VPN Gateway can forward fragmented packets but cannot reassemble the fragments. When you use IPsec-VPN, the IPsec protocol encrypts packets, which increases their size. The larger encrypted packet may exceed the maximum transmission unit (MTU) of a network and fail to be delivered. This topic describes how to set MTU values so that packets are transmitted as expected.

Principles

Considerations

This topic uses the preceding figure as an example to describe how to set MTU values. In this example, the data center is connected to a virtual private cloud (VPC) by using an IPsec-VPN connection. When the client accesses the VPC, packets are encrypted on the on-premises gateway device and transmitted to the Internet. The packets are transmitted to the VPN gateway through the network devices that support Internet access, which are Router 2 and Router 3.

During the transmission of packets from the client to the VPN gateway, the packet size is limited by the following types of MTU:
  • User MTU

    The user MTU is the minimum MTU of all network device interfaces between the client and the on-premises gateway device. The user MTU limits the size of packets that are sent by the client.

    In this example, the user MTU is the minimum MTU of the interfaces that are marked "1".

  • Public interface MTU

    The public interface MTU is the MTU of the public interface that is connected to the VPN gateway on the on-premises gateway device. The public interface MTU limits the size of encrypted packets.

    In this example, the public interface MTU is the MTU of the interface marked "2".

  • Path MTU

    The path MTU is the minimum MTU of all network device interfaces that support Internet access. The path MTU limits the size of encrypted packets.

    You can consult Internet service providers (ISPs) about the path MTU. By default, the path MTU of Ethernet is 1,500 bytes.

    In this example, the path MTU is the minimum MTU of the interfaces that are marked "3".

To ensure that packets can be transmitted as expected, you must configure the user MTU and the public interface MTU in the data center. Make sure that the MTU values meet the following condition:

Maximum user MTU = min {Public interface MTU, Path MTU} - 101

Note: 101 is the maximum number of bytes of overhead that the IPsec protocol adds when it encrypts a packet.

Example

As shown in the preceding figure, if the path MTU is 1,500 bytes and you set the public interface MTU of the on-premises gateway device to 1,500 bytes, you can calculate the maximum user MTU by using the following formula:
Maximum user MTU = min {1,500, 1,500} - 101 = 1,500 - 101 = 1,399 bytes

In this case, we recommend that you send packets that do not exceed 1,399 bytes in size from the client. Otherwise, the packets may fail to be transmitted.

Set the MSS value

If TCP traffic is transmitted over an IPsec-VPN connection and you do not want packets to be fragmented, make sure that the maximum segment size (MSS) and the user MTU meet the following condition:
MSS = User MTU - IP packet header size (20 bytes) - TCP packet header size (20 bytes)

For example, if the public interface MTU and the path MTU are both 1,500 bytes, the maximum user MTU is 1,399 bytes. To ensure that packets are not segmented, the MSS cannot exceed 1,359 bytes.