FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nnair
Staff
Staff
Article Id 201960
Description

This article describes that UDP fragmentation can cause issues in IPsec when either the ISP or perimeter firewall(s) cannot pass or fragment the oversized UDP packets that occur when using a very large public security key (PSK).

 

The result is that IPsec tunnels do not come up.

Scope  
Solution

For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.

 

FortiOS will fragment a packet on sending if only all the following are true:

- Phase 1 contains set fragmentation enable.
- The packet is larger than the minimum MTU (576 for IPv4, 1280 for IPv6).
- The packet is being re-transmitted.

 

By default, IKE fragmentation is enabled.

 

To configure IKEv1 fragmentation:

 

# config vpn ipsec phase1-interface
    edit 1
        set fragmentation [enable | disable]
    next
end

 

IKEv2 fragmentation.


RFC 7383 requires each fragment to be individually encrypted and authenticated. With IKEv2, a copy of the unencrypted payloads around for each outgoing packet would need to be kept in case the original single packet was never answered and would retry with fragments.

 

With the following implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.

 

To configure IKEv2 fragmentation:

 

# config vpn ipsec phase1-interface
    edit ike
        set ike-version 2
        set fragmentation [enable|disable]
        set fragmentation-mtu <500-16000>
    next
end

Contributors