IKE (IKE_AUTH) message fragmentation

The AIX® operating system supports fragmentation of IKE (IKE_AUTH) messages with Version 2 (IKEv2).

Note: The AIX operating system does not support IKE (IKE_AUTH) message fragmentation with IKE Version 1 (IKEv1).

IKEv2 exchanges IKE messages over User Datagram Protocol (UDP). Most IKE (IKE_AUTH) messages are small. If you use IKE certificates, the IKE_AUTH message can become large enough to exceed the maximum transmission unit (MTU) of the path, and the IP layer then fragments it. Some routers block IP fragments and drop them from the queue, which prevents the IP Security (IPsec) tunnel from being established.

In the AIX operating system, the IPsec tunnel fragments large IKE (IKE_AUTH) messages at the IKE layer when the IKE_FRAGMENTATION parameter is enabled in the /etc/isakmpd.conf file. IKEv2 fragmentation is implemented as described in RFC 7383.

To enable IKE (IKE_AUTH) message fragmentation, set the IKE_FRAGMENTATION parameter in the /etc/isakmpd.conf file.
IKE_FRAGMENTATION = YES or NO (default NO)
If you set the IKE_FRAGMENTATION parameter to YES on both the local and the remote node, the IKE messages are fragmented. If you set the IKE_FRAGMENTATION parameter to NO on either node (local or remote), the AIX operating system does not fragment IKE (IKE_AUTH) messages and neither sends nor accepts fragmented IKE (IKE_AUTH) messages.
Note: For IPv4, if you set the IKE_FRAGMENTATION parameter to YES, each fragment of the IKE_AUTH message is at most 576 bytes. For IPv6, if you set the IKE_FRAGMENTATION parameter to YES, each fragment of the IKE (IKE_AUTH) message is at most 1280 bytes.
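The following is an added example, not AIX code and not the isakmpd implementation, that shows the framing RFC 7383 uses when the IKE layer splits an IKE_AUTH message: the plaintext is cut into chunks, each chunk is wrapped in an Encrypted Fragment (SKF, payload type 53) payload carrying a Fragment Number / Total Fragments pair, and each fragment becomes its own IKE message that must fit the 576 (IPv4) or 1280 (IPv6) byte limit stated above. It is stripped down to the parts that matter for fragmentation: the per-fragment cipher is omitted (the content is left in the clear), the integrity checksum is an HMAC-SHA2-256-128 over each fragment message, and the 576/1280 limits are applied to the IKE message itself (the IP and UDP headers would shrink the budget further in practice). The key, SPIs, message ID and sample payload are constructed values; the receiver side rejects tampered, duplicated and incomplete fragment sets, which is what a defender wants to see before allowing fragments through.

```python
"""RFC 7383-style IKEv2 fragmentation: framing and reassembly only (added example)."""
import hashlib
import hmac
import os
import struct

IKE_HEADER_LEN = 28        # RFC 7296 IKE header
SKF_PAYLOAD_TYPE = 53      # Encrypted Fragment payload (RFC 7383)
EXCH_IKE_AUTH = 35
SKF_HDR_LEN = 8            # Next Payload, C/Reserved, Length, Frag Number, Total Frags
IV_LEN = 16                # constructed: 16-byte IV per fragment
ICD_LEN = 16               # constructed: HMAC-SHA2-256 truncated to 128 bits
# Limits from the page text, applied here to the IKE fragment message itself
FRAGMENT_MSG_LIMIT = {4: 576, 6: 1280}
PER_FRAGMENT_OVERHEAD = IKE_HEADER_LEN + SKF_HDR_LEN + IV_LEN + 1 + ICD_LEN


def _ike_header(spi_i, spi_r, msg_id, flags, length):
    # version 2.0 (0x20), next payload = SKF, exchange type = IKE_AUTH
    return struct.pack("!8s8sBBBBII", spi_i, spi_r, SKF_PAYLOAD_TYPE, 0x20,
                       EXCH_IKE_AUTH, flags, msg_id, length)


def fragment_ike_auth(plaintext, first_payload_type, key, spi_i, spi_r,
                      msg_id, flags=0x08, ip_version=4):
    """Split the plaintext of an IKE_AUTH message into SKF fragment messages."""
    chunk = FRAGMENT_MSG_LIMIT[ip_version] - PER_FRAGMENT_OVERHEAD
    chunks = [plaintext[i:i + chunk] for i in range(0, len(plaintext), chunk)] or [b""]
    total = len(chunks)
    if total > 0xFFFF:
        raise ValueError("too many fragments for a 16-bit Total Fragments field")
    messages = []
    for number, content in enumerate(chunks, start=1):
        # Only the first fragment carries the type of the first inner payload
        next_payload = first_payload_type if number == 1 else 0
        iv = os.urandom(IV_LEN)
        pad_len = 0  # no block alignment needed since encryption is omitted here
        payload_len = SKF_HDR_LEN + IV_LEN + len(content) + 1 + ICD_LEN
        skf = (struct.pack("!BBHHH", next_payload, 0, payload_len, number, total)
               + iv + content + bytes([pad_len]))
        header = _ike_header(spi_i, spi_r, msg_id, flags, IKE_HEADER_LEN + payload_len)
        icd = hmac.new(key, header + skf, hashlib.sha256).digest()[:ICD_LEN]
        messages.append(header + skf + icd)
    return messages


def parse_fragment(msg, key):
    """Validate one fragment message and return its SKF fields and content."""
    if len(msg) < PER_FRAGMENT_OVERHEAD:
        raise ValueError("message too short for a fragment")
    (_, _, next_payload, _, _, _, msg_id, length) = struct.unpack(
        "!8s8sBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg) or next_payload != SKF_PAYLOAD_TYPE:
        raise ValueError("not a fragment message")
    # Verify the checksum before trusting any SKF field
    expected = hmac.new(key, msg[:-ICD_LEN], hashlib.sha256).digest()[:ICD_LEN]
    if not hmac.compare_digest(expected, msg[-ICD_LEN:]):
        raise ValueError("integrity check failed")
    inner_np, _, payload_len, number, total = struct.unpack(
        "!BBHHH", msg[IKE_HEADER_LEN:IKE_HEADER_LEN + SKF_HDR_LEN])
    if payload_len != length - IKE_HEADER_LEN:
        raise ValueError("payload length mismatch")
    if number == 0 or total == 0 or number > total:
        raise ValueError("invalid fragment numbering")
    pad_len = msg[-ICD_LEN - 1]
    start = IKE_HEADER_LEN + SKF_HDR_LEN + IV_LEN
    content = msg[start:len(msg) - ICD_LEN - 1 - pad_len]
    return {"msg_id": msg_id, "number": number, "total": total,
            "next_payload": inner_np, "content": content}


def reassemble(fragments, key):
    """Rebuild (first_payload_type, plaintext) from a complete set of fragments."""
    parsed = [parse_fragment(f, key) for f in fragments]
    if len({p["msg_id"] for p in parsed}) != 1 or len({p["total"] for p in parsed}) != 1:
        raise ValueError("fragments belong to different messages")
    total = parsed[0]["total"]
    by_number = {}
    for p in parsed:
        if p["number"] in by_number:
            raise ValueError("duplicate fragment %d" % p["number"])
        by_number[p["number"]] = p
    missing = sorted(set(range(1, total + 1)) - set(by_number))
    if missing:
        raise ValueError("missing fragments %s" % missing)
    plaintext = b"".join(by_number[n]["content"] for n in range(1, total + 1))
    return by_number[1]["next_payload"], plaintext


if __name__ == "__main__":
    key = b"\x11" * 32                      # constructed integrity key
    big_auth = bytes(range(256)) * 8        # constructed 2048-byte IKE_AUTH plaintext
    frags = fragment_ike_auth(big_auth, 35, key, b"A" * 8, b"B" * 8, msg_id=1)
    print(len(frags), "fragments, largest", max(len(f) for f in frags), "bytes")
    print(reassemble(frags, key)[1] == big_auth)
```

The receiver verifies the checksum before it reads the fragment numbering, so a forged Total Fragments value cannot steer reassembly, and a fragment set with a gap or a duplicate is rejected rather than joined.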