Project

General

Profile

Actions
Copy link

Feature #4688

open

Missing TFC Traffic Flow Confidentiality support

Added by Lars Pedersen over 9 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
05/08/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Got a IPSEC IKEv2 Tunnel up and running where a linux client connects to the pfsense 2.2.2 server. When connecting i got the following message:

received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

From the following RFC of an IPsec implementation, TFC should be implemented.

https://tools.ietf.org/html/rfc4303#page-17

From strongswan doc (ipsec.conf) TFC is defined by:

tfc = <value>

number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The special value %mtu fills up ESP packets with padding to have the size of the MTU.

By looking in freebsd release 10.1 (which is the one pfSense is running) it also looks like TFC should be supported.

https://www.freebsd.org/cgi/man.cgi?query=ipsec.conf&apropos=0&sektion=5&manpath=FreeBSD+Ports+10.1-RELEASE&arch=default&format=html

So it looks like TFC isn't supported in pfSense or the option is just missing in the webConfigurator even though it should be supported.

Actions
Copy link
 #1

Updated by Chris Buechler almost 9 years ago

  • Category set to IPsec
  • Assignee set to Chris Buechler
  • Priority changed from High to Normal
  • Target version set to 2.3

this should be a quick add and would be good to support, I'll take it.

Actions
Copy link
 #2

Updated by Chris Buechler almost 9 years ago

  • Status changed from New to Feedback

committed, needs testing beyond verifying the ipsec.conf is correct.

Actions
Copy link
 #3

Updated by Chris Buechler almost 9 years ago

  • Status changed from Feedback to New
  • Assignee deleted (Chris Buechler)
  • Target version deleted (2.3)

I should have checked if FreeBSD actually had TFC support first. It doesn't, so I commented it out.

The GUI and backend works fine, just a matter of un-commenting it when FreeBSD has support.

Actions
Copy link
 #4

Updated by Sean McBride over 6 years ago

Did FreeBSD get TFC support in the last 2 years?

Actions
Copy link
 #5

Updated by Jim Pingle over 6 years ago

The IPsec stack in FreeBSD was overhauled between FreeBSD 10.x and FreeBSD 11.1, so it's possible that the behavior is different now. Needs someone to try it out and see if it works as expected when configured.

Actions
Copy link
 #6

Updated by Lars Pedersen over 6 years ago

Jim Pingle wrote:

The IPsec stack in FreeBSD was overhauled between FreeBSD 10.x and FreeBSD 11.1, so it's possible that the behavior is different now. Needs someone to try it out and see if it works as expected when configured.

Im still receiving an "received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding" to pfsense 2.4.3 with a linux client using strongswan 5.6.1

Actions
Copy link
 #7

Updated by Marcos M about 3 years ago

Note:
According to https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf this needs to be set on the child configuration.

I tested this on 22.01 and it is still not supported.

Actions
Copy link

Also available in: Atom PDF