ikev2 fragmentation

Function

The ikev2 fragmentation command enables IKEv2 packet fragmentation.

The undo ikev2 fragmentation command disables IKEv2 packet fragmentation.

By default, IKEv2 packet fragmentation is disabled.

Format

ikev2 fragmentation [ mtu mtu-size ]

undo ikev2 fragmentation

Parameters

Parameter | Description | Value
mtu mtu-size | Specifies the MTU value. | The value is an integer that ranges from 200 to 1500, in seconds. The default value is 576 for an IPv4 packet and 1280 for an IPv6 packet.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During IKEv2 negotiation, if the length of an encrypted IKEv2 packet exceeds the MTU of the outbound interface of the device, the device fragments the IKEv2 packet for transmission. However, some network devices (such as firewalls and NAT devices) do not permit UDP fragments as an attack defense measure. As a result, the IKEv2 fragments are discarded and IKEv2 negotiation between the IKE peers fails. In this case, run the ikev2 fragmentation command to configure the device to fragment any IKEv2 packet longer than the MTU specified by mtu-size before encrypting it. This configuration prevents the encrypted IKEv2 packet from being fragmented before transmission.
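
The splitting described above, worked through as an added example (not Huawei's code) that goes beyond the page by using the RFC 7383 Encrypted Fragment layout. Assumptions: mtu-size bounds the whole IP datagram, the cipher is AES-CBC with a 16-byte IV and a 16-byte integrity checksum, and the 1800-byte message is constructed.

```python
# Added illustration, not vendor code. Header sizes follow RFC 7296 / RFC 7383.
IP_HDR = {4: 20, 6: 40}   # IP header, no options or extension headers
UDP_HDR = 8
NON_ESP_MARKER = 4        # only when IKE runs over UDP 4500 (NAT traversal)
IKE_HDR = 28
SKF_HDR = 8               # Encrypted Fragment payload: generic header 4 + fragment no. 2 + total 2
MTU_RANGE = (200, 1500)   # mtu-size range documented on this page


def overhead(ip_version=4, nat_t=False, iv_len=16, icv_len=16):
    """Bytes in each datagram that are not ciphertext (IV/ICV sizes are assumed)."""
    marker = NON_ESP_MARKER if nat_t else 0
    return IP_HDR[ip_version] + UDP_HDR + marker + IKE_HDR + SKF_HDR + iv_len + icv_len


def max_chunk(mtu, block=16, **kw):
    """Largest plaintext slice whose encrypted fragment still fits in mtu."""
    if not MTU_RANGE[0] <= mtu <= MTU_RANGE[1]:
        raise ValueError("mtu-size outside 200-1500")
    room = mtu - overhead(**kw)
    room -= room % block          # ciphertext is a whole number of cipher blocks
    if room < block:
        raise ValueError("mtu-size leaves no room for payload data")
    return room - 1               # one byte is the Pad Length field


def plan_fragments(plaintext_len, mtu, block=16, **kw):
    """Return (fragment_number, total_fragments, plaintext_bytes, datagram_bytes) tuples."""
    chunk = max_chunk(mtu, block, **kw)
    total = -(-plaintext_len // chunk)            # ceiling division
    plan, left = [], plaintext_len
    for number in range(1, total + 1):
        size = min(chunk, left)
        left -= size
        ciphertext = -(-(size + 1) // block) * block   # data + Pad Length, padded to block
        plan.append((number, total, size, overhead(**kw) + ciphertext))
    return plan


if __name__ == "__main__":
    # Constructed input: 1800 bytes of IKE_AUTH payloads (e.g. carrying a certificate).
    for row in plan_fragments(1800, mtu=600):
        print(row)
```

Every datagram in the plan stays at or below mtu-size, so no intermediate device ever sees an IP-level UDP fragment.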

Precautions

IKEv2 packet fragmentation must be enabled on both ends. Otherwise, this function does not take effect.

Example

# Enable IKEv2 packet fragmentation and set the MTU to 600.

<sysname> system-view
[sysname] ike peer test
[sysname-ike-peer-test] ikev2 fragmentation mtu 600
Copyright © Huawei Technologies Co., Ltd.