[strongSwan] charon.fragment parameter
tobias at strongswan.org
Wed Mar 23 16:22:11 CET 2016
> As claimed in the documentation, charon.fragment_size is the maximum
> size (complete IP datagram size in bytes) of a sent IKE fragment.
> Q1: Does this size include NAT-T payload (I suppose it is 8 bytes,
> isn't it?) and the IP header itself (up to 60 bytes)?
> According to the RFC, the minimal size of an IP datagram that all hosts
> must be prepared to accept is 576 bytes.
> Q2: Would setting charon.fragment_size = 576 (and
> fragmentation=yes in ipsec.conf) theoretically 'guarantee' that IKEv2
> will work with any ISP, even with path MTU discovery problems and
> firewalls which drop fragmented packets? (I mean 'guarantee' in the
> majority of situations, except for an insane ISP.)
Yes, probably (576 is actually the default value for fragment_size for
IPv4, 1280 is used for IPv6).