[strongSwan] charon.fragment parameter
Ruslan Kalakutsky
r.kalakutsky at gmail.com
Wed Mar 23 02:43:15 CET 2016
Hello,
I've faced some issues with an ISP that blocks ICMP 'fragmentation
needed' messages and also drops fragmented UDP packets. It affects the
AUTH messages of the IKEv2 protocol in use.

As claimed in the documentation [1], charon.fragment_size is the maximum
size (complete IP datagram size in bytes) of a sent IKE fragment.

Q1: Does this size include the NAT-T payload (I suppose it is 8 bytes,
isn't it?) and the IP header itself (up to 60 bytes)?

According to the RFC [2], the minimal size of an IP datagram that all hosts
must be prepared to accept is 576 bytes.

Q2: Would setting charon.fragment_size = 576 (and
fragmentation=yes in ipsec.conf) theoretically 'guarantee' that IKEv2
will work with any ISP, even with path MTU discovery problems and
firewalls which drop fragmented packets? (I mean 'guarantee' in the
majority of situations, except for an insane ISP.)
[1] https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
[2] http://tools.ietf.org/html/rfc791
Thanks in advance!
Regards,
Ruslan Kalakutsky
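A sizing check for the question above, added here as an example and not taken from the post or from strongSwan's own code: it models one RFC 7383 IKE fragment inside a UDP/4500 datagram and, treating charon.fragment_size as the complete IPv4 datagram length the documentation describes, reports how many fragments an IKE_AUTH message needs and how large each datagram gets. Header sizes come from RFC 768, 3948, 7296 and 7383; the cipher parameters (8-byte IV, 16-byte ICV, no block padding) are an assumption matching an AES-GCM proposal, and the 3000-byte message is a constructed input.

```python
import math

# Fixed header sizes (RFC 768, 3948, 7296, 7383). The IPv4 header is a
# parameter because it ranges from 20 bytes (no options) to 60 bytes.
UDP_HEADER = 8
NAT_T_MARKER = 4          # non-ESP marker prepended to IKE on UDP/4500
IKE_HEADER = 28
FRAG_PAYLOAD_HEADER = 8   # generic payload header + fragment number + total


def fixed_overhead(ip_header=20, nat_t=True, iv_len=8, icv_len=16):
    """Bytes of one fragment datagram that carry no IKE payload data."""
    return (ip_header + UDP_HEADER + (NAT_T_MARKER if nat_t else 0)
            + IKE_HEADER + FRAG_PAYLOAD_HEADER + iv_len + icv_len)


def datagram_len(plain_len, block=1, **kw):
    """IP datagram length of one fragment carrying plain_len payload bytes.

    The encrypted body is plaintext + padding + one pad-length byte, rounded
    up to the cipher block size (block=1 for AEAD modes such as AES-GCM).
    """
    body = math.ceil((plain_len + 1) / block) * block
    return fixed_overhead(**kw) + body


def fragment_plan(msg_len, fragment_size=576, block=1, **kw):
    """Return (payload bytes per fragment, fragment count) such that every
    fragment datagram is at most fragment_size bytes on the wire."""
    avail = fragment_size - fixed_overhead(**kw)
    capacity = (avail // block) * block - 1   # room left after pad-length byte
    if capacity <= 0:
        raise ValueError("fragment_size leaves no room for payload")
    return capacity, math.ceil(msg_len / capacity)


if __name__ == "__main__":
    # Constructed example: a 3000-byte IKE_AUTH (certificates make it large)
    # sent with charon.fragment_size = 576 over UDP/4500.
    for ip_hdr in (20, 60):            # no IP options vs. maximal options
        cap, n = fragment_plan(3000, ip_header=ip_hdr)
        print(f"IPv4 header {ip_hdr}B: {cap}B payload/fragment, {n} fragments, "
              f"largest datagram {datagram_len(cap, ip_header=ip_hdr)}B")
```

The count is IKE-level (RFC 7383) fragmentation; keeping every datagram at or below 576 bytes is what avoids IP-level fragmentation on the path, which is the case the question is about.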