To configure a static IP address:

• Be sure to specify an IP address (not an interface name) as the local-address in the crypto list (see Configuring crypto lists)

• Within the interface context, specify the IP address and mask using the ip address command

  For example:

  Gxxx-001(config-if:FastEthernet 10/3)# ip address 192.168.49.1 25.255.255.0

To configure a dynamic IP address, see Dynamic local peer IP

The crypto ipsec minimal-pmtu command is intended for advanced users only. It sets the minimal PMTU value which can be applied to an SA when the Branch Gateway participates in Path MTU Discovery (PMTUD) for the tunnel pertaining to that SA.

The crypto ipsec df-bit command is intended for advanced users only. It sets the Do Not Fragment (DF) bit to either clear or copy mode:

• copy. The DF bit of the encapsulated packet is copied from the original packet, and PMTUD is maintained for the IPSec tunnel.

• clear. The DF bit of the encapsulated packet is never set, and PMTUD is not maintained for the IPSec tunnel. Packets traversing an IPSec tunnel are pre-fragmented according to the MTU of the SA, regardless of their DF bit. In case packets are fragmented, the DF bit is copied to every fragment of the original packet.