\/pre>\n4. \u786e\u8ba4 IPSec \u6ca1\u6709\u622a\u65ad\u5206\u7247<\/h4>\n
# \u786e\u8ba4 MTU\nip link show eth0 | grep mtu\n# mtu 1500\n\n# \u6d4b\u8bd5\u8def\u5f84 MTU\n$ tracepath -m 5 10.10.10.2\n 1?: [LOCALHOST] pmtu 1500\n 1: no reply\n 2: <Site B \u516c\u7f51IP> 1502\n Resume: pmtu 1500<\/code><\/pre>\n
\n\u9a8c\u8bc1\u4e0e\u8bc4\u4f30<\/h2>\n
\u9a8c\u8bc1\u65b9\u6cd5<\/h3>\n
1. ping \u5927\u5305\u6d4b\u8bd5<\/h4>\n
# \u4e4b\u524d 1400 \u62a5 Fragmentation needed\uff0c\u73b0\u5728 1400 \u5e94\u8be5\u6b63\u5e38\n$ ping -c 10 10.10.10.2 -s 1400 -M do\nPING 10.10.10.2 (10.10.10.2) 1400(1428) bytes of data.\n1408 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=13.1 ms\n\n# \u7ee7\u7eed\u5f80\u4e0a\u63a2\uff0c1472 \u5e94\u8be5\u521a\u597d\u89e6\u53d1\u95ee\u9898\uff081472 + 20 + 8 = 1500\uff0c\u63a5\u8fd1\u8fb9\u754c\uff09\n$ ping -c 5 10.10.10.2 -s 1472 -M do\n# \u8fd9\u4e2a\u5e94\u8be5\u8fd8\u662f\u80fd\u8fc7\n\n# 1500+ \u7684\u5305\u4f1a\u600e\u6837\n$ ping -c 5 10.10.10.2 -s 1473 -M do\n# \u8fd9\u4e2a\u5e94\u8be5\u5931\u8d25<\/code><\/pre>\n2. tcpdump \u786e\u8ba4 MSS \u94b3\u5236\u751f\u6548<\/h4>\n
# \u6293\u53d6 SYN \u5305\uff0c\u786e\u8ba4 MSS \u503c\n$ tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-syn != 0' -c 10\n\n# \u6b63\u5e38\u5e94\u8be5\u770b\u5230 Mss 1380 \u6216 1360\uff0c\u800c\u4e0d\u662f 1460\n# 18:32:15.123456 IP 10.10.1.10.45678 > 10.10.2.20.80: Flags [S], seq 12345, win 65535, options [mss 1380, ...]<\/code><\/pre>\n3. iperf3 \u5e26\u5bbd\u5bf9\u6bd4<\/h4>\n
# Server \u7aef\uff08Site B\uff09\n$ iperf3 -s -i 1\n\n# Client \u7aef\uff08Site A\uff09\n$ iperf3 -c 10.10.10.2 -t 60 -P 4 -b 1G -l 64K<\/code><\/pre>\n\n\n
\n \n\u6d4b\u8bd5\u573a\u666f<\/th>\n \u4f18\u5316\u524d<\/th>\n \u4f18\u5316\u540e<\/th>\n \u63d0\u5347<\/th>\n<\/tr>\n<\/thead>\n \n iperf3 -l 64K (4\u5e76\u53d1)<\/td>\n 312 Mbps<\/td>\n 942 Mbps<\/td>\n 202%<\/td>\n<\/tr>\n \n iperf3 -l 16K (\u5355\u5e76\u53d1)<\/td>\n 287 Mbps<\/td>\n 918 Mbps<\/td>\n 220%<\/td>\n<\/tr>\n \n \u5927\u6587\u4ef6 SCP (500MB)<\/td>\n ~4.2 MB\/s<\/td>\n ~11.8 MB\/s<\/td>\n 181%<\/td>\n<\/tr>\n \n TCP \u91cd\u4f20\u7387<\/td>\n 3.2%<\/td>\n 0.15%<\/td>\n \u964d\u4f4e\u4e86 95%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n
\n
\n\u5e38\u89c1\u5751<\/h2>\n
\u5751 1\uff1a\u53ea\u6539\u4e00\u8fb9<\/h3>\n
# \u5728 Site A \u6293 SYN \u5305\n$ tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-syn != 0' | grep -o "mss [0-9]*"\n# \u786e\u8ba4\u4e24\u4e2a\u65b9\u5411\u90fd\u662f 1380<\/code><\/pre>\n\u5751 2\uff1aMTU \u548c MSS \u50bb\u50bb\u5206\u4e0d\u6e05<\/h3>\n
\n
\u5751 3\uff1a\u5ffd\u7565 GRE Keepalive \u7684\u5f71\u54cd<\/h3>\n
# \u67e5\u770b GRE Keepalive \u914d\u7f6e\n$ ip -d link show gre0\n# \u5982\u679c\u6709 keepalive \u914d\u7f6e\uff0c\u786e\u8ba4\u5305\u5927\u5c0f\u4e0d\u8d85\u8fc7 MTU<\/code><\/pre>\n\u5751 4\uff1a\u8def\u5f84 MTU \u53d1\u73b0\uff08PMTUD\uff09\u88ab\u9632\u706b\u5899\u963b\u65ad<\/h3>\n
# Cisco \u8bbe\u5907\nshow access-lists | include ICMP\n# \u786e\u8ba4\u6709\u7c7b\u4f3c "permit icmp any any time-exceeded" \u7684\u89c4\u5219<\/code><\/pre>\n\u5751 5\uff1aIPSec \u7684 padding \u5bfc\u81f4\u989d\u5916\u5f00\u9500<\/h3>\n
\n\n
\n \n\u96a7\u9053\u7c7b\u578b<\/th>\n \u63a8\u8350 MSS \u94b3\u5236\u503c<\/th>\n<\/tr>\n<\/thead>\n \n \u7eaf GRE<\/td>\n 1460<\/td>\n<\/tr>\n \n GRE over IPSec (ESP-AES-128)<\/td>\n 1380<\/td>\n<\/tr>\n \n GRE over IPSec (ESP-AES-256 + SHA512)<\/td>\n 1360<\/td>\n<\/tr>\n \n IPSec \u96a7\u9053\u6a21\u5f0f (\u5e26\u65b0 IP \u5934)<\/td>\n 1340<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\u4e0a\u7ebf\u89c2\u5bdf\u6307\u6807<\/h2>\n
# 1. \u7f51\u7edc\u4e22\u5305\u548c\u91cd\u4f20\n$ sar -n EDEV 1 | grep -E "TCP|tcp"\n# \u5173\u6ce8 retrans\/s \u548c failed\/s\n\n# 2. GRE \u96a7\u9053\u72b6\u6001\n$ ip -s tunnel show\n# \u786e\u8ba4\u6ca1\u6709 errors \u548c drops\n\n# 3. iptables mangle \u8ba1\u6570\u5668\n$ iptables -t mangle -L FORWARD -v -n\n# \u786e\u8ba4 TCPMSS \u89c4\u5219\u6709\u547d\u4e2d\u8ba1\u6570\n\n# 4. \u5e26\u5bbd\u5229\u7528\u7387\n$ iftop -i gre0 -B<\/code><\/pre>\n
\n\u603b\u7ed3<\/h2>\n
\n
ping -M do -s 1400<\/code> \u786e\u8ba4\u662f\u4e0d\u662f MTU \u95ee\u9898<\/li>\ntcpdump -i gre0 -nn -v<\/code> \u770b\u6709\u6ca1\u6709\u5206\u7247\u548c\u91cd\u4f20<\/li>\n