Effective with the IKE Fragmentation adhering to RFC feature, support for the IETF standard fragmentation method is added
to the IKE_SA_INIT message as a Notify payload, while the Cisco proprietary fragmentation method continues to be indicated using
the Vendor ID payload in the same IKE_SA_INIT message. When fragmentation is enabled, support for both methods is displayed
as appropriate in the output of the show crypto ikev2 sa detail command. The maximum transmission unit (MTU) is configured locally and is not negotiated or exchanged in the messages.
After the INIT exchange, the peers in a network configured with either method know which authentication method
must be used and whether the AUTH message can be fragmented.
The following is sample output from a device with debugging enabled,
showing capability negotiation in the INIT request message.
*Oct 14 08:45:24.732: IKEv2:(SESSION ID = 0,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 524
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 144
…
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) Next payload: VID, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
VID Next payload: NONE, reserved: 0x0, length: 20
In the above output, the INIT request contains the initiator's message to
a responder indicating support for both the IETF standard fragmentation method and
the Cisco proprietary fragmentation method, through the
IKEV2_FRAGMENTATION_SUPPORTED notify and the VID payload in the message.
The following is sample output from a device with debugging enabled,
showing capability negotiation in the INIT response message.
*Oct 14 08:45:24.732: IKEv2:(SESSION ID = 0,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 524
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 144
last proposal: 0x0, reserved: 0x0, length: 140
…
NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) Next payload: VID, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED <-------- Response, supporting both
VID Next payload: NONE, reserved: 0x0, length: 20 <-------- Response, supporting both
In the above output, the INIT response contains the responder's
message to the initiator indicating support for both the IETF standard
fragmentation method and the Cisco proprietary fragmentation method, through the
IKEV2_FRAGMENTATION_SUPPORTED notify and the VID payload in the message.
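To make the capability negotiation shown in both debug outputs above concrete, the following added example (not Cisco code and not part of the original page) walks an IKEv2 payload chain and reports whether the IKEV2_FRAGMENTATION_SUPPORTED notify (type 16430, RFC 7383) and a Vendor ID payload are present, which is what the two samples illustrate. The sample payload chain, the 20-byte NAT-detection hash, and the Vendor ID bytes are constructed placeholders; the real Cisco Vendor ID value is not on the page and is not reproduced here.

```python
import struct

# IKEv2 payload types (RFC 7296) and notify message types (IANA registry).
PAYLOAD_SA, PAYLOAD_NOTIFY, PAYLOAD_VID, NO_NEXT_PAYLOAD = 33, 41, 43, 0
NOTIFY_NAT_DETECTION_DESTINATION_IP = 16389
NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED = 16430  # RFC 7383

def iter_payloads(first_type, body):
    """Walk the payload chain: generic header = next(1) flags(1) length(2, incl. header)."""
    ptype, offset = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if offset + 4 > len(body):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_type, _flags, length = struct.unpack("!BBH", body[offset:offset + 4])
        if length < 4 or offset + length > len(body):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        yield ptype, body[offset + 4:offset + length]
        ptype, offset = next_type, offset + length

def fragmentation_capabilities(first_type, body):
    """Report how IKE_SA_INIT signalled fragmentation support: NOTIFY type
    IKEV2_FRAGMENTATION_SUPPORTED (IETF) and/or a Vendor ID payload (Cisco proprietary, per the text above)."""
    caps = {"ietf_notify": False, "vendor_id": False, "notify_types": []}
    for ptype, data in iter_payloads(first_type, body):
        if ptype == PAYLOAD_NOTIFY:
            if len(data) < 4:
                raise ValueError("short notify payload")
            _proto, spi_size, ntype = struct.unpack("!BBH", data[:4])
            caps["notify_types"].append(ntype)
            if ntype == NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED and spi_size == 0:
                caps["ietf_notify"] = True
        elif ptype == PAYLOAD_VID:
            caps["vendor_id"] = True
    return caps

def _payload(next_type, data):
    # Encode one generic payload header followed by its data.
    return struct.pack("!BBH", next_type, 0, 4 + len(data)) + data

def _notify(next_type, ntype, data=b""):
    # protocol id 0, SPI size 0 (no SPI), matching the debug output above
    return _payload(next_type, struct.pack("!BBH", 0, 0, ntype) + data)

# Constructed IKE_SA_INIT payload chain (no real crypto): SA -> N(NAT_D_DST) -> N(FRAG) -> VID.
SAMPLE_FIRST_PAYLOAD = PAYLOAD_SA  # the IKE header's next-payload field
SAMPLE_BODY = (
    _payload(PAYLOAD_NOTIFY, b"\x00" * 8)                        # stand-in SA payload body
    + _notify(PAYLOAD_NOTIFY, NOTIFY_NAT_DETECTION_DESTINATION_IP, b"\x11" * 20)
    + _notify(PAYLOAD_VID, NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED)  # length 8, as on the page
    + _payload(NO_NEXT_PAYLOAD, b"\xaa" * 16)                     # placeholder VID, length 20
)
```

Running `fragmentation_capabilities(SAMPLE_FIRST_PAYLOAD, SAMPLE_BODY)` reports both the IETF notify and a Vendor ID payload, the same combination the two debug outputs above show; a peer that omits either shows up as False for that method.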