From 365d9a6f67739bdc4c43130eec362ad97414762c Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Mon, 24 Dec 2012 12:59:30 +0100 Subject: Added an option that allows to force IKEv1 fragmentation --- man/ipsec.conf.5.in | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'man/ipsec.conf.5.in') diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 01c7c3848..2766cc4ed 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -403,15 +403,20 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected. This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked. .TP -.BR fragmentation " = yes | " no +.BR fragmentation " = yes | force | " no whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable values are -.B yes +.BR yes , +.B force and .B no (the default). Fragmented messages sent by a peer are always accepted -irrespective of the value of this option. If enabled, and the peer supports it, -larger IKE messages will be sent in fragments. +irrespective of the value of this option. If set to +.BR yes , +and the peer supports it, larger IKE messages will be sent in fragments. +If set to +.B force +the initial IKE message will already be fragmented if required. .TP .BR ike " = " comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms -- cgit v1.2.3
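Review bot: The new closing sentence for "force" in the fragmentation entry leaves two things open that an administrator needs before enabling it. First, it does not say whether "force" also covers what "yes" does for later messages, or only changes how the initial message is handled; if it is meant as a superset of "yes", say so. Second, the "yes" case is explicitly conditioned on "and the peer supports it", but the "force" sentence has no such condition and does not say what happens when the peer does not implement this proprietary IKEv1 extension; since the option affects the initial IKE message, the interoperability consequence belongs in the text. "if required" is also undefined: name what triggers fragmentation (a size limit or a setting), as the existing "larger IKE messages" wording gives no threshold either. Style: write ".BR force ," so the clause reads "If set to force, the initial IKE message ...", matching the ".BR yes ," construction two lines above.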