Project

General

Profile

Actions

Bug #7005

closed

IPsec mss clamping not working for mobile clients

Added by Lars Pedersen almost 8 years ago. Updated almost 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
12/12/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

Doesn't look that mss-clamping is working on a IPsec mobile client setup.

1) In IPSec -> Advanced Settings -> Enable Maximum MSS.

2) When setting the virtual address pool in "VPN->IPsec->Mobile Clients", the table called "vpn_networks" doesn't get defined (paste from status.php):


#System aliases

loopback = "{ lo0 }"
WAN = "{ igb0 }"
LAN = "{ igb1 }"
IPsec = "{ enc0 }"

#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <negate_networks>

  1. User Aliases
  1. Gateways
    GWWAN_DHCP = " route-to ( igb0 172.20.19.1 ) "
    GWWAN_DHCP6 = " route-to ( igb0 172.20.19.1 ) "

set loginterface igb1

set skip on pfsync0

scrub from any to <vpn_networks> max-mss 1280
scrub from <vpn_networks> to any max-mss 1280
scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble
---------------------------------------------------------

The result is that the scrub rule wont have any effect, since its just an empty table. This issue is observed on both 2.2.6 and 2.3.2-p1.

Actions #1

Updated by Jim Pingle almost 8 years ago

  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle
  • Target version set to 2.4.0
  • Affected Version changed from 2.2.6 to All
  • Affected Architecture All added
  • Affected Architecture deleted ()

Confirmed. To me, I have a fix.

Actions #2

Updated by Jim Pingle almost 8 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to Resolved

Works

Actions #4

Updated by Joe Tiedeman almost 8 years ago

Hi,

You've listed this as resolved in 2.4, what's the current timeframe for the release of 2.4? If it is some way off, what are the chances of this being backported to 2.3?

Many thanks

Joe

Actions #5

Updated by Phillip Davis almost 8 years ago

That was backported to RELENG_2_3 in commit https://github.com/pfsense/pfsense/commit/93ab5b34e4e0b20baaf10fdd52119dd97d29ddad
so it would be fixed in 2.3.3-DEVELOPMENT snapshots.

Actions #6

Updated by Jim Pingle almost 8 years ago

  • Target version changed from 2.4.0 to 2.3.3
Actions

Also available in: Atom PDF