|
For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.
FortiOS will fragment a packet on sending if only all the following are true:
- Phase 1 contains set fragmentation enable.
- The packet is larger than the minimum MTU (576 for IPv4, 1280 for IPv6).
- The packet is being re-transmitted.
By default, IKE fragmentation is enabled.
To configure IKEv1 fragmentation:
# config vpn ipsec phase1-interface
edit 1
set fragmentation [enable | disable]
next
end
IKEv2 fragmentation.
RFC 7383 requires each fragment to be individually encrypted and authenticated. With IKEv2, a copy of the unencrypted payloads around for each outgoing packet would need to be kept in case the original single packet was never answered and would retry with fragments.
With the following implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.
To configure IKEv2 fragmentation:
# config vpn ipsec phase1-interface
edit ike
set ike-version 2
set fragmentation [enable|disable]
set fragmentation-mtu <500-16000>
next
end
|
