[strongSwan] Fwd: StrongSwan support for IPsec pre-fragmentation

Harry Chan-Maestas harry.chan.maestas at gmail.com
Tue Apr 14 17:35:09 CEST 2015


Sriram,

Thanks for the reminder; I forgot to update this thread.

I got the same result as you when I tried this. I have not found any other
workaround using StrongSwan, so I modified my app to be MTU aware and
adjust in real time.

Harry
On Apr 13, 2015 10:31 PM, "Sriram" <sriram.ec at gmail.com> wrote:

> Hi Harry,
>
> This is Sriram. When I happened to check the strongSwan mailing list, I found
> the mail chain below and found it relevant to what I was looking for.
>
> I set kernel-netlink.mtu to 1200 and found that any packet exceeding a
> packet size of 1200 got fragmented, but only after encryption.
> Is there any option available to achieve pre-fragmentation, i.e.
> fragmentation before encryption? If not, is there any workaround?
>
>
> Regards,
> Sriram.
>
>
>
> ---------- Forwarded message ----------
> From: Harry Chan-Maestas <harry.chan.maestas at gmail.com>
> Date: Sun, Mar 8, 2015 at 5:57 AM
> Subject: Re: [strongSwan] StrongSwan support for IPsec pre-fragmentation
> To: users at lists.strongswan.org
>
>
> Hi Noel,
>
> Thank you very much for the hint. I will give it a try.
>
> Harry
>
> On Sat, Mar 7, 2015 at 6:53 AM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>>
>> Hello Harry,
>>
>> As IPsec processing is done by the kernel using policies and the routing
>> is configured using the routing table,
>> you need to set the MTU on the routes to your endpoints. As strongSwan
>> manages its own routing table, you
>> need to make strongSwan set the MTU by itself.
>> You can make it do that by setting charon.plugins.kernel-netlink.mtu in
>> strongswan.conf to the MTU you want.
>> That option is available since version 5.2.2.
>>
>> Kind regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 07.03.2015 at 02:42, Harry Chan-Maestas wrote:
>> > Hi,
>> >
>> > I am a new StrongSwan user, having switched recently from racoon, and I
>> > have a question about IPsec packet fragmentation.
>> >
>> > In racoon, there is a configuration option "esp_frag". When enabled,
>> > racoon will set IPsec to fragment jumbo frames before ESP is applied. I
>> > have been looking through StrongSwan's Wiki, but have not found any
>> > configuration options which would achieve that effect.
>> >
>> > Would anyone have some suggestions on alternative methods I can take?
>> >
>> > Any help would be appreciated.
>> >
>> > Thank you,
>> >
>> > Harry
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
>
>
>
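
Added example (not part of the original thread and not strongSwan code): arithmetic for picking a value for charon.plugins.kernel-netlink.mtu, or a maximum datagram size for an MTU-aware application, so that the encrypted ESP packet still fits the link MTU. It assumes IPv4 tunnel mode with no IP options and the RFC 4303 ESP layout; the class, function and constant names are hypothetical.

```python
# Added example: ESP tunnel-mode overhead arithmetic (RFC 4303 packet layout).
# Assumptions: IPv4 outer header without options; suite sizes as listed below.
from dataclasses import dataclass

OUTER_IPV4 = 20   # outer IPv4 header added by tunnel mode
NATT_UDP = 8      # UDP encapsulation header when NAT traversal is active
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class Suite:
    name: str
    iv: int      # per-packet IV bytes carried on the wire
    block: int   # alignment of (inner packet + padding + trailer)
    icv: int     # integrity check value bytes


AES_CBC_SHA1 = Suite("aes128-sha1", iv=16, block=16, icv=12)
AES_CBC_SHA256 = Suite("aes128-sha256", iv=16, block=16, icv=16)
AES_GCM16 = Suite("aes128gcm16", iv=8, block=4, icv=16)


def fixed_overhead(suite, natt=False):
    """Bytes added to every packet regardless of its length."""
    return OUTER_IPV4 + (NATT_UDP if natt else 0) + ESP_HEADER + suite.iv + suite.icv


def esp_packet_size(inner_len, suite, natt=False):
    """Size on the wire of one inner IP packet after tunnel-mode ESP."""
    # Inner packet plus trailer is padded up to the cipher's alignment.
    padded = -(-(inner_len + ESP_TRAILER) // suite.block) * suite.block
    return fixed_overhead(suite, natt) + padded


def max_inner_mtu(link_mtu, suite, natt=False):
    """Largest inner packet whose ESP packet still fits in link_mtu."""
    room = (link_mtu - fixed_overhead(suite, natt)) // suite.block * suite.block
    return room - ESP_TRAILER


def fragments_after_encryption(inner_len, link_mtu, suite, natt=False):
    """True if the encrypted packet exceeds the link MTU and must be split."""
    return esp_packet_size(inner_len, suite, natt) > link_mtu


if __name__ == "__main__":
    for suite in (AES_CBC_SHA1, AES_CBC_SHA256, AES_GCM16):
        for natt in (False, True):
            print(suite.name, "natt" if natt else "plain",
                  max_inner_mtu(1500, suite, natt))
```
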