Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
krajaa
Staff
Staff

Created on ‎05-20-2020 12:31 AM Edited on ‎03-04-2025 10:15 PM By Community Manager

Article Id 193388

Technical Tip: MTU override of IPsec VPN interface

Description

 

This article describes how to override the MTU of an IPSec VPN Interface from CLI.

 

By default, the MTU of an IPsec VPN Interface is dynamically calculated. Before v6.4.0, the user will not be able to manually override. From v6.4.0, the user can override the MTU of an IPSec VPN Interface.

 

Scope

 

FortiGate.

Solution


From CLI:

 

config system interface
    edit ipsec-tunnel-1  <------ Replaces withthe  tunnel interface name.
        set mtu-override enable/disable    
        set mtu 1400   <------- Set the desired MTU settings.
    end
end

 

To check the MTU size changed use the following command:

 

fnsysctl ifconfig  < Phase-1 name>   (For eg-> ipsec-tunnel-1 )

 

Output:

 

ipsec-tunnel-1   Link encap:Unknown 

        UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1 

        RX packets:405 errors:0 dropped:0 overruns:0 frame:0 

        TX packets:373 errors:58373915 dropped:0 overruns:0 carrier:0 

        collisions:0 txqueuelen:0 

        RX bytes:25196 (24.6 KB)  TX bytes:22380 (21.9 KB)  

69436
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.