[strongSwan] NON_FIRST_FRAGMENTS_ALSO?

Martin Willi martin at strongswan.org
Tue Apr 22 10:37:47 CEST 2014


Hi Mark,

> Is there a way to include a NON_FIRST_FRAGMENTS_ALSO Notify payload in an
> IKE_AUTH?  I don't see an ipsec.conf config setting, I don't see a
> strongswan.conf setting, in the code I see NON_FIRST_FRAGMENTS_ALSO in an
> enum construct but don't see it being set at all?

Currently there is no option to set NON_FIRST_FRAGMENTS_ALSO, and we
just don't send it.

It certainly would make sense to send this notify on kernel backends
supporting/doing it, so we probably should have a kernel backend
capability flag instead of a manual ipsec.conf option.

I haven't tested in detail which of our backends actually can handle
fragments on SAs with specific protocol/port selectors. And for those
supporting it, we would need an option to disable sending such fragments
if the peer can't handle it, which is probably even more difficult.

Regards
Martin


