Perform this procedure to fragment packets larger than the IPsec tunnel maximum transmission unit (MTU) before the packets are sent for encryption.
Ensure IPsec is disabled on the tunnel. The administrative state must be disabled before you can enable or disable fragmentation before encryption.
Configure the IPsec destination IP address or enable responder mode.
By default, fragmentation before encryption is disabled.
enable
virtual-service WORD<1-128> console
Note
Type CTRL+Y to exit the console.
set ipsec <1-255> fragment-before-encrypt enable