
(Optional) Configuring IPSec Fragmentation

Context

The length of IPSec-encapsulated packets may exceed the maximum transmission unit (MTU) of the outbound interface on the local device. If the IPSec remote device does not support fragmentation and reassembly, it cannot decapsulate packets and will discard or incorrectly process packets, affecting packet transmission.

To prevent this problem, configure IPSec fragmentation before encryption on the local device. Subsequently, the local device calculates the length of encapsulated packets. If the length exceeds the MTU, the device fragments the packets and then encapsulates each fragment. After packets reach the IPSec remote device, the remote device can decapsulate the fragments without having to reassemble them. The decapsulated packets will be forwarded normally.

IPSec fragmentation before encryption can be configured globally or on an individual IPSec tunnel. The fragmentation mode configured globally applies to all IPSec tunnels; the fragmentation mode configured on an IPSec tunnel applies only to that tunnel.

Procedure

  • Configure IPSec fragmentation before encryption globally.

    If all or most IPSec packets are to use the same fragmentation mode, perform the following operations.

    1. Run system-view

      The system view is displayed.

    2. Run ipsec fragmentation before-encryption

      The fragmentation mode of packets is set to fragmentation before encryption for all IPSec tunnels.

      By default, the packet fragmentation mode for all IPSec tunnels is fragmentation after encryption.

      • When IPSec fragmentation after encryption is enabled, whether a packet is fragmented depends on the DF flag bit of the IPSec (encapsulated) packet. If the DF flag bit prevents fragmentation in this mode, run the ipsec df-bit { clear | set | copy } command in the system view to control the DF flag bit of IPSec packets and allow fragmentation.
      • When IPSec fragmentation before encryption is enabled, whether a packet is fragmented depends on the DF flag bit of the original packet. You can run the ipsec fragmentation ignore df-bit command to ignore the DF flag bit of the original packet; the original packet is then fragmented before encryption regardless of the value of its DF flag bit.

  • Configure IPSec fragmentation before encryption on an IPSec policy or IPSec policy template.

    If an IPSec tunnel requires a fragmentation mode different from that of the other tunnels, perform the following operations.

    1. Run system-view

      The system view is displayed.

    2. Create an IPSec policy, IPSec policy template, or IPSec profile.

      • Run ipsec policy policy-name seq-number { manual | isakmp }

        An IPSec policy is created and the IPSec policy view is displayed.

      • Run ipsec policy-template template-name seq-number

        An IPSec policy template is created and the IPSec policy template view is displayed.

      • Run ipsec profile profile-name

        An IPSec profile is created and the IPSec profile view is displayed.

    3. Run fragmentation before-encryption

      IPSec fragmentation before encryption is configured for the IPSec policy, IPSec policy template, or IPSec profile.

      By default, IPSec packets are fragmented after being encrypted.

      • When IPSec fragmentation after encryption is enabled, whether a packet is fragmented depends on the DF flag bit of the IPSec (encapsulated) packet. If the DF flag bit prevents fragmentation in this mode, run the ipsec df-bit { clear | set | copy } command in the system view to control the DF flag bit of IPSec packets and allow fragmentation.
      • When IPSec fragmentation before encryption is enabled, whether a packet is fragmented depends on the DF flag bit of the original packet. You can run the ipsec fragmentation ignore df-bit command to ignore the DF flag bit of the original packet; the original packet is then fragmented before encryption regardless of the value of its DF flag bit.

    4. Optional: Run ipsec negotiate-mtu [ mtu-value | ipv6 ipv6-mtu-value ]

      Sets the MTU value for IPSec negotiation packets.

      By default, the MTU value of IPSec negotiation packets is 1500.

      If the MTU of an IPSec negotiation packet is greater than the MTU of an interface, the IPSec negotiation packet is fragmented a second time. In this case, you can run the ipsec negotiate-mtu command to tune the MTU value of IPSec negotiation packets. After an MTU value for IPSec negotiation packets is set, IPSec negotiation packets are fragmented based on this MTU value.
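The length calculation described in the Context section, worked through as an added example (this is not Huawei's code). The ESP tunnel-mode overhead figures are assumptions for an AES-CBC/HMAC-SHA1-96 proposal; the real overhead depends on the negotiated algorithms.

```python
"""Model of IPSec fragmentation before encryption (added example, not device code).
ESP tunnel-mode overhead assumed for AES-CBC + HMAC-SHA1-96."""
import math
from typing import List, Optional

NEW_IP_HDR = 20    # outer IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC IV (assumed cipher)
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-SHA1-96 (assumed integrity algorithm)
BLOCK = 16         # AES block size; payload + trailer is padded to it
IP_HDR = 20        # inner IPv4 header carried in every fragment


def esp_tunnel_len(inner_len: int) -> int:
    """Length of the ESP tunnel-mode packet that encapsulates inner_len bytes."""
    padded = math.ceil((inner_len + ESP_TRAILER) / BLOCK) * BLOCK
    return NEW_IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def after_encryption_df(df_policy: str, original_df: bool) -> bool:
    """DF flag bit of the IPSec packet under `ipsec df-bit { clear | set | copy }`."""
    return {"clear": False, "set": True, "copy": original_df}[df_policy]


def fragment_before_encryption(pkt_len: int, mtu: int, df: bool,
                               ignore_df: bool = False) -> Optional[List[int]]:
    """Encapsulated length of each fragment sent; every entry fits the MTU.

    Returns None when the original packet has DF set and
    `ipsec fragmentation ignore df-bit` is not configured (cannot fragment).
    pkt_len is the original IPv4 packet length including its 20-byte header.
    """
    if esp_tunnel_len(pkt_len) <= mtu:
        return [esp_tunnel_len(pkt_len)]        # fits as-is, no fragmentation
    if df and not ignore_df:
        return None
    # Largest inner packet whose encapsulation still fits the outbound MTU.
    inner_max = pkt_len
    while esp_tunnel_len(inner_max) > mtu:
        inner_max -= 1
    # IPv4 fragment payloads (except the last) must be multiples of 8 bytes.
    per_frag = (inner_max - IP_HDR) // 8 * 8
    payload, frags = pkt_len - IP_HDR, []
    while payload > 0:
        chunk = min(payload, per_frag)
        frags.append(esp_tunnel_len(IP_HDR + chunk))  # each fragment encapsulated alone
        payload -= chunk
    return frags
```

With a 1500-byte original packet and a 1500-byte MTU the unfragmented ESP packet would be 1560 bytes, so the device splits it into two fragments of 1496 and 152 bytes after encapsulation.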

Copyright © Huawei Technologies Co., Ltd.