[strongSwan] charon.fragment parameter
Tobias Brunner
tobias at strongswan.org
Wed Mar 23 16:22:11 CET 2016
Hi Ruslan,
> As claimed in the documentation [1], charon.fragment_size is the maximum
> size (complete IP datagram size in bytes) of a sent IKE fragment.
> Q1: Does this size include the NAT-T payload (I suppose it is 8 bytes,
> isn't it?) and the IP header itself (up to 60 bytes)?
Yes.
> According to the RFC [2], the minimal size of an IP datagram that all
> hosts must be prepared to accept is 576 bytes.
> Q2: Would setting charon.fragment_size = 576 (and
> fragmentation=yes in ipsec.conf) theoretically 'guarantee' that IKEv2
> will work with any ISP, even with path MTU discovery problems and
> firewalls which drop fragmented packets? (I mean 'guarantee' in the
> majority of situations, except for an insane ISP.)
Yes, probably (576 is actually the default value for fragment_size for
IPv4, 1280 is used for IPv6).
Regards,
Tobias