From: Andreas Steffen Date: Fri, 8 Jan 2016 23:06:12 +0000 (+0100) Subject: swanctl.conf: IKEv2 fragmentation supported X-Git-Tag: 5.4.0dr4~8 X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=e333d4c0f10ee4d8f2592d2ece8264c8c675fd1e;ds=inline swanctl.conf: IKEv2 fragmentation supported --- diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index ef38d5d..591204e 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -140,14 +140,15 @@ connections..dpd_timeout = 0s specified; this option has no effect on connections using IKE2. connections..fragmentation = no - Use IKEv1 UDP packet fragmentation (_yes_, _no_ or _force_). - - The default of _no_ disables IKEv1 fragmentation mechanism, _yes_ enables - it if support has been indicated by the peer. _force_ enforces - fragmentation if required even before the peer had a chance to indicate - support for it. - - IKE fragmentation is currently not supported with IKEv2. + Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_). + + Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 + fragmentation). Acceptable values are _yes_, _force_ and _no_ (the + default). Fragmented IKE messages sent by a peer are always accepted + irrespective of the value of this option. If set to _yes_, and the peer + supports it, oversized IKE messages will be sent in fragments. If set to + _force_ (only supported for IKEv1) the initial IKE message will already + be fragmented if required. connections..send_certreq = yes Send certificate requests payloads (_yes_ or _no_).
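Review bot: The new description of `fragmentation` marks `_force_` as "only supported for IKEv1" but does not say how the value is treated on an IKEv2 connection (handled like `_yes_`, ignored, or rejected at load time). Please state that, since the option now applies to both protocol versions. The sentence "Fragmented IKE messages sent by a peer are always accepted irrespective of the value of this option" means `_no_` only controls sending. It would help to word the default that way ("_no_ never sends fragments") so nobody reads `_no_` as turning off fragment reassembly on receipt. Two style points in the same added lines: the summary line has a stray period before the parenthesis ("fragmentation. (_yes_, _no_ or _force_)."), and the paragraph that follows repeats both "Use IKE fragmentation" and the list of acceptable values, so one of the two can be dropped.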