Missing TFC Traffic Flow Confidentiality support
Got a IPSEC IKEv2 Tunnel up and running where a linux client connects to the pfsense 2.2.2 server. When connecting i got the following message:
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
From the following RFC of an IPsec implementation, TFC should be implemented.
From strongswan doc (ipsec.conf) TFC is defined by:
tfc = <value>
number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The special value %mtu fills up ESP packets with padding to have the size of the MTU.
By looking in freebsd release 10.1 (which is the one pfSense is running) it also looks like TFC should be supported.
So it looks like TFC isn't supported in pfSense or the option is just missing in the webConfigurator even though it should be supported.
Updated by Chris Buechler almost 6 years ago
- Status changed from Feedback to New
- Assignee deleted (
- Target version deleted (
I should have checked if FreeBSD actually had TFC support first. It doesn't, so I commented it out.
The GUI and backend works fine, just a matter of un-commenting it when FreeBSD has support.
Updated by Lars Pedersen almost 4 years ago
Jim Pingle wrote:
The IPsec stack in FreeBSD was overhauled between FreeBSD 10.x and FreeBSD 11.1, so it's possible that the behavior is different now. Needs someone to try it out and see if it works as expected when configured.
Im still receiving an "received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding" to pfsense 2.4.3 with a linux client using strongswan 5.6.1
Updated by Marcos Mendoza 2 months ago
According to https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf this needs to be set on the child configuration.
I tested this on 22.01 and it is still not supported.