Bug #7005
Closed
IPsec mss clamping not working for mobile clients
100%
Description
It doesn't look like mss-clamping is working on an IPsec mobile client setup.
1) In IPSec -> Advanced Settings -> Enable Maximum MSS.
2) When setting the virtual address pool in "VPN->IPsec->Mobile Clients", the table called "vpn_networks" doesn't get defined (paste from status.php):
#System aliases
loopback = "{ lo0 }"
WAN = "{ igb0 }"
LAN = "{ igb1 }"
IPsec = "{ enc0 }"
#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <negate_networks>
# User Aliases
# Gateways
GWWAN_DHCP = " route-to ( igb0 172.20.19.1 ) "
GWWAN_DHCP6 = " route-to ( igb0 172.20.19.1 ) "
set loginterface igb1
set skip on pfsync0
scrub from any to <vpn_networks> max-mss 1280
scrub from <vpn_networks> to any max-mss 1280
scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble
---------------------------------------------------------
The result is that the scrub rule won't have any effect, since it's just an empty table. This issue is observed on both 2.2.6 and 2.3.2-p1.
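A check for the failure described in this report, as an added example that is not part of the original report or of pfSense's own code: it scans a generated pf ruleset for tables that rules reference but that no `table` line defines, and it generalizes beyond `<vpn_networks>` to any table. The function names are hypothetical and the sample ruleset is constructed from the paste above.

```python
import re

# Constructed sample: a trimmed copy of the ruleset pasted in the report.
SAMPLE_RULES = '''\
#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <negate_networks>
scrub from any to <vpn_networks> max-mss 1280
scrub from <vpn_networks> to any max-mss 1280
scrub on $WAN all fragment reassemble
'''

TABLE_DEF = re.compile(r'^table\s+<([^>]+)>')   # "table <name> ..." definition
TABLE_REF = re.compile(r'<([^>\s]+)>')          # "<name>" used inside a rule


def undefined_table_refs(ruleset):
    """Map each table that rules use but no `table` line defines to its uses."""
    defined, refs = set(), []
    for no, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()     # naive comment strip
        m = TABLE_DEF.match(line)
        if m:
            defined.add(m.group(1))
        else:
            refs.extend((n, no, line) for n in TABLE_REF.findall(line))
    missing = {}
    for name, no, line in refs:                 # checked after the full pass, so
        if name not in defined:                 # definition order does not matter
            missing.setdefault(name, []).append((no, line))
    return missing


def dead_mss_clamps(ruleset):
    """Scrub max-mss rules that reference a table nothing defines."""
    return [(no, line)
            for uses in undefined_table_refs(ruleset).values()
            for no, line in uses
            if line.startswith('scrub') and 'max-mss' in line]


if __name__ == '__main__':
    for no, line in dead_mss_clamps(SAMPLE_RULES):
        print(f'line {no}: table is never defined: {line}')
```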
Updated by Jim Pingle about 8 years ago
- Status changed from New to Confirmed
- Assignee set to Jim Pingle
- Target version set to 2.4.0
- Affected Version changed from 2.2.6 to All
- Affected Architecture All added
- Affected Architecture deleted ()
Confirmed. To me, I have a fix.
Updated by Jim Pingle about 8 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset d4ed1bd9a86a23ff3d4baed97db32eb90cd21947.
Updated by Joe Tiedeman almost 8 years ago
Hi,
You've listed this as resolved in 2.4. What's the current timeframe for the release of 2.4? If it is some way off, what are the chances of this being backported to 2.3?
Many thanks
Joe
Updated by Phillip Davis almost 8 years ago
That was backported to RELENG_2_3 in commit https://github.com/pfsense/pfsense/commit/93ab5b34e4e0b20baaf10fdd52119dd97d29ddad
so it would be fixed in 2.3.3-DEVELOPMENT snapshots.
Updated by Jim Pingle almost 8 years ago
- Target version changed from 2.4.0 to 2.3.3