[strongSwan] [strongswan] - Fragmentation in ikev2

Noel Kuntze noel at familie-kuntze.de
Wed Aug 6 08:55:03 CEST 2014


Hello Sriram,

As mentioned in the man page, fragmentation isn't supported for IKEv2 yet. 
Support will be added in the next version of strongSwan.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 06.08.2014 at 08:14, Sriram wrote:
> Hello,
> 
> I have installed strongswan-5.2.0 on both the Linux peers.
> I'm trying to establish the tunnel using certificates.
> Since I have 2 levels of certificate authorities (SubCA and RootCA),
> the IKE_AUTH message containing cert payloads is exceeding the MTU (1500).
> 
> IKE_AUTH is getting fragmented after encryption at layer 3. This situation is OK, as the other end, which is also a Linux box, is able to reassemble and decrypt.
> But the large IKE_AUTH getting fragmented at the IP level is not desirable because of some firewall rules.
> 
> So I want to enable the fragmentation feature, where multiple IKE_AUTHs are sent.
> For that reason I added "fragmentation=yes" in ipsec.conf on both the peers,
> but it does not take effect.
> Let me know if I need to do something other than adding fragmentation=yes in ipsec.conf. I even tried with fragmentation=force, but that didn't help either.
> 
> Any help in this regard is appreciated.
> 
> Regards,
> Sriram.