Project

General

Profile

Actions

Bug #7005

closed

IPsec mss clamping not working for mobile clients

Added by Lars Pedersen almost 8 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
12/12/2016
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

Doesn't look that mss-clamping is working on a IPsec mobile client setup.

1) In IPSec -> Advanced Settings -> Enable Maximum MSS.

2) When setting the virtual address pool in "VPN->IPsec->Mobile Clients", the table called "vpn_networks" doesn't get defined (paste from status.php):


#System aliases

loopback = "{ lo0 }"
WAN = "{ igb0 }"
LAN = "{ igb1 }"
IPsec = "{ enc0 }"

#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
table <negate_networks>

  1. User Aliases
  1. Gateways
    GWWAN_DHCP = " route-to ( igb0 172.20.19.1 ) "
    GWWAN_DHCP6 = " route-to ( igb0 172.20.19.1 ) "

set loginterface igb1

set skip on pfsync0

scrub from any to <vpn_networks> max-mss 1280
scrub from <vpn_networks> to any max-mss 1280
scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble
---------------------------------------------------------

The result is that the scrub rule wont have any effect, since its just an empty table. This issue is observed on both 2.2.6 and 2.3.2-p1.

Actions

Also available in: Atom PDF