
VPN Gateway:Configure MTUs

Last Updated:Jan 29, 2024

IPsec-VPN connections can carry packets that have already been fragmented, but the VPN gateway itself does not fragment packets or reassemble fragments. When you use IPsec-VPN, the IPsec protocol encrypts each packet, which increases the packet size. The enlarged packet may exceed the maximum transmission unit (MTU) of the network and fail to be transmitted. This topic describes how to configure MTUs so that packets are transmitted as expected.

Principles

[Figure: MTU considerations]

The preceding figure illustrates the principles of MTU configuration. In this example, a data center is connected to a virtual private cloud (VPC) over an IPsec-VPN connection. When the client accesses the VPC, packets are encrypted on the on-premises gateway device and sent to the Internet. They reach the VPN gateway through the network devices that provide Internet access, which are Router 2 and Router 3.

During the transmission of packets from the client to the VPN gateway, the packet size is limited by the following types of MTU:

  • User MTU

    The user MTU is the minimum MTU of all network device interfaces between the client and on-premises gateway device. The user MTU limits the size of packets that are sent by the client.

    In this example, the user MTU is the minimum MTU of the interfaces marked "1".

  • Public interface MTU

    The public interface MTU is the MTU of the public interface on the on-premises gateway device that is connected to the VPN gateway. The public interface MTU limits the size of encrypted packets.

    In this example, the public interface MTU is the MTU of the interface marked "2".

  • Path MTU

    The path MTU is the minimum MTU of all network device interfaces that support Internet access. The path MTU limits the size of encrypted packets.

    You can consult Internet service providers (ISPs) about the path MTU. By default, the path MTU of Ethernet is 1,500 bytes.

    In this example, the path MTU is the minimum MTU of the interfaces marked "3".

To ensure that packets can be transmitted as expected, you must configure the user MTU and public interface MTU in the data center. Make sure that the MTUs meet the following condition:

Maximum user MTU = min {public interface MTU, path MTU} - 101

Here, 101 is the maximum number of bytes that IPsec encryption adds to a packet.

Important

If your VPN gateway was created before April 1, 2021, and the user MTU configured in the data center is larger than 1,300 bytes, IPsec-VPN connections may fail. In this case, we recommend that you update your VPN gateway to the latest version. For more information, see Upgrade a VPN gateway.

Example

[Figure: MTU configuration example]

The preceding figure provides an example in which the path MTU is 1,500 bytes and the public interface MTU of the on-premises gateway device is set to 1,500 bytes. You can calculate the maximum user MTU by using the following formula:

Maximum user MTU = min {1,500, 1,500} - 101 = 1,500 - 101 = 1,399 bytes

In this case, we recommend that you send packets that do not exceed 1,399 bytes in size from the client. Otherwise, the packets may fail to be transmitted.

MSS configuration

If TCP traffic is transmitted over an IPsec-VPN connection and you do not want the packets to be fragmented, make sure that the maximum segment size (MSS) and the user MTU meet the following condition:

MSS = User MTU - IP packet header size - TCP packet header size

For example, if the public interface MTU and the path MTU are both 1,500 bytes, the maximum user MTU is 1,399 bytes. With an IP header and a TCP header of 20 bytes each, the MSS cannot exceed 1,359 bytes if packets are not to be fragmented.
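The following helper, added here as an example and not part of the Alibaba Cloud documentation, applies the user MTU formula from the Principles section and the MSS condition above to a set of interface MTUs, and flags a user MTU that would break the IPsec-VPN connection. The function name, the dataclass and the sample interface values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

IPSEC_OVERHEAD = 101          # maximum bytes IPsec encryption adds per packet
IP_HEADER = 20                # IP header size in bytes
TCP_HEADER = 20               # TCP header size in bytes
LEGACY_GATEWAY_LIMIT = 1300   # limit for VPN gateways created before April 1, 2021


@dataclass
class MtuPlan:
    user_mtu: int        # minimum MTU of the interfaces marked "1"
    public_if_mtu: int   # MTU of the interface marked "2"
    path_mtu: int        # minimum MTU of the interfaces marked "3"
    max_user_mtu: int    # min {public interface MTU, path MTU} - 101
    max_mss: int         # max user MTU - IP header - TCP header
    issues: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.issues


def plan_mtu(client_side_mtus, public_if_mtu, path_mtus=(1500,),
             legacy_gateway=False) -> MtuPlan:
    """Derive the maximum user MTU and MSS, and check the configured user MTU.

    client_side_mtus: MTUs of every interface between client and on-premises
                      gateway (marked "1" in the figure).
    public_if_mtu:    MTU of the gateway's public interface (marked "2").
    path_mtus:        MTUs of the Internet-facing devices (marked "3");
                      defaults to the Ethernet default of 1500 bytes.
    legacy_gateway:   True if the VPN gateway was created before April 1, 2021.
    """
    user_mtu = min(client_side_mtus)
    path_mtu = min(path_mtus)
    max_user_mtu = min(public_if_mtu, path_mtu) - IPSEC_OVERHEAD
    max_mss = max_user_mtu - IP_HEADER - TCP_HEADER
    plan = MtuPlan(user_mtu, public_if_mtu, path_mtu, max_user_mtu, max_mss)
    if user_mtu > max_user_mtu:
        plan.issues.append(
            f"user MTU {user_mtu} exceeds maximum {max_user_mtu}; "
            f"encrypted packets may be dropped")
    if legacy_gateway and user_mtu > LEGACY_GATEWAY_LIMIT:
        plan.issues.append(
            f"user MTU {user_mtu} exceeds {LEGACY_GATEWAY_LIMIT} on a gateway "
            f"created before April 1, 2021; upgrade the gateway")
    return plan
```

The page's own example, `plan_mtu([1500, 1500], 1500)`, yields a maximum user MTU of 1,399 bytes and a maximum MSS of 1,359 bytes, and reports the 1,500-byte client interfaces as too large.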