IPsec MTU Varies By Encryption Algorithm

(2024-11-13)

Stronger encryption algorithms result in lower MTU values.

For example, the FortiGate sets an IPsec tunnel Maximum Transmission Unit (MTU) of:

  • 1446 for 3des-sha1

  • 1438 for aes256-sha256, aes192-sha256, aes128-sha1, aes128-sha256

  • 1422 for aes256-sha384, aes256-sha512, aes192-sha384

In the case of NAT-T:

  • 1438 for 3des-sha1

  • 1422 for aes256-sha256, aes256-sha384, aes192-sha256, aes192-sha384, aes128-sha1, aes128-sha256

  • 1406 for aes256-sha512
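
The values above can be reproduced with standard ESP tunnel-mode overhead arithmetic (RFC 4303). The following is an added example, not FortiGate code or part of the original note; it assumes a 1500-byte link MTU, an IPv4 outer header, CBC-mode ciphers, and the truncated HMAC lengths from RFC 2404 and RFC 4868. The function and table names are illustrative.

```python
# Added example: generic ESP tunnel-mode arithmetic, not vendor code.
LINK_MTU = 1500      # assumed Ethernet link MTU
OUTER_IPV4 = 20      # outer IPv4 header, no options
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NATT_UDP = 8         # UDP header added by NAT-T encapsulation (RFC 3948)

# CBC block size in bytes; the per-packet IV is one block.
CIPHER_BLOCK = {"3des": 8, "aes128": 16, "aes192": 16, "aes256": 16}
# Truncated HMAC ICV length in bytes (RFC 2404 for SHA-1, RFC 4868 for SHA-2).
ICV_LEN = {"sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32}


def tunnel_mtu(proposal, nat_t=False, link_mtu=LINK_MTU):
    """Largest inner packet that fits in one ESP packet of link_mtu bytes."""
    cipher, auth = proposal.split("-")
    block = CIPHER_BLOCK[cipher]
    fixed = OUTER_IPV4 + ESP_HEADER + block + ICV_LEN[auth]  # block == IV size
    if nat_t:
        fixed += NATT_UDP
    room = link_mtu - fixed
    # Inner packet + padding + 2-byte trailer must fill whole cipher blocks.
    return (room // block) * block - ESP_TRAILER


# Values listed on this page, keyed by NAT-T state and then by MTU.
PAGE_VALUES = {
    False: {1446: ["3des-sha1"],
            1438: ["aes256-sha256", "aes192-sha256", "aes128-sha1", "aes128-sha256"],
            1422: ["aes256-sha384", "aes256-sha512", "aes192-sha384"]},
    True: {1438: ["3des-sha1"],
           1422: ["aes256-sha256", "aes256-sha384", "aes192-sha256",
                  "aes192-sha384", "aes128-sha1", "aes128-sha256"],
           1406: ["aes256-sha512"]},
}


def mismatches():
    """Return (proposal, nat_t, listed, computed) wherever the two disagree."""
    return [(p, nat_t, listed, tunnel_mtu(p, nat_t))
            for nat_t, by_mtu in PAGE_VALUES.items()
            for listed, proposals in by_mtu.items()
            for p in proposals if tunnel_mtu(p, nat_t) != listed]


if __name__ == "__main__":
    print("mismatches against the listed values:", mismatches())
```

In this arithmetic the MTU is set by the ICV length, the cipher block size and the NAT-T UDP header, which is why aes128-sha1 and aes256-sha256 land on the same value.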