starter: Enable IKE fragmentation by default

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 6d99e13f98a3fc55a41e74bee2d11864940838fd..6f80709a62156422ce62d5c81ce42db9f796070e 100644 (file)
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -445,14 +445,15 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked.
 .TP
-.BR fragmentation " = yes | force | " no
+.BR fragmentation " = " yes "  | force | no"
 whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2
 fragmentation as per RFC 7383).  Acceptable values are
-.BR yes ,
+.B yes
+(the default),
 .B force
 and
-.B no
-(the default). Fragmented IKE messages sent by a peer are always accepted
+.BR no .
+Fragmented IKE messages sent by a peer are always accepted
 irrespective of the value of this option. If set to
 .BR yes ,
 and the peer supports it, larger IKE messages will be sent in fragments.

diff --git a/src/starter/confread.c b/src/starter/confread.c
index 33924b065629f06c5996733fc128f6fd6eaaf1ea..3fb750e512bec774d2820583817ebcfa880c6592 100644 (file)
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -222,6 +222,7 @@ static void conn_defaults(starter_conn_t *conn)
        conn->dpd_delay             =  30; /* seconds */
        conn->dpd_timeout           = 150; /* seconds */
        conn->replay_window         = SA_REPLAY_WINDOW_DEFAULT;
+       conn->fragmentation         = FRAGMENTATION_YES;
 
        conn->left.sendcert = CERT_SEND_IF_ASKED;
        conn->right.sendcert = CERT_SEND_IF_ASKED;