IPsec MTU Adjustments
MTU can be adjusted in three ways:
- Adjusting the MTU of the physical interface the IPsec tunnel is bound to. This method affects not only the VPN traffic but all traffic traversing the physical interface.
- Changing the encryption algorithms. Stronger encryption algorithms add more overhead per packet, which leaves a lower effective MTU.
- Adjusting the MTU of the IPsec VPN interface using the command below (setting available from FortiOS 6.4).
# config system interface
edit <Phase 1 name>
set mtu-override enable
set mtu 1400
next
end
If the packet size is greater than the tunnel's MTU and the packet carries the DF bit, the DF bit is honored: the IPsec engine drops the packet and the error counters are incremented.
This behavior can be changed with the command:
set honor-df [enable|disable] // Default=enable
If the honor-df field is set to disable, FortiOS ignores the packet's DF bit and encapsulates and encrypts it anyway.
Because the encapsulated packet then exceeds the allowed MTU, FortiOS performs post-IPsec fragmentation, fragmenting the ESP packet after encryption.
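The following Python model, added here as an illustration and not code from FortiOS or from this article, ties the two points above together: it computes how much of a given outer MTU is left for the inner packet under different ESP cipher/integrity suites (the "stronger algorithms, lower MTU" effect), and it walks an oversized packet through the honor-df decision, showing the drop versus the post-IPsec fragmentation of the ESP packet. The ESP overhead figures are the standard tunnel-mode values (outer IPv4 header, SPI and sequence number, IV, block padding, pad-length/next-header trailer, ICV); the suite names, the `phys_mtu` parameter, the fragment arithmetic, and the pre-fragmentation branch for DF-clear packets are the example's own assumptions, not FortiOS internals.

```python
"""Worked model of IPsec ESP overhead and honor-df handling (constructed example).

Not FortiOS code: overhead values are the generic ESP tunnel-mode figures,
suite names and the forwarding decision are this example's assumptions.
"""
from dataclasses import dataclass

OUTER_IPV4_HEADER = 20   # new outer IP header added by tunnel mode
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)
NAT_T_UDP_HEADER = 8     # only when NAT traversal (UDP/4500) is in use


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # explicit IV carried in each ESP packet
    block: int     # alignment the plaintext+trailer must be padded to
    icv_len: int   # integrity check value appended after the ciphertext


# Assumed suite parameters (typical values, labelled as constructed):
SUITES = {
    "aes128-sha1":   EspSuite("aes128-sha1", 16, 16, 12),   # CBC + HMAC-SHA1-96
    "aes256-sha256": EspSuite("aes256-sha256", 16, 16, 16), # CBC + HMAC-SHA256-128
    "aes128gcm":     EspSuite("aes128gcm", 8, 4, 16),       # AEAD, 4-byte alignment only
}


def esp_packet_size(inner_len, suite, nat_t=False):
    """Wire size of an ESP tunnel-mode packet carrying an inner_len-byte inner IP packet."""
    pad = (-(inner_len + ESP_TRAILER)) % suite.block
    size = (OUTER_IPV4_HEADER + ESP_HEADER + suite.iv_len
            + inner_len + pad + ESP_TRAILER + suite.icv_len)
    return size + NAT_T_UDP_HEADER if nat_t else size


def max_inner_len(outer_mtu, suite, nat_t=False):
    """Largest inner IP packet that still fits outer_mtu after encapsulation."""
    n = outer_mtu
    while n > 0 and esp_packet_size(n, suite, nat_t) > outer_mtu:
        n -= 1
    return n


def ipv4_fragment(total_len, mtu):
    """IPv4 fragment sizes for a total_len packet; each repeats the 20-byte header
    and every non-final fragment carries a payload that is a multiple of 8."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - OUTER_IPV4_HEADER
    chunk = (mtu - OUTER_IPV4_HEADER) // 8 * 8
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(OUTER_IPV4_HEADER + take)
        payload -= take
    return sizes


def ipsec_forward(inner_len, df_bit, tunnel_mtu, phys_mtu, suite,
                  honor_df=True, nat_t=False):
    """What happens to one inner packet entering the tunnel. Returns (action, wire sizes):
      encapsulate  fits the tunnel MTU, one ESP packet
      drop         too large, DF set, honor-df enabled (the page's default behaviour)
      post-frag    too large, DF set, honor-df disabled: encrypt first, then fragment
                   the ESP packet to the physical MTU (post-IPsec fragmentation)
      pre-frag     too large, DF clear: assumed fragment-then-encrypt of the inner packet
    """
    if inner_len <= tunnel_mtu:
        return "encapsulate", [esp_packet_size(inner_len, suite, nat_t)]
    if df_bit and honor_df:
        return "drop", []   # a real gateway would also bump its error counter here
    if df_bit:
        whole = esp_packet_size(inner_len, suite, nat_t)
        return "post-frag", ipv4_fragment(whole, phys_mtu)
    pieces = ipv4_fragment(inner_len, tunnel_mtu)
    return "pre-frag", [esp_packet_size(p, suite, nat_t) for p in pieces]


if __name__ == "__main__":
    for name, suite in SUITES.items():
        print(f"{name:14s} max inner packet at outer MTU 1400: {max_inner_len(1400, suite)}")
    s = SUITES["aes128-sha1"]
    for honor in (True, False):
        print("honor-df", honor, "->", ipsec_forward(1500, True, 1400, 1500, s, honor_df=honor))
```

Run as a script it prints the usable inner size per suite at the page's 1400-byte tunnel MTU and then shows the same 1500-byte DF-set packet being dropped with honor-df enabled and emerging as two ESP fragments with it disabled. The padding rule is why the AES-CBC suites lose whole 16-byte blocks at once, while the GCM suite, which only needs 4-byte alignment and a shorter IV, leaves the most room.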