Add an option to en-/disable IKE fragmentation

Fragments are always accepted but will not be sent if disabled. The vendor ID is only sent if the option is enabled.
2025-10-06 00:00:47 -04:00 · 2012-12-21 18:27:02 +01:00 · 2012-12-21 18:27:02 +01:00 · 2f62bb1549
commit 2f62bb1549
parent 5cafefcd5d
3 changed files with 25 additions and 5 deletions
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@ -178,6 +178,11 @@ openly transmitted hash of the PSK)
 .BR charon.ignore_routing_tables
 A space-separated list of routing tables to be excluded from route lookups
 .TP
+.BR charon.ike_fragmentation " [no]"
+Enables IKE fragmentation (proprietary IKEv1 extension). Fragmented messages
+are always accepted irrespective of the value of this option. If the peer
+supports it larger messages will be sent in fragments.
+.TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
 .TP
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@ -225,6 +225,11 @@ struct private_task_manager_t {

 	} frag;

+	/**
+	 * TRUE if fragmentation (as sender) is enabled in config
+	 */
+	bool fragmentation;
+
 	/**
 	 * List of queued tasks not yet in action
 	 */
@ -411,7 +416,7 @@ static bool send_packet(private_task_manager_t *this, bool request,

 	data = packet->get_data(packet);
 	if (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_FRAGMENTATION) &&
-		data.len > MAX_FRAGMENT_SIZE)
+		this->fragmentation && data.len > MAX_FRAGMENT_SIZE)
 	{
 		fragment_payload_t *fragment;
 		u_int8_t num, count;
@ -1996,6 +2001,8 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
 		.retransmit_base = lib->settings->get_double(lib->settings,
 					"%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+		.fragmentation = lib->settings->get_bool(lib->settings,
+					"%s.ike_fragmentation", FALSE, charon->name),
 	);

 	if (!this->rng)
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@ -155,18 +155,26 @@ METHOD(task_t, build, status_t,
 	private_isakmp_vendor_t *this, message_t *message)
 {
 	vendor_id_payload_t *vid_payload;
-	bool strongswan, cisco_unity;
+	bool strongswan, cisco_unity, fragmentation;
 	int i;

 	strongswan = lib->settings->get_bool(lib->settings,
-									"%s.send_vendor_id", FALSE, charon->name);
+								"%s.send_vendor_id", FALSE, charon->name);
 	cisco_unity = lib->settings->get_bool(lib->settings,
-									"%s.cisco_unity", FALSE, charon->name);
+								"%s.cisco_unity", FALSE, charon->name);
+	fragmentation = lib->settings->get_bool(lib->settings,
+								"%s.ike_fragmentation", FALSE, charon->name);
+	if (!this->initiator && fragmentation)
+	{
+		fragmentation = this->ike_sa->supports_extension(this->ike_sa,
+														 EXT_IKE_FRAGMENTATION);
+	}
 	for (i = 0; i < countof(vendor_ids); i++)
 	{
 		if (vendor_ids[i].send ||
 		   (vendor_ids[i].extension == EXT_STRONGSWAN && strongswan) ||
-		   (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity))
+		   (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity) ||
+		   (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && fragmentation))
 		{
 			DBG2(DBG_IKE, "sending %s vendor ID", vendor_ids[i].desc);
 			vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1,