Diffstat (limited to 'src')
-rw-r--r--src/libcharon/config/ike_cfg.h8
-rw-r--r--src/libcharon/plugins/vici/vici_config.c1
-rw-r--r--src/starter/args.c1
-rw-r--r--src/starter/confread.h1
-rw-r--r--src/swanctl/swanctl.opt18
5 files changed, 19 insertions, 10 deletions
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 4d37264f6..034996f60 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -47,14 +47,16 @@ enum ike_version_t {
};
/**
- * Proprietary IKEv1 fragmentation
+ * Proprietary IKEv1 fragmentation and IKEv2 fragmentation
*/
enum fragmentation_t {
/** disable fragmentation */
FRAGMENTATION_NO,
- /** enable fragmentation if supported by peer */
+ /** announce support, but don't send any fragments */
+ FRAGMENTATION_ACCEPT,
+ /** enable fragmentation, if supported by peer */
FRAGMENTATION_YES,
- /** force use of fragmentation (even for the first message) */
+ /** force use of fragmentation (even for the first message for IKEv1) */
FRAGMENTATION_FORCE,
};
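Review bot: Inserting FRAGMENTATION_ACCEPT ahead of FRAGMENTATION_YES renumbers FRAGMENTATION_YES and FRAGMENTATION_FORCE, so every consumer that relies on the raw integer rather than the name has to move in step; the mirrored enum in src/starter/confread.h and the positional string list in src/starter/args.c are updated in this commit, but any other place that stores, serializes or compares the numeric value (the starter-to-daemon message, if it carries this field as an integer, would be the one to check) breaks silently rather than at compile time. Appending the new value after FRAGMENTATION_FORCE would have avoided the shift at the cost of the natural no/accept/yes/force ordering; if the insertion is kept, a comment at the top of the enum saying that confread.h and args.c mirror this order would help the next addition. The comment on FRAGMENTATION_NO could also state what the swanctl.opt text in this commit makes explicit, that incoming fragments are still accepted: `/** disable fragmentation (don't announce support; fragments sent by a peer are still accepted) */`.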
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 12497ec5e..baa350784 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1336,6 +1336,7 @@ CALLBACK(parse_frag, bool,
{
enum_map_t map[] = {
{ "yes", FRAGMENTATION_YES },
+ { "accept", FRAGMENTATION_ACCEPT },
{ "no", FRAGMENTATION_NO },
{ "force", FRAGMENTATION_FORCE },
};
diff --git a/src/starter/args.c b/src/starter/args.c
index 0874cc7e5..7f010d350 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -110,6 +110,7 @@ static const char *LST_authby[] = {
static const char *LST_fragmentation[] = {
"no",
+ "accept",
"yes",
"force",
NULL
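Review bot: LST_fragmentation appears to be positional — "accept" had to be inserted between "no" and "yes" so that the index lines up with fragmentation_t in src/starter/confread.h — but nothing at the definition records that coupling, so a future value added at the end of one and in the middle of the other would map every option to the wrong mode without any warning. A comment above the array, `/* order must match fragmentation_t in confread.h (and ike_cfg.h) */`, makes the constraint visible where the next edit happens. The array's closing `};` is outside the hunk.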
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 45f34ce23..2b974d1bc 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -65,6 +65,7 @@ typedef enum {
typedef enum {
/* same as in ike_cfg.h */
FRAGMENTATION_NO,
+ FRAGMENTATION_ACCEPT,
FRAGMENTATION_YES,
FRAGMENTATION_FORCE,
} fragmentation_t;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index bdd92177f..96dfd3a61 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -154,15 +154,19 @@ connections.<conn>.dpd_timeout = 0s
specified; this option has no effect on connections using IKE2.
connections.<conn>.fragmentation = yes
- Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_).
+ Use IKE UDP datagram fragmentation. (_yes_, _accept_, _no_ or _force_).
Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
- fragmentation). Acceptable values are _yes_ (the default), _force_ and
- _no_. Fragmented IKE messages sent by a peer are always accepted
- irrespective of the value of this option. If set to _yes_, and the peer
- supports it, oversized IKE messages will be sent in fragments. If set to
- _force_ (only supported for IKEv1) the initial IKE message will already
- be fragmented if required.
+ fragmentation). Acceptable values are _yes_ (the default), _accept_,
+ _force_ and _no_. If set to _yes_, and the peer supports it, oversized IKE
+ messages will be sent in fragments. If set to _accept_, support for
+ fragmentation is announced to the peer but the daemon does not send its own
+ messages in fragments. If set to _force_ (only supported for IKEv1) the
+ initial IKE message will already be fragmented if required. Finally, setting
+ the option to _no_ will disable announcing support for this feature.
+
+ Note that fragmented IKE messages sent by a peer are always accepted
+ irrespective of the value of this option (even when set to _no_).
connections.<conn>.send_certreq = yes
Send certificate requests payloads (_yes_ or _no_).