From e333d4c0f10ee4d8f2592d2ece8264c8c675fd1e Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Sat, 9 Jan 2016 00:06:12 +0100 Subject: [PATCH] swanctl.conf: IKEv2 fragmentation supported --- src/swanctl/swanctl.opt | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index ef38d5d..591204e 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -140,14 +140,15 @@ connections..dpd_timeout = 0s specified; this option has no effect on connections using IKE2. connections..fragmentation = no - Use IKEv1 UDP packet fragmentation (_yes_, _no_ or _force_). - - The default of _no_ disables IKEv1 fragmentation mechanism, _yes_ enables - it if support has been indicated by the peer. _force_ enforces - fragmentation if required even before the peer had a chance to indicate - support for it. - - IKE fragmentation is currently not supported with IKEv2. + Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_). + + Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 + fragmentation). Acceptable values are _yes_, _force_ and _no_ (the + default). Fragmented IKE messages sent by a peer are always accepted + irrespective of the value of this option. If set to _yes_, and the peer + supports it, oversized IKE messages will be sent in fragments. If set to + _force_ (only supported for IKEv1) the initial IKE message will already + be fragmented if required. connections..send_certreq = yes Send certificate requests payloads (_yes_ or _no_). -- 2.7.4
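Review bot: In the new long description of connections..fragmentation, the sentence on _force_ says it is "only supported for IKEv1" but does not say what happens when _force_ is set on an IKEv2 connection; please state whether it is then treated as _yes_ or rejected, so the behaviour is documented rather than guessed. The text now says fragmented messages from a peer are always accepted irrespective of this option, so it would also help to say explicitly that _no_ only controls sending, since a reader may otherwise assume _no_ turns off fragment handling in both directions. Two style points in the same hunk: the summary line "Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_)." has a stray period before the parenthesis, and the long description repeats both the opening phrase and the list of acceptable values that the summary already gives, so one of the two can be dropped.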