authorTobias Brunner <tobias@strongswan.org>2016-07-18 15:25:45 +0200
committerTobias Brunner <tobias@strongswan.org>2016-10-04 10:08:21 +0200
commitaf662a5170d919aedc4144a0462debd9155a800d (patch)
tree9bc09832ccfea31a8ca86cd0a96dde81573a8720
parent0642f42bbeda7686f7e5691ced527a644996b330 (diff)
starter: Enable IKE fragmentation by default
-rw-r--r--man/ipsec.conf.5.in9
-rw-r--r--src/starter/confread.c1
2 files changed, 6 insertions, 4 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 6d99e13f9..6f80709a6 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -445,14 +445,15 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
This may help to surmount restrictive firewalls. In order to force the peer to
encapsulate packets, NAT detection payloads are faked.
.TP
-.BR fragmentation " = yes | force | " no
+.BR fragmentation " = " yes " | force | no"
whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2
fragmentation as per RFC 7383). Acceptable values are
-.BR yes ,
+.B yes
+(the default),
.B force
and
-.B no
-(the default). Fragmented IKE messages sent by a peer are always accepted
+.BR no .
+Fragmented IKE messages sent by a peer are always accepted
irrespective of the value of this option. If set to
.BR yes ,
and the peer supports it, larger IKE messages will be sent in fragments.
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 33924b065..3fb750e51 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -222,6 +222,7 @@ static void conn_defaults(starter_conn_t *conn)
conn->dpd_delay = 30; /* seconds */
conn->dpd_timeout = 150; /* seconds */
conn->replay_window = SA_REPLAY_WINDOW_DEFAULT;
+ conn->fragmentation = FRAGMENTATION_YES;
conn->left.sendcert = CERT_SEND_IF_ASKED;
conn->right.sendcert = CERT_SEND_IF_ASKED;
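Review bot: The added line `conn->fragmentation = FRAGMENTATION_YES;` flips the behaviour of every conn that leaves `fragmentation` unset, yet unlike the neighbouring defaults it carries no comment saying what the value means. A short one would keep the code and the man page in step, for example `conn->fragmentation = FRAGMENTATION_YES; /* fragments only sent if the peer supports it */`, which matches the wording in ipsec.conf(5). The diffstat lists only the man page and confread.c, so an upgrade note for operators who relied on the old implicit `no` appears to be absent from this commit and may be worth adding wherever the project records such changes. conn_defaults begins and ends outside this hunk, so the rest of its defaults are not visible here.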