[strongSwan] Question about IKE frag

Emeric POUPON emeric.poupon at stormshield.eu
Thu Apr 27 15:56:45 CEST 2017


Hello, about the "fragmentation" option, we have this:

fragmentation = yes | force | no

whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2 fragmentation as per RFC 7383).
Fragmented messages sent by a peer are always accepted irrespective of the value of this option.
If set to yes (the default since 5.5.1) and the peer supports it, larger IKE messages will be sent in fragments (the
maximum fragment size can be configured in strongswan.conf).


We noticed that for a tunnel between A and B:
- if A sets the option to "yes" and B sets the option to "no", A does not fragment messages.
- if A and B set the option to "yes", A does fragment messages, respecting the fragmentation_size parameter.

Do you confirm this behavior?
We would expect A to fragment messages since B can accept them anyway?

Emeric

