Actions
Bug #7837
closedfragmented packets not reassembled over IPSec tunnel
Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
09/03/2017
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.4_1
Affected Architecture:
amd64
Description
I am trying to ping a machine over an ipsec tunnel:
ping -s 1371 10.255.3.1
If I reduce the size by 1 everything works fine, if not I get the following tcpdump from the pfsense machine:
13:40:36.610128 (authentic,confidential): SPI 0x8b2f68b1: IP 172.22.1.12 > 10.255.3.1: ICMP echo request, id 15512, seq 11, length 1379 13:40:36.630910 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ICMP echo reply, id 15512, seq 11, length 1376 13:40:36.631000 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ip-proto-1
(The ip missmatch is caused by NAT from 172.22.1.0/24 to 10.254.3.0/24). Line 1 shows the outgoing icmp request. Line 2 & 3 show an answer from 10.255.3.1 to 10.254.3.12 (which is the natted address of the source ip 10.255.3.1). As you can see the reply is fragmented and the filter logs show:
Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376 Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,icmp,23,10.255.3.1,10.254.3.12,
I was under the impression that pfsense would reassemble incoming traffic?
Actions