Created on 05-20-2020 12:31 AM, edited on 07-09-2025 09:49 PM, by Jean-Philippe_P
Description
This article describes how the MTU is calculated for an IPsec VPN interface on the FortiGate, and how it can be overridden or modified.
Scope
FortiGate.
Solution
First, it is essential to distinguish between two separate concepts for MTU and IPsec on the FortiGate: IPsec Interface MTU and IPsec Security Association (SA) MTU.
In FortiOS 6.2 and older, both MTU values were calculated dynamically, and an administrator could not define the MTU manually. Starting with FortiOS 6.4.0, the IPsec Interface MTU can be set manually on the IPsec tunnel interface under config system interface:
config system interface
    edit <VPN_Tunnel_Name>
        set mtu-override [enable | disable] <----- Must first be set to 'enable' for the 'mtu' option to appear.
        set mtu <68-9216> <----- Default is 1420 bytes; see the note further below regarding the maximum configurable MTU for IPsec interfaces.
    next
end
Notably, IPsec Interface MTU only affects local-out traffic from the FortiGate itself (such as running execute ping <ip_addr>), and it can be verified in the output of diagnose netlink interface list:
FortiGate # diagnose netlink interface list
[...]
if=<VPN_Tunnel_Name> family=00 type=768 index=41 mtu=1420 link=0 master=0
ref=16 state=start present fw_flags=12000000 flags=up p2p run noarp multicast
On the other hand, the IPsec SA MTU is calculated dynamically from both the Path MTU (PMTU) between the two VPN endpoints and the overhead added by the negotiated IPsec SA algorithms. This value is visible in the output of diagnose vpn tunnel list, and it is the MTU that applies to end-device traffic passing through the FortiGate VPN tunnel (such as a large ICMP ping sent from an end-user's laptop).
FortiGate # diagnose vpn tunnel list
[...]
name=<VPN_Tunnel_Name> ver=2 serial=2 192.168.202.104:0->10.15.66.1:0 nexthop=192.168.202.1 tun_id=10.15.66.1 tun_id6=::10.15.66.1 dst_mtu=1500 dpd-link=on weight=1 bound_if=27 real_if=27 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=sync-primary accept_traffic=1 overlay_id=0
[...]
proxyid=advpn2 proto=0 sa=1 ref=3 serial=6 auto-negotiate adr
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=38005/0B replaywin=1024 <---- Calculated MTU based on Path MTU and IPsec encryption/authentication settings.
Key Note for manually increasing MTU for VPN Tunnels:
The maximum configurable MTU for an IPsec interface is limited by the MTU of the VPN tunnel's parent interface. Override and increase the parent interface's MTU first; otherwise, the VPN tunnel MTU cannot be increased. Additionally, keep in mind that the IPsec SA MTU is recalculated automatically from the parent's MTU during tunnel setup (no manual adjustment required), whereas the IPsec Interface MTU must be changed manually to take advantage of the larger parent MTU.
Additional Notes:
Example - Jumbo Frames:
As an example, the following shows the before and after of setting an MTU of 9000 bytes on the 'wan1' parent interface for VPN tunnel 'advpn2':
Before:
FortiGate # diagnose netlink interface list advpn2 | grep mtu
if=advpn2 family=00 type=768 index=41 mtu=1420 link=0 master=0
FortiGate # diagnose vpn tunnel list name advpn2 | grep mtu
name=advpn2 ver=2 serial=2 192.168.202.104:0->10.15.66.1:0 nexthop=192.168.202.1 tun_id=10.15.66.1 tun_id6=::10.15.66.1 dst_mtu=1500 dpd-link=on weight=1
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=37071/0B replaywin=1024
Change:
config system interface
    edit wan1
        set mtu-override enable
        set mtu 9000
    next
end
After:
FortiGate # diagnose netlink inter list advpn2 | grep mtu
if=advpn2 family=00 type=768 index=41 mtu=1420 link=0 master=0 <----- No change unless VPN tunnel interface MTU is also manually overridden.
FortiGate # diagnose vpn tunnel list name advpn2 | grep mtu
name=advpn2 ver=2 serial=2 192.168.202.104:0->10.15.66.1:0 nexthop=192.168.202.1 tun_id=10.15.66.1 tun_id6=::10.15.66.1 dst_mtu=9000 dpd-link=on weight=1
SA: ref=6 options=1a227 type=00 soft=0 mtu=8926 expire=36602/0B replaywin=1024 <----- MTU updated based on parent interface's new MTU.
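The following Python model is an added illustration, not part of the original article, of how the SA MTU above follows from the path MTU and ESP tunnel-mode overhead. The article does not state the negotiated proposal, so the algorithm profiles are assumptions: AES-CBC with a 16-byte ICV is the profile that reproduces both 1438 (from dst_mtu=1500) and 8926 (from dst_mtu=9000), and the 12-byte jump in overhead between them is cipher-block padding, not a different algorithm.

```python
# Model of the IPsec SA MTU: the largest inner IP packet that still fits in the
# path MTU once ESP tunnel-mode encapsulation is added (IPv4 outer header, no
# NAT-T UDP encapsulation, matching the 'encap=none' output above).
OUTER_IPV4 = 20   # outer IPv4 header added in tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
NAT_T_UDP = 8     # UDP header when NAT traversal is in use

# Assumed algorithm profiles (not from the article): (IV length, block alignment, ICV length)
PROFILES = {
    "aes-cbc/sha256": (16, 16, 16),
    "aes-cbc/sha1":   (16, 16, 12),
    "aes-gcm-128":    (8, 4, 16),
}

def sa_mtu(path_mtu, profile, nat_t=False):
    """Inner MTU for a given path MTU and algorithm profile."""
    iv, block, icv = PROFILES[profile]
    fixed = OUTER_IPV4 + ESP_HEADER + iv + icv + (NAT_T_UDP if nat_t else 0)
    # Inner packet + ESP trailer must be a multiple of the cipher block size;
    # ESP padding fills the gap, so round the remaining room down to a block.
    room = (path_mtu - fixed) // block * block
    return room - ESP_TRAILER

def esp_packet_size(inner_len, profile, nat_t=False):
    """Wire size of an inner packet after encapsulation (used to check sa_mtu)."""
    iv, block, icv = PROFILES[profile]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # ceil to block size
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + padded + icv

def overhead(path_mtu, profile, nat_t=False):
    """Bytes of the path MTU consumed by ESP encapsulation for this path MTU."""
    return path_mtu - sa_mtu(path_mtu, profile, nat_t)

if __name__ == "__main__":
    # Path MTUs taken from the article's before/after example (1500 and 9000).
    for path_mtu in (1500, 9000):
        for name in PROFILES:
            m = sa_mtu(path_mtu, name)
            print(f"dst_mtu={path_mtu:<5} {name:<16} sa_mtu={m:<5} overhead={overhead(path_mtu, name)}")
```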
Related articles:
Technical Tip: How to adjust the Maximum Transmission Unit (MTU) value
Technical Tip: Setting TCP MSS value
Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained