New Features

Option to Fragment IP Packets Before IPSec Encapsulation

A new ip-fragmentation option has been added to control whether packets are fragmented before or after IPsec encapsulation. Fragmenting before encapsulation can reduce packet loss in some environments.

The following options are available for the ip-fragmentation variable:

| Option | Description |
| --- | --- |
| pre-encapsulation | Fragment before IPsec encapsulation. |
| post-encapsulation (default value) | Fragment after IPsec encapsulation (RFC compliant). |

You can only control this option using the CLI:

    config vpn ipsec phase1-interface
        edit "demo"
            set interface "port1"
            set authmethod signature
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set ip-fragmentation pre-encapsulation
            set remote-gw 172.16.200.4
            set certificate "Fortinet_Factory"
        next
    end
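
To see what the two settings put on the wire, the following added example (not Fortinet code) computes outer packet sizes for ESP tunnel mode under each fragmentation order. It assumes IPv4, no NAT-T, the DF bit clear on the inner packet, AES-CBC with HMAC-SHA256-128 as in the aes128-sha256 proposal, and a 1500-byte MTU; all function names are hypothetical.

```python
# Added illustration, not Fortinet code. Assumptions: IPv4, no NAT-T, DF clear,
# AES-CBC with HMAC-SHA256-128 (the aes128-sha256 proposal), 1500-byte MTU.
IP_HDR = 20    # IPv4 header without options
ESP_HDR = 8    # SPI + sequence number
IV = 16        # AES-CBC initialization vector
BLOCK = 16     # AES block size, ESP pads the payload to this
ICV = 16       # HMAC-SHA-256 truncated to 128 bits
TRAILER = 2    # pad-length + next-header bytes


def esp_size(inner_len):
    """Outer IPv4 packet size when inner_len bytes are carried in ESP tunnel mode."""
    padded = -(-(inner_len + TRAILER) // BLOCK) * BLOCK  # round up to a block
    return IP_HDR + ESP_HDR + IV + padded + ICV


def fragment(total_len, mtu):
    """Sizes of the IPv4 fragments produced when total_len does not fit mtu."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8  # fragment offsets count 8-byte units
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IP_HDR + take)
        payload -= take
    return sizes


def max_inner(mtu):
    """Largest inner packet whose ESP packet still fits mtu unfragmented."""
    return (mtu - IP_HDR - ESP_HDR - IV - ICV) // BLOCK * BLOCK - TRAILER


def post_encapsulation(inner_len, mtu):
    """Encrypt first: the result is IP fragments of ONE ESP packet,
    which the peer must reassemble before it can decrypt."""
    return fragment(esp_size(inner_len), mtu)


def pre_encapsulation(inner_len, mtu):
    """Fragment first: every cleartext fragment becomes its own complete
    ESP packet, so nothing on the path sees an IP fragment."""
    return [esp_size(f) for f in fragment(inner_len, max_inner(mtu))]


if __name__ == "__main__":
    print("post-encapsulation:", post_encapsulation(1500, 1500))
    print("pre-encapsulation: ", pre_encapsulation(1500, 1500))
```

With post-encapsulation, the second packet on the wire is an IP fragment carrying no ESP header; with pre-encapsulation, both packets are whole ESP packets that the peer decrypts independently.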