[Swan-commit] Changes to ref refs/heads/fragmentation
Paul Wouters
paul at vault.libreswan.fi
Tue Jan 22 06:16:57 EET 2013
New commits:
commit 88e33b64be8a5c439d51ac75f5a243bbabf989e4
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 23:16:36 2013 -0500
* IKEv1: Support for receiving IKEv1 fragments (not RFC)
Added support for incoming fragmented IKE packets to solve iOS6 (iPhone)
problems. This is often the case when large X.509 certificates are used.
Some third-party vendor devices, such as firewalls configured for stateful
packet inspection, do not permit the passthrough of User Datagram Protocol
(UDP) fragments in case they are part of a fragmentation attack. If
fragments are not passed through, Internet Key Exchange (IKE) negotiation
fails because the intended responder for the virtual private network (VPN)
tunnel cannot reconstruct the IKE packet and proceed with establishment
of the tunnel.
This feature provides for the fragmentation of large IKE packets into a series
of smaller IKE packets to avoid fragmentation at the UDP layer.
This feature provides support for Cisco IOS in terms of being a responder in an
IKEv1 main mode exchange.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
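The receiving side described in this commit, as an added illustration that is not part of the commit or of libreswan's own code: a parser and reassembler for the vendor-style (non-RFC) IKEv1 fragment payload, plus a sender-side splitter used only to build constructed test input. The payload layout, the next-payload value 132, the last-fragment flag 0x01 and the buffer cap are assumptions of the example, not values taken from the commit.

```python
import struct
# Assumed layout (vendor draft, not an RFC): ISAKMP header (28 bytes), then a fragment
# payload header with a 16-bit fragment id, an 8-bit 1-based fragment number and flags.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # icookie, rcookie, np, version, exchange, flags, msgid, length
FRAG_HDR = struct.Struct("!BBHHBB")        # np, reserved, length, frag_id, frag_num, flags
FRAG_PAYLOAD, FLAG_LAST = 132, 0x01        # assumed next-payload value and "last fragment" flag
MAX_REASSEMBLED = 16 * 1024                # cap per fragment id so a peer cannot exhaust memory

def parse_fragment(pkt):
    """Return (frag_id, frag_num, is_last, body) or raise ValueError on a malformed fragment."""
    if len(pkt) < ISAKMP_HDR.size + FRAG_HDR.size or pkt[16] != FRAG_PAYLOAD:
        raise ValueError("not a fragment payload")
    _, _, length, frag_id, frag_num, flags = FRAG_HDR.unpack_from(pkt, ISAKMP_HDR.size)
    end = ISAKMP_HDR.size + length
    if length < FRAG_HDR.size or end > len(pkt) or frag_num == 0:
        raise ValueError("bad fragment length or number")
    return frag_id, frag_num, bool(flags & FLAG_LAST), pkt[ISAKMP_HDR.size + FRAG_HDR.size:end]

def reassemble(packets):
    """Rebuild the original IKE message from fragments in any order; None while pieces are missing."""
    pieces, last, fid = {}, None, None
    for pkt in packets:
        frag_id, num, is_last, body = parse_fragment(pkt)
        fid = frag_id if fid is None else fid
        if frag_id != fid or (num in pieces and pieces[num] != body):
            raise ValueError("fragment id mismatch or conflicting duplicate")
        pieces[num] = body
        last = num if is_last else last
        if sum(len(b) for b in pieces.values()) > MAX_REASSEMBLED:
            raise ValueError("reassembly buffer limit exceeded")
    if last is None or any(n not in pieces for n in range(1, last + 1)):
        return None
    whole = b"".join(pieces[n] for n in range(1, last + 1))
    if len(whole) < ISAKMP_HDR.size or ISAKMP_HDR.unpack_from(whole)[7] != len(whole):
        raise ValueError("reassembled length does not match ISAKMP header")
    return whole

def fragment(msg, frag_id, chunk):
    """Sender side: wrap `chunk`-byte slices of a complete IKE message in fragment packets."""
    ic, rc, _, ver, exch, fl, mid, _ = ISAKMP_HDR.unpack_from(msg)
    bodies = [msg[i:i + chunk] for i in range(0, len(msg), chunk)]
    out = []
    for n, body in enumerate(bodies, 1):
        plen = FRAG_HDR.size + len(body)
        hdr = ISAKMP_HDR.pack(ic, rc, FRAG_PAYLOAD, ver, exch, fl, mid, ISAKMP_HDR.size + plen)
        out.append(hdr + FRAG_HDR.pack(0, 0, plen, frag_id, n, FLAG_LAST if n == len(bodies) else 0) + body)
    return out

def sample_message(size=2000):
    # Constructed main-mode style message; the zero body stands in for a large certificate payload.
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 5, 0x10, 2, 0, 0, ISAKMP_HDR.size + size) + b"\x00" * size
```

Each fragment stays below a typical path MTU, so the message crosses a firewall that drops UDP fragments, while the cap and the length check bound what a peer can make the responder buffer.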