IKE fragmentation example

This section provides an example of a non-default IPsec VPN configuration. You can use this configuration if FortiClient fails to connect to IPsec VPN and you see the following symptoms:

  • When you view the FortiGate IKE and FortiClient debug logs, they show that FortiClient fails at phase-1.
  • Packet capture shows that FortiGate sends some IKE packets that are longer than a standard Ethernet packet allows given the MTU, but FortiClient does not receive those packets.

In this case, you can try IKE fragmentation. You must make changes to the FortiGate and FortiClient configurations.

To configure the FortiGate:

Enable IKE fragmentation on the FortiGate using the following FortiOS CLI commands:

config vpn ipsec phase1-interface
    edit <your IPsec VPN>
        set fragmentation enable
    next
end

To configure FortiClient:

Enable IKE fragmentation on FortiClient using the following XML configuration:

<ipsecvpn>
    <connections>
        <connection>
            <name>your IPsec VPN</name>
            <ike_settings>
                <enable_ike_fragmentation>1</enable_ike_fragmentation>
            </ike_settings>
        </connection>
    </connections>
</ipsecvpn>
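When a FortiClient configuration holds several IPsec connections, it helps to check which ones have the flag set before editing. The following is an added example, not Fortinet code: it reports the flag per connection and sets it for one named connection. It assumes the element layout shown above; the connection names and helper function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two connections, using only the elements shown on this page.
SAMPLE = """<ipsecvpn>
  <connections>
    <connection>
      <name>branch-vpn</name>
      <ike_settings>
        <enable_ike_fragmentation>0</enable_ike_fragmentation>
      </ike_settings>
    </connection>
    <connection>
      <name>hq-vpn</name>
    </connection>
  </connections>
</ipsecvpn>"""

def _connections(root):
    # Works whether <ipsecvpn> is the root or nested inside a larger export.
    for vpn in root.iter("ipsecvpn"):
        yield from vpn.iter("connection")

def fragmentation_status(xml_text):
    """Map each connection name to True if enable_ike_fragmentation is 1."""
    root = ET.fromstring(xml_text)
    return {
        (c.findtext("name") or "").strip():
            (c.findtext("ike_settings/enable_ike_fragmentation") or "").strip() == "1"
        for c in _connections(root)
    }

def enable_fragmentation(xml_text, name):
    """Return the XML with the flag set to 1 for the named connection."""
    root = ET.fromstring(xml_text)
    matched = False
    for c in _connections(root):
        if (c.findtext("name") or "").strip() != name:
            continue
        ike = c.find("ike_settings")
        if ike is None:  # connection has no <ike_settings> block yet
            ike = ET.SubElement(c, "ike_settings")
        flag = ike.find("enable_ike_fragmentation")
        if flag is None:
            flag = ET.SubElement(ike, "enable_ike_fragmentation")
        flag.text = "1"
        matched = True
    if not matched:
        raise KeyError(f"no IPsec connection named {name!r}")
    return ET.tostring(root, encoding="unicode")
```

A connection with no `<enable_ike_fragmentation>` element is reported as not enabled, so it shows up in the same check as one explicitly set to 0.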
