IKEv2 fragmentation support in ATP firewalls

dbastas

Hi everyone,

I have a weird problem setting up an IKEv2 VPN on a ATP firewall using a self signed certificate from the same ATP.
Some users from some places can connect to the IKEv2 VPN and some others from other places don't.
All client are using the same Windows build.
I think the problem have to do with the IKEv2 fragmentation on IKE Phase 1.
I captured packets during the creation of the tunnel and saw that the Windows client sent this payload on phase 1
Payload: Notify (41) - IKEV2_FRAGMENTATION_SUPPORTED
but the reply from the ATP did not send this.
So I would like to ask if the ATP firewall supports IKEv2 fragmentation during phase 1 and if so how to enable this functionality.

Zyxel_Tina

Hi @dbastas,

Welcome to Zyxel Community!

Unfortunately, Zyxel ATP firewalls do not support IKEv2 fragmentation.

To help us further investigate and better assist you, we kindly ask:

• Could you share a screenshot where you observed the Notify (41) - IKEV2_FRAGMENTATION_SUPPORTED payload from the Windows client, and the corresponding response from the ATP?

With this additional information, we’ll be in a better position to determine whether the problem is indeed related to IKEv2 fragmentation or if other factors are involved.

We appreciate your cooperation!

PeterUK

I'm not sure why you say you do not support IKEv2 fragmentation?

Here is a IKEv2 by Certificate between between VPN300 and FLEX200

Now on the FLEX200 H I think fragmentation is done by UDP with ports but older Zyxel models do fragmentation without ports which has a problem should between end points fragmentation by no ports are blocked.

dbastas

Hi all,

To clear any misunderstandings, when I say IKEv2 fragmentation I am talking about RFC 7383 (https://datatracker.ietf.org/doc/html/rfc7383)
This screenshot (frame 5) is the IKE_SA_INIT packet from Windows client towards the ATP firewall

This screenshot (frame 6) is firewall's reply to IKE_SA_INIT packet from ATP firewall towards the Windows client

We clearly observe the lack of payload IKEV2_FRAGMENTATION_SUPPORTED from firewall reply

Zyxel_Tina

Hi @dbastas and @PeterUK,

After double checking, our firewall does not support IKEv2 fragmentation. However, this lack of support does not affect the overall VPN functionality. Therefore, it is expected that you do not see the IKEv2_fragmentation_supported notification payload in the packets from the ATP towards the Windows client.

Regarding the Fragmented IP protocol packets captured by @PeterUK, these do not indicate support for fragmentation. For a true indication of IKEv2 fragmentation support, please refer to the information on page 11 of RFC 7383.

dbastas

Hi all,

In fact there is a problem if the VPN server (in this case the ATP firewall) does not support RFC 7383.
In that case some times the windows client connects to the VPN server and some times does not, with the error message 'Error code 809'
During IKEv2 connection establishment, payload sizes may exceed the IP Maximum Transmission Unit (MTU) for the network path between the client and server. This causes the IP packets to be fragmented. However, it is not uncommon for intermediary devices (routers, NAT devices, or firewalls) to block IP fragments. When this occurs, a VPN connection cannot be established.
IKEv2 fragmentation was introduced in Windows 10 1803 and is enabled by default. No client-side configuration is required.
In my case the same laptop with the exact same configuration connects to the IKEv2 VPN from one location but not from another location.