Description
This article explains how FortiOS handles IP fragmentation when a packet larger than the relevant MTU is to traverse an IPsec tunnel interface, and which settings (honor-df, the ip-fragmentation method, and the tunnel or physical interface MTU) decide whether the packet is fragmented or dropped.
Scope
FortiOS.
Solution |
Assume an MTU size of 1100 bytes for this article.
IP fragmentation is the process of splitting packets into smaller pieces (fragments) so they can pass through a link (interface) with a smaller MTU size than the original packet. There are a number of factors to consider when the intention is to make an oversized IP packet successfully traverse an IPSec tunnel utilizing fragmentation.
Let's look at these factors/scenarios one by one:
The DF (Don't Fragment) bit is a flag in the IPv4 header that tells every device on the path from source to destination whether the packet may be fragmented: DF = 1 means fragmentation is NOT allowed; DF = 0 means the packet may be fragmented if necessary.
By default, FortiOS honors the DF bit. If DF is set to 1 (ON) on a packet that is larger than the MTU of the interface it is leaving through, the FortiGate does not fragment it; the packet is dropped. A 1500-byte packet with DF = 1 sent out an interface with an 1100-byte MTU is dropped in this scenario. The sender is expected to learn the smaller MTU through Path MTU Discovery (ICMP Type 3 Code 4, Fragmentation Needed); if that ICMP message is filtered somewhere on the path, the result is a PMTU black hole in which large packets silently disappear. The FortiGate default for honoring the DF bit is:

config system global
    set honor-df enable    <----- Honor whatever DF bit is set on the packet (default value).
end
If the packet is to be fragmented on the FortiGate regardless of the DF bit, disable 'honor-df'. Because this setting lives under 'config system global', it applies to every packet the FortiGate forwards, not only to IPsec-bound or encrypted traffic, and it overrides the sender's intent not to have its packets fragmented.

For the fragmentation to happen on the cleartext packet, before ESP encapsulation, change the ip-fragmentation method to pre-encapsulation under the IPsec phase1-interface settings:

config vpn ipsec phase1-interface
    edit <name>
        set ip-fragmentation pre-encapsulation
    end

This assumes the DF bit is off (0). If the DF bit is set to 1 (ON) and honor-df is enabled, the packet is dropped instead.
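The DF-bit handling described above, as an added Python model that is not FortiOS code and not part of the original article: it reads the DF/MF flags and fragment offset from an IPv4 header, applies the honor-df decision at egress, and, when fragmentation is allowed, splits the packet per RFC 791 so that every fragment carries its own IP header. The header bytes, addresses and identification value are constructed for the example, the header assumes no IP options, and the header checksum is left at zero.

```python
import struct

IPV4_HDR_LEN = 20  # minimal IPv4 header; the example assumes no IP options


def build_ipv4_header(total_length, df, mf=False, frag_offset=0, ident=0x1234, proto=6):
    """Build a constructed 20-byte IPv4 header for the example (checksum left as zero)."""
    ver_ihl = (4 << 4) | 5
    flags = (0x2 if df else 0) | (0x1 if mf else 0)       # 3-bit field: [reserved][DF][MF]
    flags_frag = (flags << 13) | ((frag_offset // 8) & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def parse_ipv4_flags(hdr):
    """Return total length, identification, DF, MF and fragment offset (in bytes) of an IPv4 header."""
    if len(hdr) < IPV4_HDR_LEN or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_length, ident, flags_frag = struct.unpack_from("!HHH", hdr, 2)
    return {
        "total_length": total_length,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # the header stores it in 8-byte units
    }


def egress_decision(hdr, mtu, honor_df=True):
    """Model the egress choice: 'forward' if the packet fits the MTU, otherwise 'drop'
    (DF=1 with honor-df enable, the default) or 'fragment' (DF=0, or honor-df disable)."""
    f = parse_ipv4_flags(hdr)
    if f["total_length"] <= mtu:
        return "forward"
    if f["df"] and honor_df:
        return "drop"
    return "fragment"


def fragment_ipv4(packet, mtu, honor_df=True):
    """Split an IPv4 packet into fragments that fit mtu, following RFC 791:
    offsets are multiples of 8, MF is set on all but the last fragment, DF is copied unchanged."""
    hdr, payload = packet[:IPV4_HDR_LEN], packet[IPV4_HDR_LEN:]
    f = parse_ipv4_flags(hdr)
    if f["df"] and honor_df:
        raise ValueError("DF=1 and honor-df enabled: the packet is dropped, not fragmented")
    chunk = (mtu - IPV4_HDR_LEN) // 8 * 8          # largest payload per fragment, 8-byte aligned
    if chunk <= 0:
        raise ValueError("MTU too small to carry a fragment")
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        last = off + len(piece) >= len(payload)
        mf = f["mf"] if last else True             # keep MF if the input was itself a middle fragment
        flags_frag = ((0x4000 if f["df"] else 0) | (0x2000 if mf else 0)
                      | ((f["frag_offset"] + off) // 8))
        new_hdr = (hdr[:2] + struct.pack("!H", IPV4_HDR_LEN + len(piece)) + hdr[4:6]
                   + struct.pack("!H", flags_frag) + hdr[8:10] + b"\x00\x00" + hdr[12:20])
        frags.append(new_hdr + piece)
    return frags


# Constructed 1500-byte packets (20-byte header + 1480 bytes of payload), as in the article.
PACKET_DF1 = build_ipv4_header(1500, df=True) + b"A" * 1480
PACKET_DF0 = build_ipv4_header(1500, df=False) + b"A" * 1480

if __name__ == "__main__":
    print(egress_decision(PACKET_DF1, 1100))                   # drop (honor-df enable)
    print(egress_decision(PACKET_DF1, 1100, honor_df=False))   # fragment
    for frag in fragment_ipv4(PACKET_DF0, 1100):
        print(len(frag), parse_ipv4_flags(frag))
```

With the article's 1100-byte MTU a 1500-byte DF=0 packet becomes two fragments of 1100 and 420 bytes; the second has fragment offset 1080 and MF clear. The same functions can be pointed at header bytes taken from a Wireshark capture to confirm what the DF bit actually was on the traffic that did not get through.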
Details on pre- and post-encapsulation ip-fragmentation. The default setting is post-encapsulation, which is the RFC-compliant behaviour. With post-encapsulation, the packet is first wrapped in the ESP (IPsec) header and then fragmented, so only the first fragment carries the ESP header and the encrypted inner IP header; the remaining fragments carry the rest of the ESP payload, and the peer must reassemble all of them before it can decrypt anything. With pre-encapsulation, the cleartext packet is fragmented first and each fragment is encapsulated on its own, so every packet on the wire is a complete ESP packet with its own inner IP header and can be decrypted independently. The method is set under the phase1-interface:

config vpn ipsec phase1-interface
    edit <name>
        set ip-fragmentation ?
            pre-encapsulation     <----- Fragment before IPsec encapsulation.
            post-encapsulation    <----- Fragment after IPsec encapsulation.
        ...
    end
The method in effect can be verified in the CLI with 'diagnose vpn tunnel list'. With post-encapsulation (fragment after encapsulation, the default) the options field shows frag-rfc:

bound_if=9 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

With pre-encapsulation (fragment before encapsulation) the frag-rfc flag is absent:

bound_if=9 lgwy=static/1 tun=intf mode=auto/1 encap=none/40 options[0028]=npu run_state=0 role=sync-primary accept_traffic=1 overlay_id=0
When fragmenting with the default ip-fragmentation setting under IPsec phase 1 (post-encapsulation), be aware that the MTU defined on the IPsec tunnel interface has no effect: the packet is fragmented after encapsulation, at the physical interface, so that interface's MTU is what counts.

Therefore, to fragment to an MTU of 1100 bytes with post-encapsulation, define 1100 as the MTU of the physical interface the IPsec tunnel is bound to. Lowering the physical MTU affects all traffic leaving that interface, not only the tunnel. If only IPsec traffic should be affected, change the ip-fragmentation method to pre-encapsulation and set the MTU on the tunnel interface instead.
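To make the difference between the two methods concrete, and to show why the tunnel MTU is irrelevant for post-encapsulation, the following is an added Python model; it is not FortiOS code and not part of the original article. It assumes an ESP packet made of an 8-byte ESP header, a 16-byte IV, padding to a 16-byte cipher block, a 2-byte trailer and a 16-byte ICV inside a new 20-byte IPv4 header, with no NAT-T UDP header and no IP options; real overhead depends on the negotiated proposal. The 1500-byte packet and the 1100-byte MTU are the article's values.

```python
IPV4_HDR_LEN = 20

# Assumed ESP framing (not from the article): ESP header (SPI + sequence), AES-CBC style
# 16-byte IV and 16-byte block padding, 2-byte trailer (pad length + next header) and a
# 16-byte ICV as with HMAC-SHA-256-128, all inside a new 20-byte IPv4 header. No NAT-T.
ESP_HDR_LEN = 8
ESP_IV_LEN = 16
ESP_BLOCK = 16
ESP_TRAILER = 2
ESP_ICV_LEN = 16


def esp_outer_length(inner_len):
    """On-wire length of one ESP packet carrying an inner IP packet of inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK  # round up to a cipher block
    return IPV4_HDR_LEN + ESP_HDR_LEN + ESP_IV_LEN + padded + ESP_ICV_LEN


def fragment_lengths(total_len, mtu):
    """IPv4 total lengths of the fragments of a total_len packet sent over a link with this MTU.
    A packet that fits is returned unchanged as a single element."""
    if total_len <= mtu:
        return [total_len]
    chunk = (mtu - IPV4_HDR_LEN) // 8 * 8         # fragment offsets are in 8-byte units
    payload = total_len - IPV4_HDR_LEN
    return [IPV4_HDR_LEN + min(chunk, payload - off) for off in range(0, payload, chunk)]


def pre_encapsulation(inner_len, tunnel_mtu):
    """Fragment the cleartext packet to the tunnel interface MTU, then encapsulate each fragment.
    Every on-wire packet is a complete ESP packet with its own (encrypted) inner IP header."""
    return [esp_outer_length(frag) for frag in fragment_lengths(inner_len, tunnel_mtu)]


def post_encapsulation(inner_len, physical_mtu):
    """Encapsulate the whole packet, then fragment the ESP packet to the physical interface MTU.
    Only the first fragment carries the ESP header; the tunnel interface MTU plays no part."""
    return fragment_lengths(esp_outer_length(inner_len), physical_mtu)


def max_tunnel_mtu(physical_mtu):
    """Largest tunnel MTU for pre-encapsulation such that every encapsulated fragment still fits
    the physical MTU, i.e. is not fragmented a second time at the physical interface."""
    mtu = physical_mtu
    while mtu > IPV4_HDR_LEN and esp_outer_length(mtu) > physical_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    inner = 1500
    print("pre-encapsulation, tunnel MTU 1100:", pre_encapsulation(inner, 1100))
    print("post-encapsulation, wan1 MTU 1100: ", post_encapsulation(inner, 1100))
    print("post-encapsulation, wan1 MTU 1500: ", post_encapsulation(inner, 1500))
    print("largest tunnel MTU for a 1500-byte wan1:", max_tunnel_mtu(1500))
```

For the article's values, pre-encapsulation with an 1100-byte tunnel MTU yields two complete ESP packets of 1164 and 492 bytes (both fit a default 1500-byte wan1), while post-encapsulation with an 1100-byte wan1 MTU yields one 1564-byte ESP packet cut into fragments of 1100 and 484 bytes, only the first of which carries the ESP header; changing the tunnel MTU does not alter the post-encapsulation result at all. max_tunnel_mtu gives the largest tunnel MTU that avoids a second round of fragmentation at the physical interface under the assumed overhead.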
In the phase1 configuration below, the MTU of wan1 must be set to 1100 for fragmentation to 1100 bytes to work with post-encapsulation:

config vpn ipsec phase1-interface
    edit "IPSec-VPN"
        set interface "wan1"    <----- The MTU of this port needs to be set to 1100.
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set remote-gw 10.10.10.10
        set psksecret xxxxxxxx
    next
end
With the pre-encapsulation method, set the MTU on the IPsec tunnel interface itself, as shown below. Leave room for the ESP overhead when choosing the value, so that the encapsulated fragments still fit the physical interface MTU and are not fragmented a second time there.

config system interface
    edit "IPSec-VPN"
        set vdom "root"
        set type tunnel
        set mtu-override enable
        set mtu 1100
        set interface "wan1"
    next
end
To check the MTU of an interface, use 'diag netlink interface list <name>':

diag netlink interface list IPSec-VPN
if=IPSec-VPN family=00 type=768 index=28 mtu=1100 link=0 master=0 ref=13 state=start present fw_flags=0 flags=up p2p run noarp multicast
Note: If the expected fragmentation result is not obtained, check whether the DF bit is set on the packets and whether honor-df is enabled on the FortiOS side, and adjust the settings until the desired result is achieved. Capturing the traffic on both sides of the tunnel and analysing it in Wireshark (IP flags, fragment offsets, and whether each fragment carries an ESP header) gives a detailed picture of what is taking place.
Copyright 2025 Fortinet, Inc. All Rights Reserved.