MTU considerations

The maximum transmission unit (MTU) is the size, in bytes, of the largest packet supported by a network layer protocol, including both headers and data.

Network packets sent over a VPN tunnel are encrypted and then encapsulated in an outer packet so that they can be routed. Cloud VPN tunnels use IPsec and ESP for encryption and encapsulation. Because the encapsulated inner packet must itself fit within the MTU of the outer packet, its MTU must be smaller.

Encapsulation and fragmentation

Cloud VPN uses prefragmentation. Enable prefragmentation on your VPN gateway so that packets that it sends are fragmented before they are encrypted and encapsulated. Packets sent from your peer systems must have the DF bit turned off.

Gateway MTU versus system MTU

Configure your peer VPN gateway to use an MTU of no greater than 1460 bytes. We recommend a value of 1460 bytes because that matches the default MTU setting for Google Cloud virtual machine (VM) instances.

The effective MTU for peer systems and Google Cloud VMs is typically lower than the MTU of your VPN gateway:

  • For TCP traffic, MSS clamping rewrites the SYN packet of the initial TCP handshake. This action lets systems dynamically adjust maximum segment size (MSS) to accommodate encapsulation.

  • For UDP traffic, if your firewall rule permits ICMP traffic, then Path MTU Discovery (PMTUD) can negotiate smaller MTU sizes under certain circumstances.

Performance considerations

MSS clamping and PMTUD do not solve every cause of packet loss. Consider these strategies to ensure that systems can reliably communicate over a Cloud VPN tunnel:

  • If the MTU of your on-premises VPN gateway is set to 1460 bytes, consider setting the MTU of on-premises and Google Cloud VMs to 1390 bytes if:

    • MSS clamping doesn't mitigate packet loss for TCP traffic.
    • You are sending UDP traffic, and PMTUD is not possible. For example, not all UDP applications can take advantage of PMTUD.
  • If you configured the MTU of your peer VPN gateway to a value less than 1460 bytes, you must determine an acceptable MTU for peer systems and Google Cloud VMs. This MTU must be approximately 70 bytes lower than the MTU of your gateway.

What's next