[strongSwan-dev] FW: query regarding charon.fragment_size !
Pavan Gururaj Katti
2016-07-06 21:40:10 UTC
Hi strongSwan guys,

We are using strongSwan in order to do interop testing at Juniper w.r.t. RFC 7383.

We had a few queries regarding RFC 7383:
1. Why isn't charon.fragment_size enabled by default in code, i.e. IKE FRAG enabled by default?
What is the rationale behind enabling it specifically in strongswan.conf?
2. What are the frag sizes supported in case of IPv4 and IPv6? Or is the implementation the same in the code?

Thanks,
Pavan
Tobias Brunner
2016-07-07 07:59:55 UTC
Hi Pavan,

> 1. Why isn't *charon.fragment_size* enabled by default in code i.e. IKE
> FRAG Enabled by default ?
> What is the rationale behind it to enable specifically in strongswan.conf

As documented on [1] or in the man page, you don't have to set that
value in strongswan.conf. If it is not specified, address family
specific default values apply (1280 for IPv6 and 576 for IPv4).
But IKE fragmentation has to be enabled explicitly with
fragmentation=yes in ipsec.conf or swanctl.conf.

> 2. What are the frag size supported in case of IPv4 and IPv6 ? Or
> implementation is same in the code.

As documented, whatever you set in charon.fragment_size is used for both
address families.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
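
The two settings discussed in this thread live in different files: the size is a daemon-wide option, the on/off switch is per connection. The sketch below is an added example, not part of the original messages or of strongSwan's documentation; the connection name `interop` and the value 1400 are constructed for illustration.

```conf
# strongswan.conf: daemon-wide fragment size
charon {
    # Optional. When omitted, the address-family defaults given in the
    # reply apply (1280 for IPv6, 576 for IPv4). When set, this single
    # value is used for both address families.
    # 1400 is a constructed sample value.
    fragment_size = 1400
}

# ipsec.conf: per-connection switch
# ("interop" is a hypothetical connection name)
conn interop
    # IKE fragmentation (RFC 7383) has to be enabled explicitly.
    fragmentation=yes

# swanctl.conf: the same switch when the connection is defined here instead
connections {
    interop {
        fragmentation = yes
    }
}
```

Only one of the ipsec.conf or swanctl.conf stanzas is needed, depending on which configuration backend defines the connection.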