[strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-28 Thread Sriram
Hi, We are using strongswan - 5.3.0. To make use of the ikev2 fragmentation feature that is available since 5.2.1, we enabled fragmentation=yes in ipsec.conf and fragment_size = 1200. The device mtu is 1500. Feature gets enabled as the security gateway also supports IKEV2_FRAGMENTATION_SUPPORTED p

Re: [strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-29 Thread Tobias Brunner
Hi Sriram,
> But the concern is fragment size, though it is set as 1200,
> fragment_size of 576 is seen in the wireshark.
I'm assuming for packets sent by the gateway. The fragment size is not negotiated, so the gateway might just default to the minimum datagram size a host must be able to accep

Re: [strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-29 Thread Sriram
Hi Tobias, Thanks for the reply. I have set fragment_size = 1200 in strongswan.conf and fragmentation=yes in the ipsec.conf on the client side. Even though it is 1200, ike packets that are sent from the client are of the size 576. I have not changed the configuration file, as the generation of t

Re: [strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-29 Thread Tobias Brunner
Hi Sriram,
> So I think, since the strongswan file is not proper, charon would have
> defaulted to 576. Please clarify.
Yes, if the file is invalid it gets rejected completely and no options in it will get applied. You should have seen an error message like "invalid config file '...'" in the log

Re: [strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-29 Thread Sriram
Hi Tobias. Yes you are right, strongswan complains about this. Since logs got rolled over and there is no console access, I could not catch this issue soon. Thanks for the help. Regards, Sriram.
On Fri, Jul 29, 2016 at 6:32 PM, Tobias Brunner wrote:
> Hi Sriram,
>
> > So I think, since the st