MTU considerations

The Maximum Transmission Unit (MTU) is the size, in bytes, of the largest packet supported by a network layer protocol, including both headers and data.

Network packets sent over a VPN tunnel are encrypted then encapsulated in an outer packet so they can be routed. Cloud VPN tunnels use IPsec and ESP for encryption and encapsulation. Because the encapsulated inner packet must itself fit within the MTU of the outer packet, its MTU must be smaller.

Encapsulation and fragmentation

Cloud VPN uses prefragmentation. You must enable prefragmentation on your VPN gateway so that packets it sends are fragmented before they are encrypted and encapsulated. Packets sent from your peer systems must have the DF bit turned off.

Gateway MTU vs. system MTU

You must configure your peer VPN gateway to use an MTU of no greater than 1460 bytes. A value of 1460 bytes is recommended because that matches the default MTU setting for Google Cloud VM instances.

The effective MTU for peer systems and Google Cloud VMs is typically lower than the MTU of your VPN gateway:

  • For TCP traffic, MSS clamping rewrites the SYN packet of the initial TCP handshake. This allows systems to dynamically adjust Maximum Segment Size (MSS) to accommodate encapsulation.

  • For UDP traffic, Path MTU Discovery (PMTUD) can negotiate smaller MTU sizes, under certain circumstances, provided that your firewall permits ICMP traffic.

Performance considerations

MSS clamping and PMTUD do not solve every cause of packet loss. Consider these strategies to ensure that systems can reliably communicate over a Cloud VPN tunnel:

  • If the MTU of your on-premises VPN gateway is set to 1460 bytes, consider setting the MTU of on-premises and Google Cloud VMs to 1390 bytes if:

    • MSS clamping doesn't mitigate packet loss for TCP traffic.
    • You are sending UDP traffic and PMTUD is not possible. For example, not all UDP applications can take advantage of PMTUD.
  • If you configured the MTU of your peer VPN gateway to a value less than 1460 bytes, you must determine an acceptable MTU for peer systems and Google Cloud VMs. This MTU must be approximately 70 bytes lower than the MTU of your gateway.
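The following shell helper is an added example, not part of the Cloud VPN documentation: it derives the system MTU and clamped TCP MSS from a peer gateway MTU using the 1460-byte ceiling and the approximately 70-byte encapsulation overhead stated above, and prints (without running) the Linux commands that would apply them. It assumes IPv4 with 20-byte IP and 20-byte TCP headers (so MSS = MTU - 40) and an interface named eth0.

```shell
#!/bin/sh
# Added example (not from the Cloud VPN docs): derive MTU/MSS settings for
# systems behind an IPsec/ESP tunnel to Cloud VPN and print the commands
# that would apply them on a Linux VM. Assumes IPv4 and interface eth0.

GATEWAY_MTU_MAX=1460   # peer VPN gateway MTU must not exceed this
ENCAP_OVERHEAD=70      # approximate IPsec/ESP overhead given on the page

# Succeeds (exit 0) only if the gateway MTU is acceptable for Cloud VPN.
check_gateway_mtu() {
  [ "$1" -gt 0 ] && [ "$1" -le "$GATEWAY_MTU_MAX" ]
}

# Prints the MTU to use on peer systems and Google Cloud VMs
# (gateway MTU minus encapsulation overhead; 1460 -> 1390).
system_mtu_for_gateway() {
  gw="$1"
  check_gateway_mtu "$gw" || return 1
  echo $((gw - ENCAP_OVERHEAD))
}

# Prints the TCP MSS to clamp to for a given system MTU
# (IPv4: 20-byte IP header + 20-byte TCP header = 40 bytes).
tcp_mss_for_mtu() {
  echo $(($1 - 40))
}

# Prints the commands that would apply the derived values; does not run them.
print_apply_commands() {
  gw="$1"; dev="${2:-eth0}"
  mtu=$(system_mtu_for_gateway "$gw") || {
    echo "gateway MTU $gw exceeds $GATEWAY_MTU_MAX" >&2; return 1; }
  mss=$(tcp_mss_for_mtu "$mtu")
  echo "ip link set dev $dev mtu $mtu"
  # MSS clamping rewrites the MSS option in SYN packets (see 'Gateway MTU vs. system MTU').
  echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
  # PMTUD for UDP only works if ICMP 'fragmentation needed' (type 3, code 4) is allowed in.
  echo "iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT"
}
```

Running `print_apply_commands 1460` yields an interface MTU of 1390 and a clamped MSS of 1350; a gateway MTU above 1460 is rejected rather than silently producing a value.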
