Fortinet – Fragmentation – DF – IPSec

  1. System Settings
  2. Fragmentation
  3. Check Interface MTU
  4. Links

System Settings

config global
    config system global
        set honor-df enable
    end
end

Fragmentation

The default ip-fragmentation setting is post-encapsulation (fragment after IPsec encapsulation), as that is RFC compliant.

config vpn ipsec phase1-interface
    edit <name>
        set ip-fragmentation post-encapsulation
    next
end

Check Interface MTU

To check the MTU size of an interface, use 'diag netlink interface list <name>'.

diag netlink interface list IPSec-VPN

if=IPSec-VPN family=00 type=768 index=28 mtu=1400 link=0 master=0
ref=13 state=start present fw_flags=0 flags=up p2p run noarp multicast
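
As an added example (not part of the original page and not Fortinet code), the Python sketch below parses the output shown above and applies the standard RFC 1191 forwarding decision to the reported MTU, so you can see which DF-marked packets will be rejected once honor-df is enabled. The function names, the rule that bare words belong to the preceding key, and the no-options header sizes are assumptions of this example.

```python
# Constructed sample: the two output lines shown above.
SAMPLE = (
    "if=IPSec-VPN family=00 type=768 index=28 mtu=1400 link=0 master=0\n"
    "ref=13 state=start present fw_flags=0 flags=up p2p run noarp multicast\n"
)

LIST_KEYS = ("state", "flags")  # fields that carry several words


def parse_netlink(text):
    """Turn 'diag netlink interface list <name>' output into a dict.

    Assumption: a bare word (no '=') belongs to the most recent key,
    e.g. 'flags=up p2p run' yields flags == ['up', 'p2p', 'run'].
    """
    raw, last = {}, None
    for token in text.split():
        if "=" in token:
            last, value = token.split("=", 1)
            raw[last] = [value]
        elif last is not None:
            raw[last].append(token)
    parsed = {}
    for key, values in raw.items():
        if key in LIST_KEYS:
            parsed[key] = values
        else:
            parsed[key] = int(values[0]) if values[0].isdigit() else values[0]
    return parsed


def df_verdict(packet_len, df_set, mtu, honor_df=True):
    """RFC 1191 decision for an IPv4 packet routed into the interface."""
    if packet_len <= mtu:
        return "forward"
    if df_set and honor_df:
        # DF is honored: no fragmentation, sender is told the next-hop MTU.
        return "drop, ICMP type 3 code 4, next-hop MTU %d" % mtu
    return "fragment"


def max_tcp_mss(mtu, ipv6=False):
    """Largest TCP MSS that fits the MTU (IP and TCP headers without options)."""
    return mtu - (40 if ipv6 else 20) - 20


if __name__ == "__main__":
    iface = parse_netlink(SAMPLE)
    print(iface["if"], "mtu", iface["mtu"], "mss", max_tcp_mss(iface["mtu"]))
    for size in (1400, 1401, 1500):
        print(size, "DF ->", df_verdict(size, True, iface["mtu"]))
```
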