Sriram,

Thanks for the reminder; I forgot to update this thread.

I got the same result as you when I tried this. I have not found any other workaround using StrongSwan, so I modified my app to be MTU aware and adjust in real time.

Harry

On Apr 13, 2015 10:31 PM, "Sriram" <[email protected]> wrote:

> Hi Harry,
>
> This is Sriram. When I happened to check the strongswan mailing list, I found
> the mail chain below and found it relevant to what I was looking for.
>
> I set that kernel-netlink.mtu to 1200 and found that any packet exceeding
> 1200 packet size got fragmented but only after encryption.
> Is there any option available to achieve prefragmentation, i.e.
> fragmentation before encryption? If not, is there any workaround?
>
> Regards,
> Sriram.
>
> ---------- Forwarded message ----------
> From: Harry Chan-Maestas <[email protected]>
> Date: Sun, Mar 8, 2015 at 5:57 AM
> Subject: Re: [strongSwan] StrongSwan support for IPsec pre-fragmentation
> To: [email protected]
>
> Hi Noel,
>
> Thank you very much for the hint. I will give it a try.
>
> Harry
>
> On Sat, Mar 7, 2015 at 6:53 AM, Noel Kuntze <[email protected]> wrote:
>
>> Hello Harry,
>>
>> As IPsec processing is done by the kernel using policies and the routing
>> is configured using the routing table, you need to set the MTU on the
>> routes to your endpoints. As strongSwan manages its own routing table, you
>> need to make strongSwan set the MTU by itself.
>> You can make it do that by setting charon.plugins.kernel-netlink.mtu in
>> strongswan.conf to the MTU you want.
>> That option is available since version 5.2.2.
>>
>> Kind regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 07.03.2015 at 02:42, Harry Chan-Maestas wrote:
>> > Hi,
>> >
>> > I am a new StrongSwan user, having switched recently from racoon, and I
>> > have a question about IPsec packet fragmentation.
>> >
>> > In racoon, there is a configuration option "esp_frag". When enabled,
>> > racoon will set IPsec to fragment jumbo frames before ESP is applied. I
>> > have been looking through StrongSwan's Wiki, but have not found any
>> > configuration options which would achieve that effect.
>> >
>> > Would anyone have some suggestions on alternative methods I can take?
>> >
>> > Any help would be appreciated.
>> >
>> > Thank you,
>> >
>> > Harry
>> >
>> > _______________________________________________
>> > Users mailing list
>> > [email protected]
>> > https://lists.strongswan.org/mailman/listinfo/users
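The size arithmetic behind the "MTU aware" application approach mentioned at the top of this thread, as an added example that is not part of the original messages or of strongSwan: it computes how large an inner packet can be before its ESP tunnel-mode packet exceeds the path MTU and gets fragmented after encryption. It assumes an IPv4 outer header without options; the function names and transform labels are made up for this example, and the per-transform sizes are the usual ESP IV, alignment and ICV lengths.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4 outer header assumed).
# Transform labels are names chosen for this example, not strongSwan keywords.
from dataclasses import dataclass

OUTER_IPV4 = 20      # outer IPv4 header, no options
NATT_UDP = 8         # UDP encapsulation header, only when NAT-T is in use
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER_MIN = 2  # pad length (1) + next header (1)


@dataclass(frozen=True)
class Transform:
    iv: int     # IV bytes carried in every packet
    block: int  # alignment of (inner packet + trailer)
    icv: int    # integrity check value length


TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": Transform(iv=16, block=16, icv=12),
    "aes-cbc/hmac-sha256-128": Transform(iv=16, block=16, icv=16),
    "aes-gcm-16": Transform(iv=8, block=4, icv=16),
}


def fixed_overhead(t, nat_t=False):
    """Bytes added to every packet regardless of padding."""
    return OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER + t.iv + t.icv


def esp_packet_size(inner_len, t, nat_t=False):
    """On-the-wire size of the ESP packet carrying an inner packet of inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER_MIN) // t.block) * t.block  # round up
    return fixed_overhead(t, nat_t) + padded


def max_inner_packet(path_mtu, t, nat_t=False):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = (path_mtu - fixed_overhead(t, nat_t)) // t.block * t.block
    return room - ESP_TRAILER_MIN


def max_udp_payload(path_mtu, t, nat_t=False):
    """Largest UDP payload the application can send with no fragmentation at all."""
    return max_inner_packet(path_mtu, t, nat_t) - 20 - 8  # inner IPv4 + UDP headers


if __name__ == "__main__":
    for name, t in TRANSFORMS.items():
        for nat_t in (False, True):
            print(f"{name:24} nat_t={nat_t!s:5} path MTU 1500 -> "
                  f"max inner {max_inner_packet(1500, t, nat_t)}, "
                  f"max UDP payload {max_udp_payload(1500, t, nat_t)}")
```

An application that tracks the current path MTU can call `max_udp_payload` with it and keep its datagrams at or below the result.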
