Issue #3004

Does the MTU affect IKE package size?

Added by li yang 7 months ago. Updated 6 days ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.6.3
Resolution: No change required

Description

Hi expert,

I have two questions:
1. Does the external port MTU affect the IKE package size, if the IKE charon.fragment_size is set to its default value?
Currently, I set the MTU to 576, and the IKE package size is 1294. I don't see the MTU impact.

2. Is PMTU applied to IKE packages?
When the remote peer sends IKE packages with size 576, the local peer still sends IKE packages with size 1294B.

Expect your reply. Thanks.

History

#1 Updated by Tobias Brunner 7 months ago

  • Status changed from New to Feedback

1. Does the external port MTU affect the IKE package size, if the IKE charon.fragment_size is set to its default value?
Currently, I set the MTU to 576, and the IKE package size is 1294. I don't see the MTU impact.

It only affects IKE packets and only if both peers support the fragmentation extension. It won't have an effect on IPsec traffic.

2. Is PMTU applied to IKE packages?
When the remote peer sends IKE packages with size 576, the local peer still sends IKE packages with size 1294B.

The packet size for IKE fragmentation is not negotiated (if the MTU is lower, the IP packet itself would get fragmented, though).

#2 Updated by li yang 7 months ago

Tobias Brunner wrote:

1. Does the external port MTU affect the IKE package size, if the IKE charon.fragment_size is set to its default value?
Currently, I set the MTU to 576, and the IKE package size is 1294. I don't see the MTU impact.

It only affects IKE packets and only if both peers support the fragmentation extension. It won't have an effect on IPsec traffic.

So IKE packet size is only affected by charon.fragment_size, not by external port MTU.

2. Is PMTU applied to IKE packages?
When the remote peer sends IKE packages with size 576, the local peer still sends IKE packages with size 1294B.

The packet size for IKE fragmentation is not negotiated (if the MTU is lower, the IP packet itself would get fragmented, though).

Is PMTU for IKE not supported?

#3 Updated by Tobias Brunner 7 months ago

It only affects IKE packets and only if both peers support the fragmentation extension. It won't have an effect on IPsec traffic.

So IKE packet size is only affected by charon.fragment_size, not by external port MTU.

As sent by the daemon, yes. It will get fragmented on the IP layer if the MTU is lower.

Is PMTU for IKE not supported?

Again, the fragment size used by the daemon is just as configured, but if the MTU is lower, the packet will get fragmented further.

#4 Updated by li yang 5 months ago

Hi expert,

Sorry for the late reply. Currently, I can't see IKE fragment on MTU, as I said in the beginning: "I set the MTU to 576, and the IKE package size is 1294. I don't see the MTU impact."

Is this an issue?

#5 Updated by Tobias Brunner 5 months ago

Currently, I can't see IKE fragment on MTU, as I said in the beginning: "I set the MTU to 576, and the IKE package size is 1294. I don't see the MTU impact."

As I said, the MTU has no effect on how the daemon fragments IKE messages (this is controlled with the strongswan.conf option). However, the IKE messages themselves might get fragmented if the MTU is lower than the message size.

#6 Updated by Tobias Brunner 6 days ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
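
Added example (not part of the original thread and not strongSwan code): the IP-layer fragmentation described in the replies above, computed for an IKE datagram that the daemon sends larger than the link MTU. Assumptions: IPv4 with a 20-byte header and no options, the DF bit is not set, charon.fragment_size counts the complete IP datagram, and the 1280-byte size is an assumed value that would match the reported 1294 bytes if the capture included a 14-byte Ethernet header.

```python
"""Added illustration: IPv4 fragmentation of an IKE datagram above the link MTU."""

IPV4_HEADER = 20  # assumption: IPv4 header without options
ETH_HEADER = 14   # assumption: the capture shows Ethernet frames


def ip_fragments(datagram_len, mtu, header=IPV4_HEADER):
    """Return [(payload_offset, ip_total_len, more_fragments)] for one datagram.

    datagram_len is the size of the IP datagram as sent by the IKE daemon,
    mtu is the MTU of the outgoing interface.
    """
    if datagram_len <= mtu:
        return [(0, datagram_len, False)]  # fits, no IP fragmentation
    # Every fragment except the last carries a payload that is a multiple of 8,
    # because the IPv4 fragment offset field counts 8-byte units.
    max_payload = (mtu - header) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload = datagram_len - header
    frags, offset = [], 0
    while offset < payload:
        chunk = min(max_payload, payload - offset)
        more = offset + chunk < payload
        frags.append((offset, header + chunk, more))
        offset += chunk
    return frags


def frame_sizes(datagram_len, mtu):
    """Ethernet frame sizes a capture on the link would show."""
    return [total + ETH_HEADER for _, total, _ in ip_fragments(datagram_len, mtu)]


if __name__ == "__main__":
    ike_datagram = 1280  # assumed daemon-side IKE fragment size (see lead-in)
    for mtu in (1500, 576):
        print(f"MTU {mtu}:")
        for off, total, more in ip_fragments(ike_datagram, mtu):
            print(f"  offset={off:4d} ip_len={total:4d} MF={int(more)}")
```

With the MTU at 1500 the datagram leaves as a single 1294-byte frame; at 576 the same datagram is split by the IP layer into three fragments, while the size chosen by the daemon stays unchanged.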
