Merge branch 'enable-fragmentation'

This enables IKE fragmentation by default. And also increases the
default fragment size to 1280 bytes (the default for IPv6).

4 files changed, 6 insertions, 5 deletions

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 224a51923..2110fd31d 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1980,7 +1980,7 @@ CALLBACK(config_sn, bool,
 		.send_cert = CERT_SEND_IF_ASKED,
 		.version = IKE_ANY,
 		.remote_port = IKEV2_UDP_PORT,
-		.fragmentation = FRAGMENTATION_NO,
+		.fragmentation = FRAGMENTATION_YES,
 		.unique = UNIQUE_NO,
 		.keyingtries = 1,
 		.rekey_time = LFT_UNDEFINED,
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 239e260b1..ceeafcbb8 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -2979,7 +2979,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 		.flush_auth_cfg = lib->settings->get_bool(lib->settings,
 								"%s.flush_auth_cfg", FALSE, lib->ns),
 		.fragment_size = lib->settings->get_int(lib->settings,
-								"%s.fragment_size", 0, lib->ns),
+								"%s.fragment_size", 1280, lib->ns),
 		.follow_redirects = lib->settings->get_bool(lib->settings,
 								"%s.follow_redirects", TRUE, lib->ns),
 	);
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 33924b065..3fb750e51 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -222,6 +222,7 @@ static void conn_defaults(starter_conn_t *conn)
 	conn->dpd_delay             =  30; /* seconds */
 	conn->dpd_timeout           = 150; /* seconds */
 	conn->replay_window         = SA_REPLAY_WINDOW_DEFAULT;
+	conn->fragmentation         = FRAGMENTATION_YES;
 
 	conn->left.sendcert = CERT_SEND_IF_ASKED;
 	conn->right.sendcert = CERT_SEND_IF_ASKED;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 2a4f5a789..c4d9f86d6 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -139,12 +139,12 @@ connections.<conn>.dpd_timeout = 0s
 	checking. For compatibility reasons, with IKEv1 a custom interval may be
 	specified; this option has no effect on connections using IKE2.
 
-connections.<conn>.fragmentation = no
+connections.<conn>.fragmentation = yes
 	Use IKE UDP datagram fragmentation.  (_yes_, _no_ or _force_).
 
 	Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
-	fragmentation).  Acceptable  values  are _yes_, _force_ and _no_ (the
-	default). Fragmented IKE messages sent by a peer are always accepted
+	fragmentation).  Acceptable  values  are _yes_ (the	default), _force_ and
+	_no_. Fragmented IKE messages sent by a peer are always accepted
 	irrespective of  the  value  of  this option. If set to _yes_, and the peer
 	supports it, oversized IKE messages will be sent in fragments.  If set  to
 	_force_  (only  supported  for IKEv1) the initial IKE message will already