diff options
author | Tobias Brunner <tobias@strongswan.org> | 2016-07-18 15:25:45 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-10-04 10:08:21 +0200 |
commit | af662a5170d919aedc4144a0462debd9155a800d (patch) | |
tree | 9bc09832ccfea31a8ca86cd0a96dde81573a8720 | |
parent | 0642f42bbeda7686f7e5691ced527a644996b330 (diff) | |
download | strongswan-af662a5170d919aedc4144a0462debd9155a800d.tar.bz2 strongswan-af662a5170d919aedc4144a0462debd9155a800d.tar.xz |
starter: Enable IKE fragmentation by default
-rw-r--r-- | man/ipsec.conf.5.in | 9 | ||||
-rw-r--r-- | src/starter/confread.c | 1 |
2 files changed, 6 insertions, 4 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 6d99e13f9..6f80709a6 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -445,14 +445,15 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected. This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked. .TP -.BR fragmentation " = yes | force | " no +.BR fragmentation " = " yes " | force | no" whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2 fragmentation as per RFC 7383). Acceptable values are -.BR yes , +.B yes +(the default), .B force and -.B no -(the default). Fragmented IKE messages sent by a peer are always accepted +.BR no . +Fragmented IKE messages sent by a peer are always accepted irrespective of the value of this option. If set to .BR yes , and the peer supports it, larger IKE messages will be sent in fragments. diff --git a/src/starter/confread.c b/src/starter/confread.c index 33924b065..3fb750e51 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -222,6 +222,7 @@ static void conn_defaults(starter_conn_t *conn) conn->dpd_delay = 30; /* seconds */ conn->dpd_timeout = 150; /* seconds */ conn->replay_window = SA_REPLAY_WINDOW_DEFAULT; + conn->fragmentation = FRAGMENTATION_YES; conn->left.sendcert = CERT_SEND_IF_ASKED; conn->right.sendcert = CERT_SEND_IF_ASKED; |