From 0642f42bbeda7686f7e5691ced527a644996b330 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 18 Jul 2016 15:01:07 +0200
Subject: ike: Set default IKE fragment size to 1280

This is the minimum size an IPv6 implementation must support. This makes it the default for IPv4 too, which presumably is also generally routable (otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
---
 src/libcharon/sa/ike_sa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 239e260b1..ceeafcbb8 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -2979,7 +2979,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
 "%s.flush_auth_cfg", FALSE, lib->ns),
 .fragment_size = lib->settings->get_int(lib->settings,
-"%s.fragment_size", 0, lib->ns),
+"%s.fragment_size", 1280, lib->ns),
 .follow_redirects = lib->settings->get_bool(lib->settings,
 "%s.follow_redirects", TRUE, lib->ns),
 );
--
cgit v1.2.3

From af662a5170d919aedc4144a0462debd9155a800d Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 18 Jul 2016 15:25:45 +0200
Subject: starter: Enable IKE fragmentation by default
---
 src/starter/confread.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src')

diff --git a/src/starter/confread.c b/src/starter/confread.c
index 33924b065..3fb750e51 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -222,6 +222,7 @@ static void conn_defaults(starter_conn_t *conn)
 conn->dpd_delay = 30; /* seconds */
 conn->dpd_timeout = 150; /* seconds */
 conn->replay_window = SA_REPLAY_WINDOW_DEFAULT;
+conn->fragmentation = FRAGMENTATION_YES;
 conn->left.sendcert = CERT_SEND_IF_ASKED;
 conn->right.sendcert = CERT_SEND_IF_ASKED;
--
cgit v1.2.3

From d5c6a0bac425d2524516476452747b989c8c5c93 Mon Sep 17 00:00:00 2001
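Review bot: The new default on the `+` line is a bare `1280` whose meaning (the IPv6 minimum link MTU, as the commit message explains) is invisible at the call site, and it presumably has to agree with whatever the fragmentation code elsewhere in libcharon uses as its IPv6 minimum when the setting is 0. I'd lift it into a named constant next to the other defaults in this file, `#define DEFAULT_FRAGMENT_SIZE 1280 /* IPv6 minimum MTU (RFC 2460 §5) */`, and pass `DEFAULT_FRAGMENT_SIZE` to `get_int()` here so the two values cannot drift. The strongswan.conf description of `charon.fragment_size` (not in this diff) should also be checked, since it is where operators learn that 0 selects the per-family minimum and that the default is no longer 0. ike_sa_create() continues outside the hunk.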
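Review bot: `conn->fragmentation = FRAGMENTATION_YES;` flips a user-visible ipsec.conf default without any annotation, whereas the dpd lines right above it carry unit comments; a one-line note would tell the reader what actually changes, e.g. `conn->fragmentation = FRAGMENTATION_YES; /* send fragments if the peer supports it */`. That wording follows the swanctl.opt text later on this page, which says fragments from a peer are always accepted regardless of the setting, so only the sending side is affected by this default. The ipsec.conf(5) man page (ipsec.conf.5.in, not in this diff) presumably still documents `fragmentation` as defaulting to no and should be updated in the same commit. conn_defaults() continues outside the hunk.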
From: Tobias Brunner
Date: Mon, 18 Jul 2016 15:26:16 +0200
Subject: vici: Enable IKE fragmentation by default
---
 src/libcharon/plugins/vici/vici_config.c | 2 +-
 src/swanctl/swanctl.opt | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'src')

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 224a51923..2110fd31d 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1980,7 +1980,7 @@ CALLBACK(config_sn, bool,
 .send_cert = CERT_SEND_IF_ASKED,
 .version = IKE_ANY,
 .remote_port = IKEV2_UDP_PORT,
-.fragmentation = FRAGMENTATION_NO,
+.fragmentation = FRAGMENTATION_YES,
 .unique = UNIQUE_NO,
 .keyingtries = 1,
 .rekey_time = LFT_UNDEFINED,
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 2a4f5a789..c4d9f86d6 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -139,12 +139,12 @@ connections..dpd_timeout = 0s
 checking. For compatibility reasons, with IKEv1 a custom interval may be specified; this option has no effect on connections using IKE2.
-connections..fragmentation = no
+connections..fragmentation = yes
 Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_).
 Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
-fragmentation). Acceptable values are _yes_, _force_ and _no_ (the
-default). Fragmented IKE messages sent by a peer are always accepted
+fragmentation). Acceptable values are _yes_ (the default), _force_ and
+_no_. Fragmented IKE messages sent by a peer are always accepted
 irrespective of the value of this option. If set to _yes_, and the peer supports it, oversized IKE messages will be sent in fragments. If set to _force_ (only supported for IKEv1) the initial IKE message will already
--
cgit v1.2.3
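Review bot: With this change the same connection default is now spelled out as a literal `FRAGMENTATION_YES` in two independent backends (this initializer in config_sn and conn_defaults() in src/starter/confread.c in the preceding commit), with nothing tying them together, so a future change to one is easy to miss in the other. I'd define the default once where `fragmentation_t` is declared, e.g. `#define FRAGMENTATION_DEFAULT FRAGMENTATION_YES`, and use `.fragmentation = FRAGMENTATION_DEFAULT,` here. The swanctl.opt hunk in this commit already explains that receiving fragments was always on and only sending depends on the setting; a short comment on the `+` line, `/* send fragments when the peer supports it */`, would make that visible to whoever reads the defaults table. config_sn continues outside the hunk.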