Diffstat (limited to 'src/swanctl/swanctl.opt')
-rw-r--r-- src/swanctl/swanctl.opt 17
1 files changed, 9 insertions, 8 deletions
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index ef38d5d86..591204ef8 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -140,14 +140,15 @@ connections.<conn>.dpd_timeout = 0s
specified; this option has no effect on connections using IKE2.
connections.<conn>.fragmentation = no
- Use IKEv1 UDP packet fragmentation (_yes_, _no_ or _force_).
-
- The default of _no_ disables IKEv1 fragmentation mechanism, _yes_ enables
- it if support has been indicated by the peer. _force_ enforces
- fragmentation if required even before the peer had a chance to indicate
- support for it.
-
- IKE fragmentation is currently not supported with IKEv2.
+ Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_).
+
+ Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
+ fragmentation). Acceptable values are _yes_, _force_ and _no_ (the
+ default). Fragmented IKE messages sent by a peer are always accepted
+ irrespective of the value of this option. If set to _yes_, and the peer
+ supports it, oversized IKE messages will be sent in fragments. If set to
+ _force_ (only supported for IKEv1) the initial IKE message will already
+ be fragmented if required.
connections.<conn>.send_certreq = yes
Send certificate requests payloads (_yes_ or _no_).
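Review bot: The new description of _force_ says it is "only supported for IKEv1" but does not say what happens when _force_ is set on an IKEv2 connection (treated as _yes_, ignored, or rejected at load time); please state that behaviour in the paragraph so the option is unambiguous. The sentence "Fragmented IKE messages sent by a peer are always accepted irrespective of the value of this option" also means _no_ only controls sending, so the summary line should make that explicit, for example by wording it as sending fragmented messages. Two style points in the same hunk: the summary line has a stray period before the parenthesis ("fragmentation. (_yes_, _no_ or _force_)."), unlike the neighbouring send_certreq summary, and the accepted values are then listed a second time in the long description, so one of the two lists can go.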