Support for IKEv2 Fragmentation (RFC 7383)

There are few threads with people saying that they cannot establish an IPSec VPN connection no matter what, including me (see last posts here). After doing a bit of debugging of the traffic, I found that the problem is IP fragmentation. More specifically the first IKE_AUTH response is a UDP packet >1500 bytes (most likely contains the server’s certificate) and gets fragmented in 2 but I only get the last fragment. As a result, RouterOS can’t reassemble the packet and tries again sending the authentication request until the max retries is reached and is restarting the process (every about 24 seconds)

wireshark log on a successful connection:

107 3.248516    <mt_public_ip>  <vpn_server_ip> ISAKMP  458 IKE_AUTH MID=01 Initiator Request
114 3.330866    <vpn_server_ip> <mt_public_ip>  IPv4    1514    Fragmented IP protocol (proto=UDP 17, off=0, ID=69b3) [Reassembled in #115]
115 3.331053    <vpn_server_ip> <mt_public_ip>  IKE_AUTH MID=01 Responder Response

wireshark log on a failed connection attempt:

31  3.934743    <mt_public_ip>  <vpn_server_ip> ISAKMP  522 IKE_AUTH MID=01 Initiator Request
32  4.059967    <vpn_server_ip> <mt_public_ip>  IPv4    1506    Fragmented IP protocol (proto=UDP 17, off=1480, ID=36c7)
39  8.930363    <mt_public_ip>  <vpn_server_ip> ISAKMP  522 IKE_AUTH MID=01 Initiator Request
40  9.054702    <vpn_server_ip> <mt_public_ip>  IPv4    1506    Fragmented IP protocol (proto=UDP 17, off=1480, ID=38d1)

My conclusion is that the UDP fragment gets dropped from my ISP, since the same mikrotik router with the same configuration is able to establish a connection on another internet provider. Then the question is why my other devices connected to the same mikrotik (laptop, phone, etc) are able to establish an IKEv2 connection with my ISP provider? The only difference that I see in the logs is an additional payload sent by in the IKE_SA_INIT request named “IKEV2_FRAGMENTATION_SUPPORTED” which is an addon to the protocol to solve exactly the issue with IP fragmentation (RFC 7383).

wireshark log on a successful connection from my laptop:

81  4.689065    <laptop_private_ip>  <vpn_server_ip> ISAKMP  558 IKE_AUTH MID=01 Initiator Request
82  4.823807    <vpn_server_ip> <laptop_private_ip>  ISAKMP  1282    IKE_AUTH MID=01 Responder Response (fragment 1/3)
83  4.823810    <vpn_server_ip> <laptop_private_ip>  ISAKMP  1282    IKE_AUTH MID=01 Responder Response (fragment 2/3)
84  4.823811    <vpn_server_ip> <laptop_private_ip>  ISAKMP  658 IKE_AUTH MID=01 Responder Response (fragment 3/3)

Does RouterOS support this IKEv2 Fragmentation extension? If so how to enable it? And if not, is there anywhere in the roadmap?

+1 for this issue!
I have the same problem. One of my uplinks of a particular ipsec endpoint have a ip-fragments filter enabled and I use certificate authorization scheme that just doesn’t work there =(
strongswan and other black-box vendors have kind a “fragmentation=yes” that can split long IKE messages according to the MTU of outgoung interface. Are there any plans to implement this feature in ROS?

Same issue. Disgusting multiple NAT on satellite internet access, error 809 on windows clients (IKEv2 + RSA certificates)…
Can’t change provider, and experiments with MTU on client interfaces is very dangerous/impossible (they are 1500km away with sat access, so… :)) and i doubt it will help.
We can only hope that feature will be in ROS7, i think.

For the meantime, use EC certificates rather than RSA ones. They fit into a single packet. Currently they are not supported by SCEP, though.

Some progress…
Release 6.48beta48

*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);

I just hit the IKEv2 fragmentation issue running 6.47.8 on my vpn server. Using StrongSwan client on Android, but only with one particular mobile operator (3 UK).

Happy to say that switching to 6.48beta58 (with RFC7383 support) solved the problem for me.

Where can I enable fragmentation? Is there options for this or it is just implemented in the OS as default?

Thanks