fragmentation before-encryption

Function

The fragmentation before-encryption command sets the packet fragmentation mode of an IPSec tunnel to fragmentation before encryption.

The undo fragmentation before-encryption command restores the default packet fragmentation mode for an IPSec tunnel.

By default, the packet fragmentation mode for an IPSec tunnel is fragmentation after encryption.

Format

fragmentation before-encryption

undo fragmentation before-encryption

Parameters

None

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an original packet is encapsulated, the packet length may exceed the maximum transmission unit (MTU) of the device outbound interface. To prevent packet loss, fragment the packets. The following fragmentation modes are available:
  • Fragmentation before encryption: Before encapsulation, the encryption device calculates the predicted length of the encapsulated packet. If that length exceeds the MTU of the outbound interface, the device first fragments the original (clear-text) packet and then encrypts each fragment separately. The decryption device decrypts each fragment independently and forwards it; reassembly is left to the destination host, which reduces CPU usage on the decryption device.

  • Fragmentation after encryption: If the encapsulated IPSec packet exceeds the MTU of the outbound interface, the encryption device fragments the encrypted packet based on that MTU. The peer decryption device must reassemble the IPSec fragments before it can decrypt them, and then sends the decrypted packet to the destination host.

Fragmentation before encryption can be enabled globally or for an individual IPSec tunnel. A fragmentation mode configured for an IPSec tunnel applies only to that tunnel. Run this command in the tunnel's IPSec policy, policy template, or profile view when that tunnel requires a fragmentation mode different from the global one.

Precautions

This command only sets the fragmentation mode; it does not itself change how the DF bit is handled. Which DF bit is checked depends on the mode: with fragmentation before encryption, the device checks the DF bit of the original packet; with fragmentation after encryption, it checks the DF bit of the packet encapsulated with the IPSec header.

When fragmentation before encryption is enabled and the ipsec fragmentation ignore df-bit command is also configured, the device ignores the DF bit of the original packet: an oversized original packet is fragmented before encryption even if its DF bit is set to 1.
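The usage scenario and the DF-bit precaution above describe a per-packet decision: predict the encapsulated length, compare it with the outbound MTU, and then either pass the packet, fragment it (before or after encryption), or drop it because DF forbids fragmentation. The following Python model, added here as an illustration and not Huawei VRP code, works that decision through for IPv4 ESP in tunnel mode. The overhead figures follow RFC 4303 (SPI and sequence number, IV, padding, pad length and next header, ICV); the two cipher suites, the exact 8-byte fragment alignment, and the treatment of `ignore df-bit` and `ipsec df-bit` as simple boolean inputs are assumptions made for the example.

```python
"""Model of the two IPsec fragmentation modes described above.

Constructed example, not Huawei VRP code. It assumes IPv4 ESP in tunnel
mode and two hypothetical cipher suites whose per-packet overhead follows
RFC 4303 (SPI + sequence number, IV, padding, pad length + next header,
ICV). All lengths are in bytes.
"""
from dataclasses import dataclass
from typing import List, Optional

IPV4_HDR = 20        # outer and inner IPv4 header, no options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
FRAG_UNIT = 8        # IPv4 fragment offsets are in 8-byte units


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int      # bytes of IV carried in the ESP payload
    pad_align: int   # payload+trailer alignment: cipher block size for CBC, 4 for AEAD
    icv_len: int     # integrity check value length


# Assumed suites (lengths per RFC 3602 / RFC 2404 and RFC 4106).
AES_CBC_SHA1 = EspSuite("aes-cbc-128 + hmac-sha1-96", iv_len=16, pad_align=16, icv_len=12)
AES_GCM_128 = EspSuite("aes-gcm-128 (16-byte ICV)", iv_len=8, pad_align=4, icv_len=16)


def esp_tunnel_len(inner_len: int, suite: EspSuite) -> int:
    """Predicted on-the-wire length of an inner IPv4 packet after ESP tunnel encapsulation."""
    pad = (-(inner_len + ESP_TRAILER)) % suite.pad_align
    return IPV4_HDR + ESP_HDR + suite.iv_len + inner_len + pad + ESP_TRAILER + suite.icv_len


def max_inner_len(mtu: int, suite: EspSuite) -> int:
    """Largest inner packet whose encapsulated form still fits the outbound MTU."""
    length = mtu
    while length > IPV4_HDR and esp_tunnel_len(length, suite) > mtu:
        length -= 1
    return length


def _split(total_payload: int, payload_per_frag: int) -> List[int]:
    """IPv4 fragmentation: every fragment but the last carries a multiple of 8 bytes."""
    chunks = []
    while total_payload > 0:
        chunk = min(payload_per_frag, total_payload)
        chunks.append(chunk)
        total_payload -= chunk
    return chunks


def fragment_before_encryption(inner_len: int, inner_df: bool, mtu: int,
                               suite: EspSuite, ignore_df: bool = False) -> Optional[List[int]]:
    """Fragmentation before encryption: the DF bit of the ORIGINAL packet decides.

    Returns the list of encapsulated packet lengths leaving the interface, or
    None if the packet is dropped because DF forbids fragmentation.
    ignore_df=True models the assumed effect of `ipsec fragmentation ignore df-bit`.
    """
    whole = esp_tunnel_len(inner_len, suite)
    if whole <= mtu:
        return [whole]                      # fits: no fragmentation needed
    if inner_df and not ignore_df:
        return None                         # original packet has DF=1: cannot pre-fragment
    payload_per_frag = ((max_inner_len(mtu, suite) - IPV4_HDR) // FRAG_UNIT) * FRAG_UNIT
    # Each clear-text fragment gets its own inner IP header and is encrypted on its
    # own; the receiving host, not the decrypting gateway, reassembles them.
    return [esp_tunnel_len(IPV4_HDR + chunk, suite)
            for chunk in _split(inner_len - IPV4_HDR, payload_per_frag)]


def fragment_after_encryption(inner_len: int, mtu: int, suite: EspSuite,
                              outer_df: bool = False) -> Optional[List[int]]:
    """Fragmentation after encryption: the DF bit of the ENCAPSULATED packet decides.

    outer_df models the outer header's DF bit as set by the `ipsec df-bit` policy.
    The peer gateway must reassemble these fragments before it can decrypt.
    """
    whole = esp_tunnel_len(inner_len, suite)
    if whole <= mtu:
        return [whole]
    if outer_df:
        return None                         # encapsulated packet has DF=1: dropped
    payload_per_frag = ((mtu - IPV4_HDR) // FRAG_UNIT) * FRAG_UNIT
    return [IPV4_HDR + chunk for chunk in _split(whole - IPV4_HDR, payload_per_frag)]


if __name__ == "__main__":
    mtu, suite = 1500, AES_CBC_SHA1
    for size in (100, 1500):
        print(f"{size}-byte original packet, {suite.name}, MTU {mtu}")
        print("  before-encryption, DF=0:          ", fragment_before_encryption(size, False, mtu, suite))
        print("  before-encryption, DF=1:          ", fragment_before_encryption(size, True, mtu, suite))
        print("  before-encryption, DF=1, ignore DF:",
              fragment_before_encryption(size, True, mtu, suite, ignore_df=True))
        print("  after-encryption:                 ", fragment_after_encryption(size, mtu, suite))
```

Running the model with a 1500-byte original packet, AES-CBC with HMAC-SHA1-96 and a 1500-byte MTU shows the practical difference between the modes: before-encryption produces two independently decryptable ESP packets of 1496 and 152 bytes, while after-encryption produces a 1500-byte and an 80-byte IP fragment of a single 1560-byte ESP packet that the peer has to buffer and reassemble before any decryption or integrity check can run. Setting DF on the original packet blocks the first mode unless `ignore df-bit` is in effect, which is exactly the check the precaution above describes.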

In transport mode, fragmentation before encryption is not supported.

Before IPSec packets can be fragmented, the ipsec df-bit command must be configured to permit IPSec packet fragmentation.

For the established IPSec tunnels, you need to restart them after running this command. Otherwise, the command function does not take effect.

Example

# Set the fragmentation mode of IPSec packets to fragmentation before encryption.

<sysname> system-view
[sysname] ipsec policy poli 10 isakmp
[sysname-ipsec-policy-isakmp-poli-10] fragmentation before-encryption
Copyright © Huawei Technologies Co., Ltd.