5 files changed, 19 insertions, 10 deletions

diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 4d37264f6..034996f60 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -47,14 +47,16 @@ enum ike_version_t {
 };
 
 /**
- * Proprietary IKEv1 fragmentation
+ * Proprietary IKEv1 fragmentation and IKEv2 fragmentation
  */
 enum fragmentation_t {
 	/** disable fragmentation */
 	FRAGMENTATION_NO,
-	/** enable fragmentation if supported by peer */
+	/** announce support, but don't send any fragments */
+	FRAGMENTATION_ACCEPT,
+	/** enable fragmentation, if supported by peer */
 	FRAGMENTATION_YES,
-	/** force use of fragmentation (even for the first message) */
+	/** force use of fragmentation (even for the first message for IKEv1) */
 	FRAGMENTATION_FORCE,
 };
 
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 12497ec5e..baa350784 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1336,6 +1336,7 @@ CALLBACK(parse_frag, bool,
 {
 	enum_map_t map[] = {
 		{ "yes",		FRAGMENTATION_YES		},
+		{ "accept",		FRAGMENTATION_ACCEPT	},
 		{ "no",			FRAGMENTATION_NO		},
 		{ "force",		FRAGMENTATION_FORCE		},
 	};
diff --git a/src/starter/args.c b/src/starter/args.c
index 0874cc7e5..7f010d350 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -110,6 +110,7 @@ static const char *LST_authby[] = {
 
 static const char *LST_fragmentation[] = {
 	"no",
+	"accept",
 	"yes",
 	"force",
 	 NULL
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 45f34ce23..2b974d1bc 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -65,6 +65,7 @@ typedef enum {
 typedef enum {
 		/* same as in ike_cfg.h */
 		FRAGMENTATION_NO,
+		FRAGMENTATION_ACCEPT,
 		FRAGMENTATION_YES,
 		FRAGMENTATION_FORCE,
 } fragmentation_t;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index bdd92177f..96dfd3a61 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -154,15 +154,19 @@ connections.<conn>.dpd_timeout = 0s
 	specified; this option has no effect on connections using IKE2.
 
 connections.<conn>.fragmentation = yes
-	Use IKE UDP datagram fragmentation.  (_yes_, _no_ or _force_).
+	Use IKE UDP datagram fragmentation.  (_yes_, _accept_, _no_ or _force_).
 
 	Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
-	fragmentation).  Acceptable  values  are _yes_ (the	default), _force_ and
-	_no_. Fragmented IKE messages sent by a peer are always accepted
-	irrespective of  the  value  of  this option. If set to _yes_, and the peer
-	supports it, oversized IKE messages will be sent in fragments.  If set  to
-	_force_  (only  supported  for IKEv1) the initial IKE message will already
-	be fragmented if required.
+	fragmentation).  Acceptable  values  are _yes_ (the	default), _accept_,
+	_force_ and _no_. If set to _yes_, and the peer	supports it, oversized IKE
+	messages will be sent in fragments. If set to _accept_, support for
+	fragmentation is announced to the peer but the daemon does not send its own
+	messages in fragments.  If set to _force_ (only supported for IKEv1) the
+	initial IKE message will already be fragmented if required. Finally, setting
+	the option to _no_ will disable announcing support for this feature.
+
+	Note that fragmented IKE messages sent by a peer are always accepted
+	irrespective of the value of this option (even when set to _no_).
 
 connections.<conn>.send_certreq = yes
 	Send certificate requests payloads (_yes_ or _no_).