[strongSwan] [strongswan] - Fragmentation in ikev2

Sriram sriram.ec at gmail.com
Wed Aug 6 08:14:27 CEST 2014


I have installed strongswan-5.2.0 on both the linux peers.
I m trying to establish the tunnel using certificates.
Since I have 2 levels of certificate Authorities( SubCA and RootCA)
IKE_AUTH message containing cert payloads is exceeding mtu(1500)..

IKE_AUTH is getting fragmented after encryption at layer 3. This situation
is ok, as the other end which is also a linux box is able to reassemble and
But the large IKE_AUTH getting fragmented at ip level is not desirable
because of some firewall rules.

So I want to enable fragmentation feature, where multiple IKE_AUTHs are
For that reason I added  "fragmentation=yes" in ipsec.conf on both the
but it is not taken into effect.
Let me know if I need to do something other than adding fragmentation=yes
in ipsec.conf, even I tried with fragmentation=force, but that didnt help

Any help in this regard is appreciated.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140806/7e9a3977/attachment.html>

More information about the Users mailing list