Option to Fragment IP Packets Before IPSec Encapsulation
A new ip-fragmentation option has been added to control fragmentation of packets before IPsec encapsulation, which can reduce packet loss in some environments.
The following options are available for the ip-fragmentation variable:
Option | Description |
---|---|
pre-encapsulation | Fragment before IPsec encapsulation. |
post-encapsulation (default value) | Fragment after IPsec encapsulation (RFC compliant). |
You can only control this option using the CLI:
```
config vpn ipsec phase1-interface
    edit "demo"
        set interface "port1"
        set authmethod signature
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set ip-fragmentation pre-encapsulation
        set remote-gw 172.16.200.4
        set certificate "Fortinet_Factory"
    next
end
```
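To audit which tunnels in a saved configuration fragment before encapsulation, the following added example (not Fortinet code) parses the phase1-interface section and reports each tunnel's effective ip-fragmentation value, treating an unset option as the default from the table above. The sample configuration is constructed, and the "branch-b" and "demo-p2" entries are hypothetical.

```python
import shlex

DEFAULT_MODE = "post-encapsulation"  # default value per the option table
VALID_MODES = {"pre-encapsulation", "post-encapsulation"}

# Constructed sample; "branch-b" and "demo-p2" are hypothetical entries.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "demo"
        set ip-fragmentation pre-encapsulation
    next
    edit "branch-b"
        set remote-gw 192.0.2.10
    next
end
config vpn ipsec phase2-interface
    edit "demo-p2"
        set phase1name "demo"
    next
end
"""

def fragmentation_modes(config_text):
    """Map each phase1-interface tunnel to its effective ip-fragmentation mode."""
    modes, depth, in_section, name = {}, 0, False, None
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. a multi-line quoted value
            tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            depth += 1
            if depth == 1:  # only top-level sections select what we audit
                in_section = tokens[1:] == ["vpn", "ipsec", "phase1-interface"]
        elif tokens[0] == "end":
            depth -= 1
        elif in_section and depth == 1:  # skip nested config blocks
            if tokens[0] == "edit" and len(tokens) == 2:
                name = tokens[1]
                modes[name] = DEFAULT_MODE  # unset means the default applies
            elif tokens[0] == "next":
                name = None
            elif name and len(tokens) == 3 and tokens[:2] == ["set", "ip-fragmentation"]:
                if tokens[2] not in VALID_MODES:
                    raise ValueError(f"{name}: unknown ip-fragmentation {tokens[2]!r}")
                modes[name] = tokens[2]
    return modes
```

Calling `fragmentation_modes(SAMPLE_CONFIG)` returns one entry per phase 1 tunnel, so tunnels that deviate from the RFC-compliant default can be listed and reviewed.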