IKEv2 fragmentation support in ATP firewalls

dbastas
dbastas Posts: 2  Freshman Member

Hi everyone,

I have a weird problem setting up an IKEv2 VPN on an ATP firewall using a self-signed certificate from the same ATP.
Some users from some places can connect to the IKEv2 VPN and some others from other places can't.
All clients are using the same Windows build.
I think the problem has to do with the IKEv2 fragmentation on IKE Phase 1.
I captured packets during the creation of the tunnel and saw that the Windows client sent this payload on phase 1
Payload: Notify (41) - IKEV2_FRAGMENTATION_SUPPORTED
but the reply from the ATP did not send this.
So I would like to ask if the ATP firewall supports IKEv2 fragmentation during phase 1 and if so how to enable this functionality.
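
The check described in this post, as an added example that is neither the poster's code nor Zyxel's: a small Python parser that walks an IKE_SA_INIT request and response and reports whether both peers advertised IKEV2_FRAGMENTATION_SUPPORTED (Notify payload type 41, notify message type 16430 per RFC 7383). The two messages are constructed sample bytes that mirror the situation in the post (client advertises, gateway reply does not); with a real capture you would feed the parser the UDP payloads of the two IKE_SA_INIT packets instead.

```python
"""Does an IKE_SA_INIT pair negotiate IKEv2 fragmentation (RFC 7383)?
Both sides must carry IKEV2_FRAGMENTATION_SUPPORTED. Sample bytes are constructed."""
import struct

IKE_HEADER_LEN = 28            # RFC 7296 section 3.1
IKE_VERSION = 0x20             # major 2, minor 0
EXCH_IKE_SA_INIT = 34
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PAYLOAD_NONE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 0, 40, 41
NOTIFY_NAT_DETECTION_SOURCE_IP = 16388
NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED = 16430   # RFC 7383 section 2.2


def notify_body(notify_type, data=b""):
    """Body of a status Notify payload: protocol ID 0, SPI size 0, no SPI."""
    return struct.pack("!BBH", 0, 0, notify_type) + data


def build_ike_sa_init(spi_i, spi_r, flags, payloads, msg_id=0):
    """Serialise an IKE_SA_INIT message from (payload_type, body) pairs,
    chaining each Next Payload field to the following payload's type."""
    body = b""
    for idx, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack("!8s8sBBBBII", spi_i, spi_r, first, IKE_VERSION,
                         EXCH_IKE_SA_INIT, flags, msg_id, IKE_HEADER_LEN + len(body))
    return header + body


def parse_ike_message(data):
    """Parse the IKE header and walk the payload chain, rejecting messages
    whose length fields disagree with the bytes actually present."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    (spi_i, spi_r, next_payload, version, exch, flags,
     msg_id, length) = struct.unpack("!8s8sBBBBII", data[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(data):
        raise ValueError("header length does not match message size")
    payloads, offset = [], IKE_HEADER_LEN
    while next_payload != PAYLOAD_NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _critical, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append((next_payload, data[offset + 4:offset + plen]))
        next_payload, offset = nxt, offset + plen
    if offset != len(data):
        raise ValueError("trailing bytes after last payload")
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch,
            "flags": flags, "msg_id": msg_id, "payloads": payloads}


def notify_types(msg):
    """Set of Notify Message Types carried by a parsed message."""
    found = set()
    for ptype, body in msg["payloads"]:
        if ptype != PAYLOAD_NOTIFY:
            continue
        if len(body) < 4:
            raise ValueError("short notify payload")
        _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
        found.add(ntype)
    return found


def fragmentation_negotiated(request, response):
    """True only when both IKE_SA_INIT messages advertise fragmentation."""
    req, rsp = parse_ike_message(request), parse_ike_message(response)
    if req["exchange"] != EXCH_IKE_SA_INIT or rsp["exchange"] != EXCH_IKE_SA_INIT:
        raise ValueError("expected an IKE_SA_INIT pair")
    wanted = NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED
    return wanted in notify_types(req) and wanted in notify_types(rsp)


# Constructed sample exchange: the client advertises fragmentation support,
# the gateway answers without that notify (the situation in the post).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
CLIENT_REQUEST = build_ike_sa_init(SPI_I, bytes(8), FLAG_INITIATOR, [
    (PAYLOAD_NONCE, b"\x11" * 32),
    (PAYLOAD_NOTIFY, notify_body(NOTIFY_NAT_DETECTION_SOURCE_IP, b"\xaa" * 20)),
    (PAYLOAD_NOTIFY, notify_body(NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED)),
])
GATEWAY_RESPONSE = build_ike_sa_init(SPI_I, SPI_R, FLAG_RESPONSE, [
    (PAYLOAD_NONCE, b"\x22" * 32),
    (PAYLOAD_NOTIFY, notify_body(NOTIFY_NAT_DETECTION_SOURCE_IP, b"\xbb" * 20)),
])

if __name__ == "__main__":
    print("client notifies:", sorted(notify_types(parse_ike_message(CLIENT_REQUEST))))
    print("gateway notifies:", sorted(notify_types(parse_ike_message(GATEWAY_RESPONSE))))
    print("fragmentation negotiated:", fragmentation_negotiated(CLIENT_REQUEST, GATEWAY_RESPONSE))
```

The point of the strict length checks is that the answer must come from a message whose framing is sound: a capture that was cut short, or a payload chain with a bad length, would otherwise produce a silent false negative on exactly the question being asked.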

All Replies

  • Zyxel_Tina
    Zyxel_Tina Posts: 97  Zyxel Employee

    Hi @dbastas,

    Welcome to Zyxel Community!

    Unfortunately, Zyxel ATP firewalls do not support IKEv2 fragmentation.

    To help us further investigate and better assist you, we kindly ask:

    • Could you share a screenshot where you observed the Notify (41) - IKEV2_FRAGMENTATION_SUPPORTED payload from the Windows client, and the corresponding response from the ATP?

    With this additional information, we’ll be in a better position to determine whether the problem is indeed related to IKEv2 fragmentation or if other factors are involved.

    We appreciate your cooperation!

    Zyxel Tina

  • PeterUK
    PeterUK Posts: 3,907  Guru Member

    I'm not sure why you say you do not support IKEv2 fragmentation?

    Here is an IKEv2 by Certificate between VPN300 and FLEX200

    Screenshot 2025-07-31 121747.png

    Now on the FLEX200 H I think fragmentation is done by UDP with ports, but older Zyxel models do fragmentation without ports, which is a problem should fragments without ports be blocked between the end points.