[strongSwan] Fwd: StrongSwan support for IPsec pre-fragmentation
harry.chan.maestas at gmail.com
Tue Apr 14 17:35:09 CEST 2015
Thanks for the reminder; I forgot to update this thread.
I got the same result as you when I tried this. I have not found any other
workaround using StrongSwan, so I modified my app to be MTU aware and
adjust in real time.
On Apr 13, 2015 10:31 PM, "Sriram" <sriram.ec at gmail.com> wrote:
> Hi Harry,
> This is Sriram. When I happen to check strongswan mailing list, I found
> the mail chain below and found it relevant to what I was looking for.
> I set that kernel-netlink.mtu to 1200 and found that any packet exceeding
> 1200 packet size got fragmented but only after encryption.
> Is there any option available to achieve prefragmentation, i.e.
> fragmentation before encryption? If not, is there any workaround?
> ---------- Forwarded message ----------
> From: Harry Chan-Maestas <harry.chan.maestas at gmail.com>
> Date: Sun, Mar 8, 2015 at 5:57 AM
> Subject: Re: [strongSwan] StrongSwan support for IPsec pre-fragmentation
> To: users at lists.strongswan.org
> Hi Noel,
> Thank you very much for the hint. I will give it a try.
> On Sat, Mar 7, 2015 at 6:53 AM, Noel Kuntze <noel at familie-kuntze.de>
>> Hello Harry,
>> As IPsec processing is done by the kernel using policies and the routing
>> is configured using the routing table,
>> you need to set the MTU on the routes to your endpoints. As strongSwan
>> manages its own routing table, you
>> need to make strongSwan set the MTU by itself.
>> You can make it do that by setting charon.plugins.kernel-netlink.mtu in
>> strongswan.conf to the MTU you want.
>> That option is available since version 5.2.2.
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> On 07.03.2015 at 02:42, Harry Chan-Maestas wrote:
>> > Hi,
>> > I am a new StrongSwan user, having switched recently from racoon, and I
>> have a question about IPsec packet fragmentation.
>> > In racoon, there is a configuration option "esp_frag". When enabled,
>> racoon will set IPsec to fragment jumbo frames before ESP is applied. I
>> have been looking through StrongSwan's Wiki, but have not found any
>> configuration options which would achieve that effect.
>> > Would anyone have some suggestions on alternative methods I can take?
>> > Any help would be appreciated.
>> > Thank you,
>> > Harry
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
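One way an application can be made MTU aware, as the reply at the top of this thread describes doing. This is an added example, not part of the original thread and not the poster's code. It assumes Linux, IPv4 and a connected UDP socket, and all function names are hypothetical.

```python
import errno
import socket

# Linux values from <linux/in.h>, defined here because Python's socket
# module does not export all of them (assumption: Linux, IPv4).
IP_MTU_DISCOVER, IP_PMTUDISC_DO, IP_MTU = 10, 2, 14
IPV4_UDP_HEADERS = 20 + 8   # IPv4 header without options + UDP header
MAX_IPV4_PACKET = 65535     # loopback reports a larger MTU than IPv4 can carry

def path_mtu(sock):
    """Kernel's current path MTU estimate for a connected UDP socket.
    The estimate takes an MTU attribute on the route into account."""
    return sock.getsockopt(socket.IPPROTO_IP, IP_MTU)

def max_payload(mtu):
    """Largest UDP payload that fits one unfragmented IPv4 packet."""
    if mtu <= IPV4_UDP_HEADERS:
        raise ValueError("MTU too small for an IPv4/UDP datagram")
    return min(mtu, MAX_IPV4_PACKET) - IPV4_UDP_HEADERS

def chunk(data, mtu):
    """Split data into payloads that each fit the given MTU."""
    size = max_payload(mtu)
    return [data[i:i + size] for i in range(0, len(data), size)]

def send_mtu_aware(sock, data):
    """Send data as datagrams sized to the path MTU; returns datagrams sent."""
    # Set DF so an oversized send fails with EMSGSIZE instead of being fragmented.
    sock.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DO)
    view, sent, count = memoryview(data), 0, 0
    while sent < len(view):
        size = max_payload(path_mtu(sock))
        try:
            sock.send(view[sent:sent + size])
        except OSError as exc:
            # Retry only if the kernel has lowered its estimate since we read it.
            if exc.errno != errno.EMSGSIZE or max_payload(path_mtu(sock)) >= size:
                raise
            continue
        sent += size
        count += 1
    return count

if __name__ == "__main__":
    # Constructed loopback demo; a real peer would sit behind the tunnel.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.connect(rx.getsockname())
    print(path_mtu(tx), send_mtu_aware(tx, bytes(100000)))
```

The payload size here leaves room only for the IPv4 and UDP headers; ESP overhead added by the tunnel is not subtracted and depends on the negotiated algorithms.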