The ipsec fragmentation before-encryption command sets the fragmentation mode of packets to fragmentation before encryption for all IPSec tunnels.
The undo ipsec fragmentation before-encryption command restores the default packet fragmentation mode.
By default, the packet fragmentation mode for all IPSec tunnels is fragmentation after encryption.
Usage Scenario
Fragmentation before encryption: Before encapsulation, the encryption device calculates the predicted length of the encapsulated packet. If that length exceeds the MTU of the outbound interface, the encryption device fragments the cleartext packet first and then encrypts each fragment. In this mode the decryption device decrypts the fragments individually and leaves reassembly to the terminal host, which reduces CPU usage on the decryption device.
Fragmentation after encryption: If the size of the encapsulated VPN packet exceeds the MTU of the outbound interface, the encryption device fragments the encrypted packet based on the MTU of the outbound interface. In this mode the peer decryption device must reassemble the VPN fragments before it can decrypt them, and then sends the decrypted packet to the terminal host.
The fragmentation before encryption mode can be configured globally or on an individual IPSec tunnel. The packet fragmentation mode configured globally applies to all IPSec tunnels.
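The following worked example is added here to illustrate the mechanism described above; it is not Huawei code and does not model the device exactly. It predicts the ESP tunnel-mode encapsulated length of a cleartext packet (using the standard RFC 4303 overhead for a constructed AES-128-CBC / HMAC-SHA1-96 proposal), derives the largest inner packet that still fits the outbound MTU, and compares the fragments produced by the two modes. The MTU of 1500 bytes, the packet sizes and the `df_set` flag (standing in for whether the `ipsec df-bit` policy permits fragmentation) are constructed assumptions.

```python
"""Fragmentation before vs. after ESP encryption (illustrative model, not vendor code)."""
from dataclasses import dataclass

IPV4_HDR = 20      # outer/inner IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProfile:
    """Per-proposal overhead; values below are the standard ones for this proposal."""
    name: str
    iv_len: int      # cipher IV carried in the ESP payload
    block_size: int  # cipher block size that payload+trailer is padded to
    icv_len: int     # truncated integrity check value


# Constructed example proposal: AES-128-CBC with HMAC-SHA1-96.
AES_CBC_SHA1 = EspProfile("aes-cbc-128/hmac-sha1-96", iv_len=16, block_size=16, icv_len=12)


def esp_tunnel_length(inner_len: int, prof: EspProfile) -> int:
    """Predicted on-the-wire length of an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    padded = inner_len + ESP_TRAILER
    pad = (-padded) % prof.block_size          # bring payload+trailer to a block multiple
    return IPV4_HDR + ESP_HDR + prof.iv_len + inner_len + pad + ESP_TRAILER + prof.icv_len


def max_inner_length(mtu: int, prof: EspProfile) -> int:
    """Largest inner packet whose encapsulation still fits the outbound MTU."""
    n = mtu
    while n > IPV4_HDR and esp_tunnel_length(n, prof) > mtu:
        n -= 1
    return n


def _ipv4_fragments(total_len: int, max_len: int) -> list[int]:
    """Split an IPv4 packet into fragments of at most max_len bytes (payload in 8-byte units)."""
    payload_per_frag = (max_len - IPV4_HDR) // 8 * 8
    data = total_len - IPV4_HDR
    frags = []
    while data > 0:
        chunk = min(payload_per_frag, data)
        frags.append(IPV4_HDR + chunk)
        data -= chunk
    return frags


def fragment_before_encryption(inner_len: int, mtu: int, prof: EspProfile,
                               df_set: bool = False):
    """Cleartext fragment lengths the encrypting device would produce so that every
    fragment, once encapsulated, fits the MTU. Returns None when the inner packet
    carries DF and the (assumed) df-bit policy does not allow fragmentation."""
    limit = max_inner_length(mtu, prof)
    if inner_len <= limit:
        return [inner_len]                     # no fragmentation needed
    if df_set:
        return None                            # must be dropped/signalled, not fragmented
    # Each cleartext fragment is encrypted separately; the peer decrypts each one and
    # forwards it, so reassembly happens on the terminal host.
    return _ipv4_fragments(inner_len, limit)


def fragment_after_encryption(inner_len: int, mtu: int, prof: EspProfile) -> list[int]:
    """Outer fragment lengths when the whole encapsulated packet is fragmented.
    The peer must reassemble all of them before the ICV can be verified and decrypted."""
    total = esp_tunnel_length(inner_len, prof)
    if total <= mtu:
        return [total]
    return _ipv4_fragments(total, mtu)


if __name__ == "__main__":
    mtu, inner = 1500, 1500                    # constructed sizes
    print("encapsulated length:", esp_tunnel_length(inner, AES_CBC_SHA1))
    print("max inner that fits:", max_inner_length(mtu, AES_CBC_SHA1))
    print("before-encryption fragments:", fragment_before_encryption(inner, mtu, AES_CBC_SHA1))
    print("after-encryption fragments: ", fragment_after_encryption(inner, mtu, AES_CBC_SHA1))
```

Running it with a 1500-byte inner packet and a 1500-byte MTU shows why the two modes differ in where the reassembly cost lands: before-encryption yields two cleartext fragments (1436 and 84 bytes) that each encapsulate to at most 1496 bytes and can be decrypted independently, whereas after-encryption yields a 1560-byte ESP packet split into 1500- and 80-byte outer fragments that the decrypting peer has to reassemble first.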
Precautions
Before IPSec packets can be fragmented, the ipsec df-bit command must be configured to permit IPSec packet fragmentation.
If the fragmentation command has been run to configure a packet fragmentation mode for a specific IPSec tunnel, that tunnel uses its own configured mode rather than the global one.
In transport mode, fragmentation before encryption is not supported.
For IPSec tunnels that are already established, restart them after running this command; otherwise the new fragmentation mode does not take effect.