Feature #4688
open
Missing TFC Traffic Flow Confidentiality support
0%
Description
Got an IPsec IKEv2 tunnel up and running where a Linux client connects to the pfSense 2.2.2 server. When connecting I got the following message:
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
From the following RFC of an IPsec implementation, TFC should be implemented.
https://tools.ietf.org/html/rfc4303#page-17
From the strongSwan doc (ipsec.conf), TFC is defined by:
tfc = <value>
number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The special value %mtu fills up ESP packets with padding to have the size of the MTU.
By looking in FreeBSD release 10.1 (which is the one pfSense is running) it also looks like TFC should be supported.
So it looks like TFC isn't supported in pfSense or the option is just missing in the webConfigurator even though it should be supported.