[strongSwan] [strongswan] - Fragmentation in ikev2
noel at familie-kuntze.de
Wed Aug 6 08:55:03 CEST 2014
As mentioned in the man page, fragmentation isn't supported for IKEv2 yet.
Support will be added in the next version of strongSwan.
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 06.08.2014 at 08:14, Sriram wrote:
> I have installed strongswan-5.2.0 on both the Linux peers.
> I'm trying to establish the tunnel using certificates.
> Since I have 2 levels of certificate authorities (SubCA and RootCA),
> the IKE_AUTH message containing cert payloads is exceeding the MTU (1500).
> IKE_AUTH is getting fragmented after encryption at layer 3. This situation is OK, as the other end, which is also a Linux box, is able to reassemble and decrypt.
> But the large IKE_AUTH getting fragmented at the IP level is not desirable because of some firewall rules.
> So I want to enable the fragmentation feature, where multiple IKE_AUTHs are sent.
> For that reason I added "fragmentation=yes" in ipsec.conf on both the peers,
> but it does not take effect.
> Let me know if I need to do something other than adding fragmentation=yes in ipsec.conf. I even tried fragmentation=force, but that didn't help either.
> Any help in this regard is appreciated.