When a packet is nearly the size of the MTU of the outbound link of the encrypting router and it is encapsulated with IPsec
headers, it is likely to exceed the MTU of the outbound link. This causes packet fragmentation after encryption. The decrypting
router must then reassemble these packets in the process path, which decreases the decrypting router’s performance.
The Pre-fragmentation for IPsec VPNs feature increases the decrypting router’s performance by enabling it to operate in the
high-performance CEF path instead of the process path. An encrypting router can predetermine the encapsulated packet size
from information available in transform sets, which are configured as part of the IPsec security association (SA). If it is
predetermined that the packet exceeds the MTU of the output interface, the packet is fragmented before encryption. This function
avoids process-level reassembly before decryption and helps improve decryption performance and overall IPsec traffic throughput.
The pre-fragmentation feature is turned off by default for tunnel interfaces. To receive pre-fragmentation performance benefits,
turn pre-fragmentation on after ensuring that the tunnel interfaces have the same MTU on both ends.
Crypto maps are no longer used to define fragmentation behavior that occurred before and after encryption. Now, IPsec Virtual
Tunnel Interface (also referred to as Virtual-Template interface) (VTI) fragmentation behavior is determined by the IP MTU
settings that are configured on the VTI.
See the IPsec Virtual Tunnel Interface feature document for more information on VTIs.
If fragmentation after-encryption behavior is desired, then set the VTI IP MTU to a value that is greater than the egress
router interface IP MTU. Use the
tunnel command to display the IP MTU value.