
IPsec MTU Adjustments

The MTU can be adjusted in three ways:

  1. Adjusting the MTU of the physical interface to which the IPsec tunnel is bound. This method affects not only the VPN traffic but all traffic traversing that physical interface.

  2. Changing the encryption algorithms. Stronger encryption algorithms add more per-packet overhead, which leaves a lower effective MTU for the inner packet.

  3. Adjusting the MTU of the IPsec VPN interface using the command below (setting available from FortiOS 6.4).

config system interface
    edit <Phase 1 name>
        set mtu-override enable
        set mtu 1400
    next
end

If a packet with the DF bit set is larger than the tunnel's MTU, the DF bit is honored: the IPsec engine drops the packet and increments the error counters.

This behavior can be changed with the honor-df setting under config system global:

config system global
    set honor-df [enable|disable]    // Default=enable
end

If honor-df is set to disable, FortiOS ignores the packet's DF bit and encapsulates and encrypts the packet anyway.

Since the encapsulated packet will then exceed the allowed MTU, FortiOS performs post-IPsec fragmentation, i.e. it fragments the ESP packet after encryption.
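The following is an added worked example (not code from the original page or from Fortinet) that quantifies point 2 above and models the honor-df decision: it estimates ESP tunnel-mode overhead for a few cipher suites, derives the largest inner packet that still fits a 1500-byte physical MTU, and returns what happens to an oversized packet depending on its DF bit and the honor-df setting. The per-suite IV, padding alignment and ICV sizes are assumptions listed in the table; real overhead also depends on NAT-T, which is modelled as an optional 8-byte UDP header.

```python
# Assumed ESP parameters per suite: (IV bytes, padding alignment, ICV bytes).
# Constructed table of typical values; not taken from the page or from FortiOS.
ALGOS = {
    "3des-sha1":     (8, 8, 12),    # CBC IV 8, pad to 8, HMAC-SHA1-96
    "aes128-sha256": (16, 16, 16),  # CBC IV 16, pad to 16, HMAC-SHA256-128
    "aes256-sha512": (16, 16, 32),  # CBC IV 16, pad to 16, HMAC-SHA512-256
    "aes128gcm":     (8, 4, 16),    # GCM IV 8, pad to 4, 16-byte ICV
}


def esp_overhead(inner_len, algo, nat_t=False):
    """Bytes added to an inner IP packet by ESP tunnel-mode encapsulation."""
    iv, align, icv = ALGOS[algo]
    # Trailer = pad + 2 bytes (pad length, next header); padded to cipher alignment.
    pad = (-(inner_len + 2)) % align
    outer_ip, udp, esp_hdr = 20, (8 if nat_t else 0), 8  # ESP header = SPI + seq
    return outer_ip + udp + esp_hdr + iv + pad + 2 + icv


def max_inner_len(phys_mtu, algo, nat_t=False):
    """Largest inner packet whose encapsulated size still fits the physical MTU."""
    for n in range(phys_mtu, 0, -1):
        if n + esp_overhead(n, algo, nat_t) <= phys_mtu:
            return n
    return 0


def ipsec_forward(inner_len, df, algo, phys_mtu=1500, honor_df=True, mtu_override=None):
    """Model of the page's behaviour: 'forward', 'drop', 'fragment' or 'post-ipsec-fragment'.

    mtu_override mirrors 'set mtu-override enable / set mtu N' on the tunnel interface.
    The page does not state how a DF-clear oversized packet is fragmented, so that
    case is reported simply as 'fragment' (assumption).
    """
    limit = max_inner_len(phys_mtu, algo)
    if mtu_override is not None:
        limit = min(limit, mtu_override)
    if inner_len <= limit:
        return "forward"
    if df and honor_df:
        return "drop"                 # DF honored: packet dropped, error counter incremented
    if df:
        return "post-ipsec-fragment"  # honor-df disabled: encrypt, then fragment the ESP packet
    return "fragment"


if __name__ == "__main__":
    for a in ALGOS:
        print(f"{a:14s} max inner packet at MTU 1500: {max_inner_len(1500, a)}")
    print(ipsec_forward(1450, True, "aes128-sha256"))
```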