Bug #7005

IPsec mss clamping not working for mobile clients

Added by Lars Pedersen 7 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
12/12/2016
Due date:
% Done:

100%

Affected version:
All
Affected Architecture:
All

Description

It doesn't look like MSS clamping is working on an IPsec mobile client setup.

1) In IPSec -> Advanced Settings -> Enable Maximum MSS.

2) When setting the virtual address pool in "VPN->IPsec->Mobile Clients", the table called "vpn_networks" doesn't get defined (paste from status.php):


#System aliases

loopback = "{ lo0 }"
WAN = "{ igb0 }"
LAN = "{ igb1 }"
IPsec = "{ enc0 }"

#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <negate_networks>

# User Aliases
# Gateways
GWWAN_DHCP = " route-to ( igb0 172.20.19.1 ) "
GWWAN_DHCP6 = " route-to ( igb0 172.20.19.1 ) "

set loginterface igb1

set skip on pfsync0

scrub from any to <vpn_networks> max-mss 1280
scrub from <vpn_networks> to any max-mss 1280
scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble
---------------------------------------------------------

The result is that the scrub rule won't have any effect, since it's just an empty table. This issue is observed on both 2.2.6 and 2.3.2-p1.
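The check below is an added example, not part of the original bug report or of pfSense itself: it lints a pf ruleset (here a constructed copy of the table definitions and scrub lines from the report) for scrub rules that reference a table the ruleset never defines, which is exactly why the max-mss clamp in the description matched nothing.

```python
import re
from typing import Dict, List

# Constructed sample: the tables and scrub rules pasted in the report,
# trimmed to the lines relevant to MSS clamping.
SAMPLE_RULES = """\
table <sshlockout> persist
table <bogons> persist file "/etc/bogons"
table <negate_networks>
scrub from any to <vpn_networks> max-mss 1280
scrub from <vpn_networks> to any max-mss 1280
scrub on $WAN all fragment reassemble
"""

TABLE_DEF = re.compile(r'^\s*table\s+<(\w+)>(.*)$')
TABLE_REF = re.compile(r'<(\w+)>')

def defined_tables(rules: str) -> Dict[str, bool]:
    """Map each defined table to whether its definition carries static
    entries (an inline { ... } list or a file "..." source)."""
    tables: Dict[str, bool] = {}
    for line in rules.splitlines():
        m = TABLE_DEF.match(line)
        if m:
            rest = m.group(2)
            tables[m.group(1)] = '{' in rest or 'file' in rest.split()
    return tables

def scrub_table_refs(rules: str) -> Dict[str, List[str]]:
    """Collect scrub rules, grouped by the table each one references."""
    refs: Dict[str, List[str]] = {}
    for line in rules.splitlines():
        if line.strip().startswith('scrub'):
            for name in TABLE_REF.findall(line):
                refs.setdefault(name, []).append(line.strip())
    return refs

def find_ineffective_scrubs(rules: str) -> Dict[str, List[str]]:
    """Return scrub rules whose table is never defined in the ruleset:
    such a rule matches no traffic, so the clamp silently does nothing."""
    tables = defined_tables(rules)
    return {name: lines for name, lines in scrub_table_refs(rules).items()
            if name not in tables}

if __name__ == "__main__":
    for name, lines in find_ineffective_scrubs(SAMPLE_RULES).items():
        print(f"table <{name}> is referenced by scrub but never defined:")
        for rule in lines:
            print("   ", rule)
```

On a live box the same question is answered by `pfctl -t vpn_networks -T show`, which should list the mobile client pool once the fix is in place.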

Associated revisions

Revision d4ed1bd9
Added by Jim Pingle 7 months ago

Ensure that mobile IPsec client addresses are added to vpn_networks. Fixes #7005

Revision 93ab5b34
Added by Jim Pingle 7 months ago

Ensure that mobile IPsec client addresses are added to vpn_networks. Fixes #7005

History

#1 Updated by Jim Pingle 7 months ago

  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle
  • Target version set to 2.4.0
  • Affected version changed from 2.2.6 to All
  • Affected Architecture set to All

Confirmed. To me, I have a fix.

#2 Updated by Jim Pingle 7 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#3 Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved

Works

#4 Updated by Joe Tiedeman 6 months ago

Hi,

You've listed this as resolved in 2.4, what's the current timeframe for the release of 2.4? If it is some way off, what are the chances of this being backported to 2.3?

Many thanks

Joe

#5 Updated by Phillip Davis 6 months ago

That was backported to RELENG_2_3 in commit https://github.com/pfsense/pfsense/commit/93ab5b34e4e0b20baaf10fdd52119dd97d29ddad
so it would be fixed in 2.3.3-DEVELOPMENT snapshots.

#6 Updated by Jim Pingle 5 months ago

  • Target version changed from 2.4.0 to 2.3.3