The Fragmentation of IKE Packets feature provides for the fragmentation of large IKE packets into a series of smaller IKE
packets to avoid fragmentation at the UDP layer (for example, for large certificate payloads or certificate request payloads).
The original IKE packet is checked for size against the minimum possible maximum transmission unit (MTU) size of 576 bytes
and split into a series of smaller fragments. Each fragment is an individual IKE packet that has its own IKE header and is
afforded the same protection as negotiated at the start of the IKE exchange.
A vendor_ID indicates the capability of the initiator to support IKE fragmentation. The Cisco IOS responder, if configured
to support IKE fragmentation, responds with the same vendor_ID, thus acknowledging the capability to support IKE fragmentation
if required.
The vendor_IDs are exchanged in the first two main-mode exchanges so that fragmentation of packets does not occur until at
least the main mode 3 (MM3) exchange.
This feature supports Cisco IOS acting as the responder in an IKE main mode exchange.
After the capabilities have been agreed upon, fragmentation occurs automatically.
If all fragments in a series are not received within the normal course of the IKE exchanges, current IKE retransmission processes
are used to request that information be resent.
Note: If an IKE packet is not greater than 576 bytes in size, the packet is not fragmented.
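The size check, the split into fragments that each carry their own IKE header, and the reassembly with gap detection described above, as an added illustration that is not Cisco's code and does not reproduce the real fragment payload format: the 576-byte threshold and the 28-byte ISAKMP header are taken from the protocol, while the 8-byte fragment sub-header layout, the IP/UDP overhead budget, the `Reassembler` class and the sample packet are assumptions constructed for this example.

```python
import struct

# From the page: an IKE packet larger than the minimum possible MTU of 576 bytes is split.
MIN_MTU = 576
# ISAKMP header: two 8-byte SPIs, next payload, version, exchange type, flags, message ID, length.
IKE_HEADER_LEN = 28
# Assumed transport budget per fragment: IPv4 header (20) + UDP header (8).
IP_UDP_OVERHEAD = 28
# Constructed fragment sub-header (an assumption, not the real Cisco fragment payload):
# fragment ID (2), fragment number (2), last-fragment flag (1), reserved (1), data length (2).
FRAG_HEADER_LEN = 8
FRAG_HDR_FMT = "!HHBBH"
MAX_FRAG_DATA = MIN_MTU - IP_UDP_OVERHEAD - IKE_HEADER_LEN - FRAG_HEADER_LEN  # 512 bytes


def build_sample_packet(body_len: int) -> bytes:
    """Constructed sample: a main-mode IKE packet whose body stands in for a large certificate payload."""
    body = (bytes(range(256)) * (body_len // 256 + 1))[:body_len]
    header = struct.pack("!8s8sBBBBII",
                         b"\x11" * 8,   # initiator SPI (constructed value)
                         b"\x22" * 8,   # responder SPI (constructed value)
                         6,             # next payload: Certificate
                         0x10,          # ISAKMP version 1.0
                         2,             # exchange type: Identity Protection (main mode)
                         0,             # flags
                         0,             # message ID (zero in phase 1)
                         IKE_HEADER_LEN + len(body))
    return header + body


def needs_fragmentation(packet: bytes, mtu: int = MIN_MTU) -> bool:
    """The page's rule: only a packet larger than 576 bytes is fragmented."""
    return len(packet) > mtu


def fragment(packet: bytes, frag_id: int) -> list:
    """Split one IKE packet into fragments; each fragment gets its own IKE header."""
    if not needs_fragmentation(packet):
        return [packet]
    header, body = packet[:IKE_HEADER_LEN], packet[IKE_HEADER_LEN:]
    chunks = [body[i:i + MAX_FRAG_DATA] for i in range(0, len(body), MAX_FRAG_DATA)]
    frags = []
    for num, data in enumerate(chunks, start=1):
        last = 1 if num == len(chunks) else 0
        frag_hdr = struct.pack(FRAG_HDR_FMT, frag_id, num, last, 0, len(data))
        # Reuse the original header fields but rewrite the length for this fragment.
        frag_ike_hdr = header[:24] + struct.pack("!I", IKE_HEADER_LEN + FRAG_HEADER_LEN + len(data))
        frags.append(frag_ike_hdr + frag_hdr + data)
    return frags


class Reassembler:
    """Collects fragments per fragment ID and reports gaps so a retransmission can be requested."""

    def __init__(self):
        self._parts = {}   # frag_id -> {fragment number: data}
        self._last = {}    # frag_id -> number of the last fragment, once it has arrived
        self._hdr = {}     # frag_id -> first 24 bytes of the original IKE header

    def add(self, frag: bytes):
        """Store one fragment; return the reassembled packet when the series is complete, else None."""
        if len(frag) < IKE_HEADER_LEN + FRAG_HEADER_LEN:
            raise ValueError("fragment too short")
        frag_id, num, last, _, dlen = struct.unpack(
            FRAG_HDR_FMT, frag[IKE_HEADER_LEN:IKE_HEADER_LEN + FRAG_HEADER_LEN])
        data = frag[IKE_HEADER_LEN + FRAG_HEADER_LEN:]
        if num == 0 or len(data) != dlen or dlen > MAX_FRAG_DATA:
            raise ValueError("malformed fragment")
        self._hdr.setdefault(frag_id, frag[:24])
        self._parts.setdefault(frag_id, {})[num] = data
        if last:
            self._last[frag_id] = num
        if frag_id in self._last and not self.missing(frag_id):
            body = b"".join(self._parts[frag_id][n] for n in range(1, self._last[frag_id] + 1))
            packet = self._hdr.pop(frag_id) + struct.pack("!I", IKE_HEADER_LEN + len(body)) + body
            del self._parts[frag_id], self._last[frag_id]
            return packet
        return None

    def missing(self, frag_id: int) -> list:
        """Fragment numbers not yet received, up to the last fragment if known, else the highest seen."""
        have = self._parts.get(frag_id, {})
        top = self._last.get(frag_id, max(have, default=0))
        return [n for n in range(1, top + 1) if n not in have]


if __name__ == "__main__":
    original = build_sample_packet(1500)
    pieces = fragment(original, frag_id=1)
    r = Reassembler()
    r.add(pieces[0]); r.add(pieces[2])
    print("missing after two fragments:", r.missing(1))
    print("round trip ok:", r.add(pieces[1]) == original)
```

The `missing` list is what a retransmission request would be built from: the responder knows which numbers are absent only after the last fragment arrives or a higher-numbered fragment reveals a gap, which is why the page falls back on the normal IKE retransmission timers rather than a per-fragment acknowledgement.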
This feature is supported for IKE via port 500, IKE via port 4500 (NAT-T), and TCP wrappers.
The feature is enabled on the router in global configuration mode; once enabled, every incoming IKE connection
request is a candidate for fragmentation.