[strongSwan] charon.fragment parameter

Tobias Brunner tobias at strongswan.org
Wed Mar 23 16:22:11 CET 2016

Hi Ruslan,

> As it claimed at documentation [1] charon.fragment_size is Maximum
> size (complete IP datagram size in bytes) of a sent IKE fragment.
> Q1: Does this size include NAT-T payload (I suppose it is 8 bytes,
> isn't it?) and the IP header itself (up to 60 bytes)?


> According rfc [2] minimal size of IP datagram that all hosts must be
> prepared to accept if 576 bytes.
> Q2: Would the setting of charon.fragment_size = 576 (and
> fragmentation=yes at ipsec.conf) theoretically  'guarantee' that IKEv2
> will work with any ISP even with path MTU discovery problems and
> firewalls which drops fragmented packets? (I mean 'guarantee' at the
> majority of situations, except insane ISP).

Yes, probably (576 is actually the default value for fragment_size for
IPv4, 1280 is used for IPv6).


More information about the Users mailing list