Technical Tip: MTU override of IPsec VPN interface

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 193388

Description

This article describes how to override the MTU of an IPSec VPN Interface from CLI.

By default, the MTU of an IPsec VPN Interface is dynamically calculated. Before v6.4.0, the user will not be able to manually override. From v6.4.0, the user can override the MTU of an IPSec VPN Interface.

Scope

FortiGate.

Solution

From CLI:

config system interface
edit ipsec-tunnel-1 <------ Replaces withthe tunnel interface name.
        set mtu-override enable/disable
        set mtu 1400 <------- Set the desired MTU settings.
    end
end

To check if the MTU size has changed, use one of the following commands:

fnsysctl ifconfig < Phase-1 name> (For eg-> ipsec-tunnel-1 )

diagnose vpn tunnel list

Output:

ipsec-tunnel-1 Link encap:Unknown

UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1

RX packets:405 errors:0 dropped:0 overruns:0 frame:0

TX packets:373 errors:58373915 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:25196 (24.6 KB) TX bytes:22380 (21.9 KB)

73325

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Tip: MTU override of IPsec VPN interface

You are leaving our website