[strongSwan] charon.fragment parameter

Ruslan Kalakutsky r.kalakutsky at gmail.com
Wed Mar 23 02:43:15 CET 2016


I've faced up with some issues with ISP who block ICMP 'fragmentation
needed' messages, as well as drops fragmented UDP packets. It affects
AUTH messages of used IKEv2 protocol.

As it claimed at documentation [1] charon.fragment_size is Maximum
size (complete IP datagram size in bytes) of a sent IKE fragment.
Q1: Does this size include NAT-T payload (I suppose it is 8 bytes,
isn't it?) and the IP header itself (up to 60 bytes)?

According rfc [2] minimal size of IP datagram that all hosts must be
prepared to accept if 576 bytes.
Q2: Would the setting of charon.fragment_size = 576 (and
fragmentation=yes at ipsec.conf) theoretically  'guarantee' that IKEv2
will work with any ISP even with path MTU discovery problems and
firewalls which drops fragmented packets? (I mean 'guarantee' at the
majority of situations, except insane ISP).

[1] https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
[2] http://tools.ietf.org/html/rfc791

Thanks in advance!

Ruslan Kalakutsky

More information about the Users mailing list