From: Tobias Brunner Date: Mon, 18 Jul 2016 13:25:45 +0000 (+0200) Subject: starter: Enable IKE fragmentation by default X-Git-Tag: 5.5.1rc1~19^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af662a5170d919aedc4144a0462debd9155a800d;p=thirdparty%2Fstrongswan.git starter: Enable IKE fragmentation by default --- diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 6d99e13f98..6f80709a62 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -445,14 +445,15 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected. This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked. .TP -.BR fragmentation " = yes | force | " no +.BR fragmentation " = " yes " | force | no" whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2 fragmentation as per RFC 7383). Acceptable values are -.BR yes , +.B yes +(the default), .B force and -.B no -(the default). Fragmented IKE messages sent by a peer are always accepted +.BR no . +Fragmented IKE messages sent by a peer are always accepted irrespective of the value of this option. If set to .BR yes , and the peer supports it, larger IKE messages will be sent in fragments. diff --git a/src/starter/confread.c b/src/starter/confread.c index 33924b0656..3fb750e512 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -222,6 +222,7 @@ static void conn_defaults(starter_conn_t *conn) conn->dpd_delay = 30; /* seconds */ conn->dpd_timeout = 150; /* seconds */ conn->replay_window = SA_REPLAY_WINDOW_DEFAULT; + conn->fragmentation = FRAGMENTATION_YES; conn->left.sendcert = CERT_SEND_IF_ASKED; conn->right.sendcert = CERT_SEND_IF_ASKED;
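Review bot: in the ipsec.conf.5.in hunk the change of default is expressed only by moving "(the default)" from .B no to .B yes, which is easy to miss for anyone reading the man page to find out why a previously unset fragmentation option now behaves differently; since this flips behaviour for every existing ipsec.conf that leaves the option unset, add an explicit sentence in the option description, e.g. "Since 5.5.1 the default is yes; set fragmentation = no to restore the previous behaviour.", and a matching NEWS entry. The interoperability impact is bounded by the retained sentence "If set to yes, and the peer supports it, larger IKE messages will be sent in fragments", so it would also be worth stating there that peers without fragmentation support are unaffected by the new default.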
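Review bot: in the confread.c hunk, conn_defaults() now sets conn->fragmentation = FRAGMENTATION_YES, but this only changes the defaults applied to ipsec.conf connections parsed by starter; confirm that the other configuration frontend (vici/swanctl) receives the same default in a sibling commit, otherwise the two frontends diverge and the man page claim "yes (the default)" holds only for ipsec.conf. A short trailing comment on the new line, in the style of the existing "/* seconds */" annotations on dpd_delay and dpd_timeout, noting that the default changed from no in 5.5.1, would help readers of conn_defaults() who otherwise have no indication that this value was ever different.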