diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/config/ike_cfg.h | 8 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 1 | ||||
-rw-r--r-- | src/starter/args.c | 1 | ||||
-rw-r--r-- | src/starter/confread.h | 1 | ||||
-rw-r--r-- | src/swanctl/swanctl.opt | 18 |
5 files changed, 19 insertions, 10 deletions
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h index 4d37264f6..034996f60 100644 --- a/src/libcharon/config/ike_cfg.h +++ b/src/libcharon/config/ike_cfg.h @@ -47,14 +47,16 @@ enum ike_version_t { }; /** - * Proprietary IKEv1 fragmentation + * Proprietary IKEv1 fragmentation and IKEv2 fragmentation */ enum fragmentation_t { /** disable fragmentation */ FRAGMENTATION_NO, - /** enable fragmentation if supported by peer */ + /** announce support, but don't send any fragments */ + FRAGMENTATION_ACCEPT, + /** enable fragmentation, if supported by peer */ FRAGMENTATION_YES, - /** force use of fragmentation (even for the first message) */ + /** force use of fragmentation (even for the first message for IKEv1) */ FRAGMENTATION_FORCE, }; diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 12497ec5e..baa350784 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -1336,6 +1336,7 @@ CALLBACK(parse_frag, bool, { enum_map_t map[] = { { "yes", FRAGMENTATION_YES }, + { "accept", FRAGMENTATION_ACCEPT }, { "no", FRAGMENTATION_NO }, { "force", FRAGMENTATION_FORCE }, }; diff --git a/src/starter/args.c b/src/starter/args.c index 0874cc7e5..7f010d350 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -110,6 +110,7 @@ static const char *LST_authby[] = { static const char *LST_fragmentation[] = { "no", + "accept", "yes", "force", NULL diff --git a/src/starter/confread.h b/src/starter/confread.h index 45f34ce23..2b974d1bc 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -65,6 +65,7 @@ typedef enum { typedef enum { /* same as in ike_cfg.h */ FRAGMENTATION_NO, + FRAGMENTATION_ACCEPT, FRAGMENTATION_YES, FRAGMENTATION_FORCE, } fragmentation_t; diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index bdd92177f..96dfd3a61 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -154,15 +154,19 @@ connections.<conn>.dpd_timeout = 0s specified; this option has no effect on connections using IKE2. connections.<conn>.fragmentation = yes - Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_). + Use IKE UDP datagram fragmentation. (_yes_, _accept_, _no_ or _force_). Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 - fragmentation). Acceptable values are _yes_ (the default), _force_ and - _no_. Fragmented IKE messages sent by a peer are always accepted - irrespective of the value of this option. If set to _yes_, and the peer - supports it, oversized IKE messages will be sent in fragments. If set to - _force_ (only supported for IKEv1) the initial IKE message will already - be fragmented if required. + fragmentation). Acceptable values are _yes_ (the default), _accept_, + _force_ and _no_. If set to _yes_, and the peer supports it, oversized IKE + messages will be sent in fragments. If set to _accept_, support for + fragmentation is announced to the peer but the daemon does not send its own + messages in fragments. If set to _force_ (only supported for IKEv1) the + initial IKE message will already be fragmented if required. Finally, setting + the option to _no_ will disable announcing support for this feature. + + Note that fragmented IKE messages sent by a peer are always accepted + irrespective of the value of this option (even when set to _no_). connections.<conn>.send_certreq = yes Send certificate requests payloads (_yes_ or _no_). |