Support IKEv2 fragmentation via UI

[snowsnoot]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• [Y] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• [Y] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is including your motivation for the request,
i.e. "For the purpose of [...] I am missing a solution that will [...]."

Opnsense currently uses Strongswan as it's IKEv2 VPN provider, which supports the IKEv2 fragmentation feature (RFC 7383) via the 'fragmentation = yes' configuration directive in swanctl.conf, however this is not implemented in the UI. IKEv2 fragmentation is an important feature to overcome MTU issues caused by additional ESP encapsulation overheads when using IPSec.

Describe the solution you like

A clear and concise description of what you want to happen.
(e.g. I would like an input field in the /ui/firewall/alias which would add .... to ....)

Implement the Strongswan IKEv2 fragmentation feature in the UI. Currently fragmentation is working if we add "fragmentation = yes" to the connection properties in /usr/local/etc/swanctl/swanctl.conf but it is overwritten on upgrade and if the connection properties are changed from the UI.

Describe alternatives you considered

A clear and concise description of any alternative solutions or features you considered.

Manual configuration, via cronjob etc to keep the configuration persistent.

Additional context

Add any other context or screenshots about the feature request here or links to relevant forum thread or similar

[AdSchellevis]

you are aware the default is "yes"? (https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html)

[snowsnoot]

Actually no, I was not aware, so thanks for pointing this out. However, a) it does not work for me unless explicitly enabled (perhaps an upstream issue?) and b) it may still be beneficial to be able to toggle the feature on/off depending on the use case?

[AdSchellevis]

I'm not sure it's worth the effort as I have never heard anyone asking to disable it. when it's an upstream issue, best check the bug tracker at strongswan.

[snowsnoot]

Is there any workaround possible from an Opnsense perspective to have this configuration made persistent?

[AdSchellevis]

manually define a configuration (see our documentation for details)? I highly doubt the defaults are not being persisted, but as said, upstream bugs are best searched upstream.

[snowsnoot]

Agreed that upstream issues are better handled.. upstream. This is a feature request issue, if you don't want to implement it, then feel free to close the issue.

[AdSchellevis]

My point is, the feature already exists, it's enabled by default, which was the request, which makes it likely there is another issue (in which case implementation is rather pointless).

[snowsnoot]

Perhaps my request wasn't clear. Now that I know this feature is enabled by default, as I mentioned above, the feature request would be to enable toggling of the fragmentation on or off. Even though it is enabled by default, it may be beneficial to turn it off depending on the use case.

[OPNsense-bot]

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.