The Maximum Transmission Unit (MTU) is the size, in bytes, of the largest packet supported by a network layer protocol, including both headers and data.
Network packets sent over a VPN tunnel are encrypted then encapsulated in an outer packet so they can be routed. Cloud VPN tunnels use IPsec and ESP for encryption and encapsulation. Because the encapsulated inner packet must itself fit within the MTU of the outer packet, its MTU must be smaller.
Encapsulation and fragmentation
Cloud VPN uses prefragmentation. You must enable prefragmentation on
your VPN gateway so that packets it sends are fragemented before they are
encrypted and encapsulated. Packets sent from your
peer systems must have the
DF bit turned off.
Gateway MTU vs. system MTU
You must configure your peer VPN gateway to use a MTU of no greater than 1460 bytes. A value of 1460 bytes is recommended because that matches the default MTU setting for Google Cloud VM instances.
The effective MTU for peer systems and Google Cloud VMs is typically lower than the MTU of your VPN gateway:
For TCP traffic, MSS clamping rewrites the SYN packet of the initial TCP handshake. This allows systems to dynamically adjust Maximum Segment Size (MSS) to accommodate encapsulation.
For UDP traffic, Path MTU Discovery (PMTUD) can negotiate smaller MTU sizes, under certain circumstances, provided that your firewall permits ICMP traffic.
MSS clamping and PMTUD do not solve every cause of packet loss. Consider these strategies to ensure that systems can reliably communicate over a Cloud VPN tunnel:
If the MTU of your on-premise VPN gateway is set to 1460 bytes, consider setting the MTU of on-premise and Google Cloud VMs to 1390 bytes if:
- MSS clamping doesn't mitigate packet loss for TCP traffic.
- You are sending UDP traffic and PMTUD is not possible. For example, not all UDP applications can take advantage of PMTUD.
If you configured the MTU of your peer VPN gateway to a value less than 1460 bytes, you must determine an acceptable MTU for peer systems and Google Cloud VMs. This MTU must be approximately 70 bytes lower than the MTU of your gateway.
More VPN concepts
For additional information on Cloud VPN concepts, use the navigation arrows at the bottom of the page to move to the next concept or use the following links:
- Learn about the basic concepts of Cloud VPN
- Choose VPN over other hybrid connectivity solutions
- Choose a VPC network type and routing option
- Redundant and higher-throughput VPNs
- Create a custom Virtual Private Cloud network
- Maintain VPN tunnels and gateways
- See Advanced Configurations for information on high-availability, high-throughput scenarios, or multiple subnet scenarios.
- View logs and monitoring metrics
- Get troubleshooting help