[strongSwan] StrongSwan support for IPsec pre-fragmentation

Noel Kuntze noel at familie-kuntze.de
Sat Mar 7 15:53:16 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Harry,

As IPsec processing is done by the kernel using policies and the routing is configured using the routing table,
you need to set the MTU on the routes to your endpoints. As strongSwan manages its own routing table, you
need to make strongSwan set the MTU by itself.
You can make it do that by setting charon.plugins.kernel-netlink.mtu in strongswan.conf to the MTU you want.
That option is available since version 5.2.2.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 07.03.2015 um 02:42 schrieb Harry Chan-Maestas:
> Hi,
>
> I am a new StrongSwan user, having switched recently from racoon, and I have a question about IPsec packet fragmentation.
>
> In racoon, there is a configuration option "esp_frag". When enabled, racoon will set IPsec to fragment jumbo frames before ESP is applied. I have been look through StrongSwan's Wiki, but have not found any configuration options which would achieve that effect.
>
> Would anyone have some suggestions on alternative methods I can take?
>
> Any help would be appreciated.
>
> Thank you,
>
> Harry
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJU+xDbAAoJEDg5KY9j7GZY+e4P+QFNuf6AfB+Byio43SKDXIkN
nVSDmO9s5KO3jiPNNVL3XrSgCI+IKveL4SXe87cy3anoVfVwIEYSPhctPFkk3tDZ
BEY+ztGqgJXK8JM9jjeuSQrkj2OzNrLgbbEvojiJMcI8MpfYRx6i/IgJHjECyOm0
fsAouwTfK3PcPv9LT9g1bQX1VP3CmdTzG+NQ68cxkG96p+zWajaG/vasHS49uqeA
6QyJBZXFXmD0fTGrkCE8B3HQTBuZvbA37allNk83wi5VdJ/MIIsxC1Ql86cDhRUs
52TnYRWnVzSQZWLw999HS1FyoPpVC60ikUkD5FMQCqtaegT2qvmTvgsyL+DZVga6
Jsc4UV4A3zmVuuETl4ufE7gE+HegA7Y/qcLXpqCW8GVs125wI+hu2VKG9kVipQSi
hDhBws9waKvxKIL7hy2bhELIlU3r3QPUesFRP1Xu/Vq1Nu/j1t1LkQX30e6e1qQ5
5r90YUHOsOuUlYJS8NhVBlp3r23TwR+u1xivo3K9XmYPXb6Vi4Th0UHPwKkbrEyV
TNyt6h/qYol/spr/mAYnZ7zGwNjUzZRDMoiN/OpJt7iHH8X0reoDiwgIf+9wA1Sx
J5MK9I854j8fHrKsAKbuypQzCk3EFVg1UtayOwgZIh/XU0aAEDc4Ov2b7j3ugx/g
hGWpeY1h/l+C0Qtp3S3g
=/HB+
-----END PGP SIGNATURE-----




More information about the Users mailing list