nnair (Staff)
Article Id 201960
Description

This article describes how UDP fragmentation can cause IPsec problems when the ISP or a perimeter firewall cannot pass or fragment the oversized UDP packets that occur when a very large pre-shared key (PSK) is used.

The result is that IPsec tunnels do not come up.

Scope

FortiGate.
Solution

For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.

For IKEv1, FortiOS fragments a packet on sending only if all of the following are true:

  • Phase 1 contains set fragmentation enable.
  • The packet is larger than the minimum MTU (576 bytes for IPv4, 1280 bytes for IPv6).
  • The packet is being retransmitted.

By default, IKE fragmentation is enabled.

To configure IKEv1 fragmentation:

config vpn ipsec phase1-interface
    edit 1
        set fragmentation [enable | disable]
    next
end

IKEv2 fragmentation

IKEv2 fragmentation is not part of the core IKEv2 specification; it is defined in RFC 7383. Both IKEv2 peers must announce support for RFC 7383 with the IKEV2_FRAGMENTATION_SUPPORTED notification in order to use IKEv2 fragmentation.

RFC 7383 requires each fragment to be individually encrypted and authenticated. If IKEv2 fragmented only on retransmission, as IKEv1 does, a copy of the unencrypted payloads of every outgoing packet would have to be kept in case the original single packet was never answered and had to be retried as fragments.

With this implementation, if the IKE payloads are larger than the configured threshold, the IKE packets are preemptively fragmented and each fragment is encrypted.

To configure IKEv2 fragmentation:

config vpn ipsec phase1-interface
    edit ike
        set ike-version 2
        set fragmentation [enable|disable]
        set fragmentation-mtu <500-16000>
    next
end

Unlike IKEv1, fragments are sent on the first attempt if the IKE payload size is greater than the fragmentation MTU.

Only some IKEv2 packets are considered fragmentable: AUTH, CREATE_CHILD_SA, and some INFORMATIONAL messages.

Maximum number of IKEv2 fragments = 64 (for reassembly).
Reassembly timeout = 15 seconds (same as IKEv1).
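As an added example (not FortiOS code and not part of the original article), the following Python models the fragmentation rules quoted above for both IKEv1 (fragment only on retransmit above the minimum MTU) and IKEv2 (fragment on the first send above fragmentation-mtu, only for fragmentable exchanges), together with an RFC 7383-style receiver that reassembles fragments out of order, ignores duplicates and malformed fragments, enforces the 64-fragment limit and discards a partial message after the 15-second timeout. The per-fragment overhead constant, the function and class names, the exchange-name strings, the timestamps and the sample payload are constructed assumptions; real fragments carry an Encrypted Fragment payload and are individually encrypted and authenticated, which this model leaves out.

```python
"""Model of IKE fragmentation decisions and RFC 7383 fragment reassembly.

Added example, not FortiOS code: it encodes the rules quoted in the article.
Per-fragment overhead, sample payloads and timestamps are constructed values.
"""
from typing import Dict, List, Optional

MIN_MTU = {"ipv4": 576, "ipv6": 1280}    # IKEv1 minimum-MTU thresholds (article)
FRAGMENTABLE = {"IKE_AUTH", "CREATE_CHILD_SA", "INFORMATIONAL"}  # RFC 7383 / article
MAX_FRAGMENTS = 64                         # reassembly limit (article)
REASSEMBLY_TIMEOUT = 15.0                  # seconds (article)

# Assumed per-fragment overhead: IKE header (28) + Encrypted Fragment payload
# header (8) + IV (8) + ICV (16). Constructed for this model, not a FortiOS value.
OVERHEAD = 28 + 8 + 8 + 16


def ikev1_should_fragment(fragmentation_enabled: bool, packet_len: int,
                          family: str, is_retransmit: bool) -> bool:
    """All three IKEv1 conditions from the article must hold."""
    return fragmentation_enabled and packet_len > MIN_MTU[family] and is_retransmit


def ikev2_should_fragment(fragmentation_enabled: bool, peer_supports: bool,
                          exchange: str, payload_len: int,
                          fragmentation_mtu: int) -> bool:
    """IKEv2 fragments on the first attempt, but only when both peers announced
    IKEV2_FRAGMENTATION_SUPPORTED, the exchange is fragmentable and the payload
    exceeds fragmentation-mtu."""
    return (fragmentation_enabled and peer_supports
            and exchange in FRAGMENTABLE and payload_len > fragmentation_mtu)


class Fragment:
    """One RFC 7383 fragment: Message ID, 1-based Fragment Number, Total
    Fragments and the (here unencrypted) slice of the original message."""

    def __init__(self, message_id: int, frag_num: int, total: int, data: bytes):
        self.message_id, self.frag_num, self.total, self.data = message_id, frag_num, total, data


def fragment_message(message_id: int, plaintext: bytes,
                     fragmentation_mtu: int) -> List[Fragment]:
    """Split a message so each fragment plus overhead fits fragmentation-mtu;
    refuse messages that would need more than MAX_FRAGMENTS pieces."""
    chunk = fragmentation_mtu - OVERHEAD
    if chunk <= 0:
        raise ValueError("fragmentation-mtu too small for the fragment overhead")
    pieces = [plaintext[i:i + chunk] for i in range(0, len(plaintext), chunk)]
    if len(pieces) > MAX_FRAGMENTS:
        raise ValueError(f"{len(pieces)} fragments needed, limit is {MAX_FRAGMENTS}")
    return [Fragment(message_id, n, len(pieces), p) for n, p in enumerate(pieces, 1)]


class Reassembler:
    """Receiver side: buffers fragments per Message ID, drops malformed or
    duplicate fragments, and discards a partial message after the timeout."""

    def __init__(self, timeout: float = REASSEMBLY_TIMEOUT):
        self.timeout = timeout
        self.parts: Dict[int, Dict[int, bytes]] = {}
        self.total: Dict[int, int] = {}
        self.started: Dict[int, float] = {}

    def receive(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Return the reassembled message once the last fragment has arrived."""
        if not 1 <= frag.frag_num <= frag.total <= MAX_FRAGMENTS:
            return None                        # malformed: drop silently
        mid = frag.message_id
        if mid in self.started and now - self.started[mid] > self.timeout:
            self._discard(mid)                 # stale partial message: start over
        if mid not in self.parts:
            self.parts[mid], self.total[mid], self.started[mid] = {}, frag.total, now
        if frag.total != self.total[mid]:
            return None                        # inconsistent Total Fragments
        self.parts[mid].setdefault(frag.frag_num, frag.data)  # retransmitted copy ignored
        if len(self.parts[mid]) < frag.total:
            return None
        data = b"".join(self.parts[mid][n] for n in range(1, frag.total + 1))
        self._discard(mid)
        return data

    def pending(self) -> int:
        """Number of messages still waiting for fragments."""
        return len(self.parts)

    def _discard(self, mid: int) -> None:
        for table in (self.parts, self.total, self.started):
            table.pop(mid, None)


if __name__ == "__main__":
    # Constructed 3072-byte IKE_AUTH payload standing in for a large certificate chain.
    msg = bytes(range(256)) * 12
    frags = fragment_message(1, msg, fragmentation_mtu=1200)
    rx = Reassembler()
    out = None
    for f in reversed(frags):                  # out-of-order delivery
        out = rx.receive(f, now=0.0)
    print(len(frags), "fragments,", "reassembled ok" if out == msg else "failed")
```

Lowering `fragmentation_mtu` in the `__main__` block shows the 64-fragment ceiling: a message that would need 65 pieces is refused by the sender before anything is transmitted, which is the same limit the receiver enforces in `receive`.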