Fragmenting IP packets before IPsec encapsulation

The ip-fragmentation command controls whether packets are fragmented before or after IPsec encapsulation. Fragmenting before encapsulation can reduce packet loss in some environments.

The following options are available for the ip-fragmentation variable.

Option              Description
pre-encapsulation   Fragment before IPsec encapsulation.
post-encapsulation  Fragment after IPsec encapsulation (RFC compliant). Default value.

To configure packet fragmentation using the CLI:

config vpn ipsec phase1-interface
    edit "demo"
        set interface "port1"
        set authmethod signature
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set ip-fragmentation pre-encapsulation
        set remote-gw 172.16.200.4
        set certificate "Fortinet_Factory"
    next
end
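
The effect of the two options on what reaches the wire can be worked out from packet sizes. The following Python sketch is an added example, not Fortinet code, and models the arithmetic only, not how FortiOS actually sizes fragments. It assumes tunnel-mode ESP over IPv4 with AES-CBC and no NAT-T; the function names are hypothetical.

```python
# Added illustration (not Fortinet code). Assumes tunnel-mode ESP over IPv4,
# AES-CBC encryption, no NAT-T, and IPv4 headers without options.
IP_HDR, ESP_HDR, IV, BLOCK = 20, 8, 16, 16
ICV = {"sha256": 16, "sha1": 12}  # truncated HMAC-SHA-256-128 / HMAC-SHA-1-96


def esp_size(inner_len, auth="sha256"):
    """Size of the outer IPv4 packet after ESP wraps one inner packet."""
    # Payload plus the 2-byte ESP trailer is padded to the cipher block size.
    padded = -(-(inner_len + 2) // BLOCK) * BLOCK
    return IP_HDR + ESP_HDR + IV + padded + ICV[auth]


def fragment(total_len, mtu):
    """Sizes (IP header included) of the IPv4 fragments of one packet."""
    if total_len <= mtu:
        return [total_len]
    chunk = (mtu - IP_HDR) // 8 * 8  # fragment offsets count 8-byte units
    data, sizes = total_len - IP_HDR, []
    while data > 0:
        take = min(chunk, data)
        sizes.append(IP_HDR + take)
        data -= take
    return sizes


def max_inner(mtu, auth="sha256"):
    """Largest inner packet whose ESP packet still fits the outer MTU."""
    n = mtu
    while esp_size(n, auth) > mtu:
        n -= 1
    return n


def post_encapsulation(inner_len, mtu, auth="sha256"):
    """Encrypt once, then fragment the resulting ESP packet."""
    return fragment(esp_size(inner_len, auth), mtu)


def pre_encapsulation(inner_len, mtu, auth="sha256"):
    """Fragment the inner packet, then wrap each fragment in its own ESP packet."""
    return [esp_size(f, auth) for f in fragment(inner_len, max_inner(mtu, auth))]


if __name__ == "__main__":
    print("post:", post_encapsulation(1500, 1500))  # outer IP fragments
    print("pre: ", pre_encapsulation(1500, 1500))   # complete ESP packets
```

With post-encapsulation, a 1500-byte inner packet becomes one 1564-byte ESP packet that is split into outer fragments of 1500 and 84 bytes, which the peer must reassemble before it can authenticate and decrypt. With pre-encapsulation, the same packet becomes two self-contained ESP packets of 1500 and 156 bytes, so no outer IP fragments cross the path.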
