Description
This article describes how to override the MTU of an IPSec VPN Interface from CLI.
By default, the MTU of an IPsec VPN Interface is dynamically calculated. Before v6.4.0, the user will not be able to manually override. From v6.4.0, the user can override the MTU of an IPSec VPN Interface.
Scope
FortiGate.
Solution
From CLI:
config system interface
edit ipsec-tunnel-1 <------ Replaces withthe tunnel interface name.
set mtu-override enable/disable
set mtu 1400 <------- Set the desired MTU settings.
end
end
To check the MTU size changed use the following command:
fnsysctl ifconfig < Phase-1 name> (For eg-> ipsec-tunnel-1 )
Output:
ipsec-tunnel-1 Link encap:Unknown
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:405 errors:0 dropped:0 overruns:0 frame:0
TX packets:373 errors:58373915 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25196 (24.6 KB) TX bytes:22380 (21.9 KB)
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.