MTU Considerations

The Maximum Transmission Unit (MTU) is the size, in bytes, of the largest packet supported by a network layer protocol (such as IP), including both headers and data. The corresponding limit at the transport layer is the TCP Maximum Segment Size (MSS), which excludes the IP and TCP headers and is discussed below.

Network packets sent over a VPN tunnel are encrypted and then encapsulated in an outer packet so that they can be routed between the two gateways. Cloud VPN tunnels use IPsec with ESP (Encapsulating Security Payload) for encryption and encapsulation. Because the encrypted inner packet, plus the ESP header and trailer and the outer IP header, must itself fit within the MTU of the path that carries the outer packet, the MTU available to the inner packet is necessarily smaller.

Encapsulation and fragmentation

Cloud VPN uses prefragmentation: a packet that is larger than the tunnel MTU is fragmented before it is encrypted and encapsulated, so that each fragment travels as its own ESP packet. The receiving gateway decrypts each fragment independently and the destination host reassembles them, instead of the gateway having to reassemble encrypted fragments before it can decrypt anything. You must enable prefragmentation on your on-premises VPN gateway so that the packets it sends are fragmented before they are encrypted and encapsulated. Packets sent from your on-premises systems must have the Don't Fragment (DF) bit in the IP header cleared; a gateway is not allowed to fragment a packet that carries DF, so an oversized packet with DF set is dropped rather than fragmented.

Gateway MTU vs. system MTU

You must configure your on-premises VPN gateway to use an MTU of no greater than 1460 bytes. A value of 1460 bytes is recommended because it matches the default MTU setting for GCP VM instances.

The effective MTU for on-premises systems and GCP VMs is typically lower than the MTU of your VPN gateway, because the encapsulation overhead has to be absorbed somewhere. Two mechanisms let end systems adapt without being reconfigured:

  • For TCP traffic, MSS clamping rewrites the Maximum Segment Size (MSS) option in the SYN (and SYN-ACK) packets of the initial TCP handshake as they pass through the gateway. Each endpoint then sends segments no larger than the MSS it received, which leaves room for the encapsulation overhead. The MSS is the MTU less the 20-byte IPv4 and 20-byte TCP headers, so an MTU of 1390 bytes corresponds to a clamped MSS of 1350 bytes.

  • For UDP traffic, Path MTU Discovery (PMTUD) can let the sender learn a smaller path MTU, under certain circumstances, provided that your firewall permits the ICMP "Fragmentation Needed" messages (ICMP type 3, code 4) on which PMTUD depends. If a firewall on either side filters those messages, the sender never learns that its oversized packets are being dropped.
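To make concrete what MSS clamping does to a packet, the following is an added example, not code from the Cloud VPN documentation or from any gateway vendor, of the rewrite a gateway performs on a TCP SYN: it parses an IPv4/TCP packet, walks the TCP options, lowers the MSS option to the value derived from a 1390-byte MTU (1350) when the advertised value is larger, and recomputes the TCP checksum. Non-TCP packets, segments without the SYN flag, packets without an MSS option and packets already at or below the clamp are returned unchanged. The SYN is constructed inline for the demonstration; its addresses, ports and option layout (NOP, NOP, SACK-permitted, MSS) are arbitrary test values.

```python
"""MSS clamping as a VPN gateway applies it to a TCP SYN (added example)."""
import struct

IPV4_HEADER_LEN = 20
TCP_HEADER_LEN = 20                      # fixed TCP header, without options
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10


def mss_for_mtu(mtu: int) -> int:
    """MSS is the MTU less the fixed IPv4 and TCP headers: 1390 -> 1350."""
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


def _ones_complement(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return _ones_complement(pseudo + tcp)


def _mss_option_offset(tcp: bytes):
    """Index of the MSS option's 2-byte value inside the TCP header, or None."""
    data_offset = (tcp[12] >> 4) * 4
    i = TCP_HEADER_LEN
    while i < data_offset:
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            return None
        if kind == TCP_OPT_NOP:          # single byte, no length field
            i += 1
            continue
        if i + 1 >= data_offset:         # truncated option
            return None
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            return None                  # malformed option list: leave the packet alone
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes):
    """Return the MSS advertised by an IPv4/TCP packet, or None if there is none."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Rewrite the MSS option of a SYN/SYN-ACK down to max_mss if it is larger.

    Anything that is not a TCP SYN carrying an MSS above max_mss is returned
    unchanged; when the option is rewritten the TCP checksum is recomputed.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                   # IP protocol 6 = TCP
        return packet
    src, dst = packet[12:16], packet[16:20]
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_FLAG_SYN:
        return packet
    off = _mss_option_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= max_mss:
        return packet
    tcp[off:off + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"             # zero the checksum field before recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def tcp_checksum_ok(packet: bytes) -> bool:
    """A segment with a valid stored checksum verifies to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def build_syn(src: bytes, dst: bytes, mss: int, syn: bool = True) -> bytes:
    """Constructed IPv4/TCP test packet with options NOP, NOP, SACK-permitted, MSS."""
    options = bytes([TCP_OPT_NOP, TCP_OPT_NOP, 4, 2]) + struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HEADER_LEN + len(options)) // 4
    flags = TCP_FLAG_SYN if syn else TCP_FLAG_ACK
    tcp = bytearray(struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                                (data_offset << 12) | flags, 65535, 0, 0)) + options
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    # IPv4 flags/fragment field is 0, i.e. DF clear, as the page requires of on-premises senders.
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(tcp),
                               0, 0, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", _ones_complement(bytes(ip)))
    return bytes(ip) + bytes(tcp)
```

Calling `clamp_mss(build_syn(src, dst, 1460), mss_for_mtu(1390))` yields a SYN whose MSS reads 1350 and whose checksum still verifies; the same call on an ACK-only segment, or on a SYN already advertising 1200, returns the input untouched. A real gateway does exactly this on the forwarding path, which is why clamping helps TCP but does nothing for UDP.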

Performance considerations

MSS clamping and PMTUD do not solve every cause of packet loss. Consider these strategies to ensure that systems can reliably communicate over a Cloud VPN tunnel:

  • If the MTU of your on-premises VPN gateway is set to 1460 bytes, consider setting the MTU of on-premises systems and GCP VMs to 1390 bytes if:

    • MSS clamping doesn't mitigate packet loss for TCP traffic.
    • You are sending UDP traffic and PMTUD is not possible. For example, not all UDP applications honor the path MTU that PMTUD reports.
  • If you configured the MTU of your on-premises VPN gateway to a value less than 1460 bytes, you will need to determine an acceptable MTU for on-premises systems and GCP VMs. This MTU will need to be approximately 70 bytes lower than the MTU of your gateway, to leave room for the outer IP header and the ESP header, IV, padding, trailer and integrity check value that encapsulation adds to every packet.
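The "approximately 70 bytes" is the sum of what ESP encapsulation adds to each packet: an outer IPv4 header, a UDP header when NAT traversal is in use, the ESP header (SPI and sequence number), the cipher's IV, padding to the cipher's block size, the two-byte ESP trailer and the integrity check value. The following is an added example, not code from the Cloud VPN documentation, that computes the largest inner packet that still fits in a given gateway MTU for a few common IPsec cipher suites. The suites and their IV, block and ICV lengths are standard values chosen for illustration, not a statement of what Cloud VPN negotiates; with AES-CBC and an HMAC integrity algorithm the result for a 1460-byte gateway MTU is exactly the 1390 bytes recommended above.

```python
"""Effective inner MTU behind an IPsec ESP tunnel (added example)."""
from dataclasses import dataclass

OUTER_IPV4_HEADER = 20
UDP_HEADER = 8            # only present with NAT traversal (UDP encapsulation of ESP)
ESP_HEADER = 8            # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2           # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspCipher:
    """Per-packet sizes of an ESP transform (illustrative, standard values)."""
    name: str
    iv_len: int           # explicit IV or nonce carried in each packet
    block_len: int        # alignment of payload + padding + trailer (ESP minimum is 4)
    icv_len: int          # integrity check value appended after the trailer


AES_CBC_HMAC_SHA1_96 = EspCipher("AES-CBC + HMAC-SHA1-96", iv_len=16, block_len=16, icv_len=12)
AES_CBC_HMAC_SHA256_128 = EspCipher("AES-CBC + HMAC-SHA2-256-128", iv_len=16, block_len=16, icv_len=16)
AES_GCM_16 = EspCipher("AES-GCM with 16-byte ICV", iv_len=8, block_len=4, icv_len=16)


def esp_padding(inner_len: int, cipher: EspCipher) -> int:
    """Padding so that inner packet + padding + trailer is a multiple of block_len."""
    return (-(inner_len + ESP_TRAILER)) % cipher.block_len


def esp_packet_len(inner_len: int, cipher: EspCipher, nat_t: bool) -> int:
    """Size of the outer packet carrying an inner IP packet of inner_len bytes."""
    return (OUTER_IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER
            + cipher.iv_len + inner_len + esp_padding(inner_len, cipher)
            + ESP_TRAILER + cipher.icv_len)


def max_inner_mtu(outer_mtu: int, cipher: EspCipher, nat_t: bool) -> int:
    """Largest inner packet whose ESP encapsulation still fits within outer_mtu.

    Padding depends on the inner length, so the bound is found by stepping
    down from outer_mtu rather than by subtracting a constant.
    """
    inner = outer_mtu
    while inner > 0 and esp_packet_len(inner, cipher, nat_t) > outer_mtu:
        inner -= 1
    return inner


def encapsulation_overhead(outer_mtu: int, cipher: EspCipher, nat_t: bool) -> int:
    """Bytes the end systems must give up relative to the gateway MTU."""
    return outer_mtu - max_inner_mtu(outer_mtu, cipher, nat_t)


if __name__ == "__main__":
    for cipher in (AES_CBC_HMAC_SHA1_96, AES_CBC_HMAC_SHA256_128, AES_GCM_16):
        for nat_t in (False, True):
            print(f"{cipher.name:30s} NAT-T={nat_t!s:5s} gateway MTU 1460 -> "
                  f"inner MTU {max_inner_mtu(1460, cipher, nat_t)} "
                  f"(overhead {encapsulation_overhead(1460, cipher, nat_t)})")
```

For a 1460-byte gateway MTU, both AES-CBC suites give an inner MTU of 1390, which is the 70-byte reduction the page quotes, while an AEAD suite such as AES-GCM needs somewhat less. Because the figure depends on the negotiated transform and on whether NAT traversal is active, treating 70 bytes as the minimum reduction is the conservative choice when you lower the gateway MTU below 1460.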
