Bug #7837

closed

fragmented packets not reassembled over IPSec tunnel

Added by Florian Apolloner about 7 years ago. Updated over 5 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
09/03/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.4_1
Affected Architecture:
amd64

Description

I am trying to ping a machine over an IPsec tunnel:

ping -s 1371 10.255.3.1

If I reduce the size by 1, everything works fine; if not, I get the following tcpdump from the pfSense machine:

13:40:36.610128 (authentic,confidential): SPI 0x8b2f68b1: IP 172.22.1.12 > 10.255.3.1: ICMP echo request, id 15512, seq 11, length 1379
13:40:36.630910 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ICMP echo reply, id 15512, seq 11, length 1376
13:40:36.631000 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ip-proto-1

(The IP mismatch is caused by NAT from 172.22.1.0/24 to 10.254.3.0/24.) Line 1 shows the outgoing ICMP request. Lines 2 & 3 show an answer from 10.255.3.1 to 10.254.3.12 (which is the NATed address of the source IP 10.255.3.1). As you can see, the reply is fragmented, and the filter logs show:

Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376
Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,icmp,23,10.255.3.1,10.254.3.12,

I was under the impression that pfSense would reassemble incoming traffic?
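The two filterlog entries quoted in the report can be checked mechanically. The script below is an added example (it is not part of the bug report and not pfSense code): it parses the two lines, groups fragments by (src, dst, protocol, IP id), walks the offsets and the More Fragments flag, and shows that they are the two pieces of a single 1399-byte ICMP echo reply, which is exactly what "ping -s 1371" produces (1371 data + 8 ICMP header + 20 IP header). It assumes the pfSense 2.3 filterlog IPv4 CSV layout (rule, sub-rule, anchor, tracker, iface, reason, action, dir, ipver, tos, ecn, ttl, id, offset, flags, proto, proto-text, length, src, dst, then protocol fields), that the offset field is in bytes, that "+" in the flags field means More Fragments, and that every fragment carries a 20-byte IP header with no options. The field names IP_HDR_LEN, parse_filterlog, reassembled_length and blocked_fragmented_datagrams are this example's own.

```python
"""Added example, not pfSense code: reassemble blocked IPv4 fragments from
pfSense filterlog lines to see what datagram was actually dropped.

Assumptions (see lead-in): pfSense 2.3 filterlog IPv4 CSV layout, fragment
offset in bytes, "+" in the flags field = More Fragments, 20-byte IP header.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP_HDR_LEN = 20        # assumption: no IP options on any fragment
ICMP_ECHO_HDR_LEN = 8  # type, code, checksum, id, sequence

# The two blocked entries quoted in the bug report, verbatim.
SAMPLE_LOG = [
    "Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376",
    "Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,icmp,23,10.255.3.1,10.254.3.12,",
]


@dataclass
class FilterLogEntry:
    iface: str
    action: str
    direction: str
    ttl: int
    ip_id: int
    offset: int            # fragment offset in bytes from the start of the IP payload
    more_fragments: bool   # flags field was "+"
    proto: str             # protocol text, e.g. "icmp"
    length: int            # total length of this IP packet (header + payload)
    src: str
    dst: str
    extra: List[str] = field(default_factory=list)  # protocol-specific tail, kept raw

    @property
    def payload_len(self) -> int:
        return self.length - IP_HDR_LEN


def parse_filterlog(line: str) -> FilterLogEntry:
    """Parse one syslog line (or a bare CSV payload) written by pfSense filterlog."""
    payload = line.split("filterlog: ", 1)[-1].strip()
    f = payload.split(",")
    if len(f) < 20 or f[8] != "4":
        raise ValueError("expected an IPv4 filterlog entry: %r" % line)
    return FilterLogEntry(
        iface=f[4], action=f[6], direction=f[7],
        ttl=int(f[11]), ip_id=int(f[12]),
        offset=int(f[13]), more_fragments=(f[14] == "+"),
        proto=f[16], length=int(f[17]), src=f[18], dst=f[19],
        extra=f[20:],
    )


def reassembled_length(frags: List[FilterLogEntry]) -> Optional[int]:
    """Total length of the original datagram if the fragments are complete and
    contiguous (no gap, no overlap, last fragment present); otherwise None."""
    expected = 0
    for e in sorted(frags, key=lambda x: x.offset):
        if e.offset != expected:
            return None                # gap or overlap in the offsets
        expected += e.payload_len
        if not e.more_fragments:       # this was the last fragment
            return IP_HDR_LEN + expected
    return None                        # final fragment never seen


def blocked_fragmented_datagrams(lines: List[str]) -> List[dict]:
    """Group blocked entries by (src, dst, proto, IP id) and report every
    datagram that arrived as more than one fragment (or with MF set)."""
    groups: Dict[Tuple[str, str, str, int], List[FilterLogEntry]] = defaultdict(list)
    for line in lines:
        e = parse_filterlog(line)
        if e.action == "block":
            groups[(e.src, e.dst, e.proto, e.ip_id)].append(e)
    report = []
    for (src, dst, proto, ip_id), frags in groups.items():
        if len(frags) > 1 or any(x.more_fragments for x in frags):
            report.append({
                "src": src, "dst": dst, "proto": proto, "ip_id": ip_id,
                "iface": frags[0].iface,
                "fragments": len(frags),
                "total_length": reassembled_length(frags),  # None if incomplete
            })
    return report


def ping_datagram_size(payload_bytes: int) -> int:
    """On-the-wire IPv4 size of an ICMP echo carrying payload_bytes of data."""
    return payload_bytes + ICMP_ECHO_HDR_LEN + IP_HDR_LEN


if __name__ == "__main__":
    for r in blocked_fragmented_datagrams(SAMPLE_LOG):
        print(r)
    print("ping -s 1371 ->", ping_datagram_size(1371), "bytes on the wire")
```

Reading the result against the report: the first entry is offset 0 with More Fragments set and an IP total length of 1396 (1376 bytes of payload, which is the "length 1376" tcpdump prints for the reply once the 20-byte IP header is taken off); the second is offset 1376 with no MF and total length 23 (3 bytes of payload). Together they make one 1399-byte datagram, and 1399 is the size of the reply to "ping -s 1371", while "-s 1370" gives 1398, which matches the observation that shrinking the ping by one byte makes it work. Both blocked entries carry the same IP id 59083 and ttl 61, which is the grouping key pf itself would need for reassembly; the example only shows what was dropped and does not establish why the enc0 rule saw fragments instead of a reassembled packet.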
