Avoiding IP fragmentation with IKEv1 Machine Certificate Authentication
When you set up an L2TP/IPsec connection from a Windows 7 (or Vista) client to a Windows 2008 R2 RRAS server and use Machine Certificate Authentication, then the IPsec main mode messages 5 & 6 containing the certificates will very likely be fragmented by the TCP/IP stack, simply because the messages are just too big for one IP packet.
On the other hand, the client and server report in main mode messages 1 & 2 the capability "VendorID: FRAGMENTATION". The goal of that capability is to fragment the message at the IKE application level to avoid fragmentation at the IP level. So far so good.
We've seen that some older sharing/NAT devices don't like IP fragments very much, with the result that the IPsec main mode negotiation fails at the authentication phase. Now, to avoid such problems you can enforce at the RRAS server fragmentation at the IKE application level by enabling the setting "Enable fragmentation checking" on the public-facing interface. Apparently the RRAS server will then ignore any IP fragments and never send IP fragments itself. The result is that the client will first try to send main mode message 5 by fragmenting it at the IP level and, when no timely response is received, switch over to fragmentation at the IKE application level.
The downside of this approach is that we have to wait a number of seconds (I've seen 3 - 5 seconds) before that will happen. The obvious question is therefore: how can we enforce on the Windows 7 and Vista client the use of fragmentation at the IKE application level too?
Best Regards,
Stefaan
May 1st, 2011 9:23am
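To see which of the two behaviours described above a capture actually shows, it helps to classify each IKE (UDP/500) packet as an IP-level fragment, an IKE-level fragment, or a whole message. The following Python script is an added example and is not code from the original post or from Microsoft; the sample packets are constructed inline, the IPv4/UDP/ISAKMP headers are built from the public header layouts, and ISAKMP payload type 132 is assumed to be the proprietary IKEv1 fragmentation payload (the one Wireshark decodes as "Fragment"). `would_fragment` also shows the size arithmetic behind the original problem: a certificate-bearing main mode message plus 28 bytes of IP/UDP header has to fit inside the path MTU or the stack will fragment it.

```python
"""Classify IKEv1 (UDP/500) packets as IP fragments, IKE-level fragments,
or whole messages, and check whether a message size forces IP fragmentation.
Added example; sample packets are constructed, not taken from a real capture."""
import struct

IKE_PORT = 500
IP_HDR_LEN = 20          # IPv4 header without options
UDP_HDR_LEN = 8
ISAKMP_HDR_LEN = 28      # two 8-byte SPIs + 12 bytes of fixed fields
FRAG_PAYLOAD = 132       # assumed: Microsoft/Cisco IKEv1 "Fragment" payload type
CERT_PAYLOAD = 6         # ISAKMP Certificate payload
SA_PAYLOAD = 1           # ISAKMP Security Association payload
MAIN_MODE = 2            # exchange type: Identity Protection (main mode)


def build_ipv4(payload: bytes, more_fragments: bool = False,
               frag_offset: int = 0, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 header (protocol UDP, no options, zero checksum) for test packets."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                      flags_frag, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return hdr + payload


def build_udp(payload: bytes, sport: int = IKE_PORT, dport: int = IKE_PORT) -> bytes:
    return struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload


def build_isakmp(next_payload: int, body: bytes, exchange: int = MAIN_MODE) -> bytes:
    """ISAKMP header: initiator/responder SPI, next payload, version 1.0,
    exchange type, flags, message id, total length."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, next_payload,
                       0x10, exchange, 0, 0, ISAKMP_HDR_LEN + len(body)) + body


def classify(packet: bytes) -> str:
    """Return 'not-ipv4', 'not-ike', 'ip-fragment-first', 'ip-fragment-cont',
    'ike-app-fragment' or 'ike-whole' for one raw IPv4 packet."""
    if len(packet) < IP_HDR_LEN or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    if packet[9] != 17:
        return "not-ike"
    more = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    if offset != 0:
        # Continuation fragments carry no UDP header, so the port is invisible;
        # this is exactly why fragment-unaware NAT devices mishandle them.
        return "ip-fragment-cont"
    l4 = packet[ihl:]
    if len(l4) < UDP_HDR_LEN:
        return "not-ike"
    sport, dport = struct.unpack_from("!HH", l4, 0)
    if IKE_PORT not in (sport, dport):
        return "not-ike"
    if more:
        return "ip-fragment-first"
    isakmp = l4[UDP_HDR_LEN:]
    if len(isakmp) < ISAKMP_HDR_LEN:
        return "not-ike"
    next_payload = isakmp[16]
    return "ike-app-fragment" if next_payload == FRAG_PAYLOAD else "ike-whole"


def would_fragment(isakmp_len: int, mtu: int = 1500) -> bool:
    """True if an IKE message of this size cannot travel in one IP packet at this MTU."""
    return IP_HDR_LEN + UDP_HDR_LEN + isakmp_len > mtu


def summarize(packets) -> dict:
    """Count packet classes; any 'ip-fragment-*' entry means the stack fragmented IKE."""
    counts = {}
    for p in packets:
        kind = classify(p)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample capture: an oversized certificate message split into two
# IP fragments, then an IKE-level fragment, then a small whole message.
_big_cert_msg = build_udp(build_isakmp(CERT_PAYLOAD, b"\x00" * 2000))
SAMPLE = [
    build_ipv4(_big_cert_msg[:1480], more_fragments=True),
    build_ipv4(_big_cert_msg[1480:], frag_offset=1480),
    build_ipv4(build_udp(build_isakmp(FRAG_PAYLOAD, b"\x00" * 500))),
    build_ipv4(build_udp(build_isakmp(SA_PAYLOAD, b"\x00" * 100))),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it against a real capture means feeding `classify` the raw IPv4 bytes of each frame; a summary that contains `ip-fragment-first` or `ip-fragment-cont` for port 500 traffic shows the client is still fragmenting at the IP level, while `ike-app-fragment` entries show the "FRAGMENTATION" capability actually being used.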
Hi Leo,
hmm... the question is: how can we enforce on the Windows 7 and Vista client the use of fragmentation at the IKE application level too? I agree it has a relationship with the RRAS server, but there we can at least apply the setting "Enable fragmentation checking" on the public-facing interface.
Best Regards,
Stefaan
May 2nd, 2011 5:57am
Hi Stefaan,
Based on my research, Windows 7 does not have a function to enforce the use of fragmentation at the IKE application level.
I also checked on the server; the result is the same as yours: there is only an option "enable fragmentation checking".
Thank you for your understanding.
Regards,
Leo Huang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 2nd, 2011 6:59am
Hi,
I notice our senior engineer has replied on
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/022133fe-9e04-42ea-a1b9-c3ad09936203/
Please kindly focus on that thread and I hope that helps.
Regards,
Leo Huang
May 11th, 2011 7:28am