Bug #9175

pfSense does not send out IPv6 UDP fragments for locally created packets

Added by Andi Admin 7 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 12/06/2018
Due date: -
% Done: 0%
Estimated time: -
Affected Version: 2.4.4_1
Affected Architecture: -
Description

When using strongSwan as the VPN endpoint on pfSense with IPsec, "oversized" UDP packets are sometimes created in the IKE handshake if the remote peer does not support IKE fragmentation. With IPv4 the "oversized" UDP packet is split (fragmented) and sent out as it should be; with IPv6 such packets are dropped. Attached is a dump on the WAN interface to which strongSwan is bound, with IPv4 working and IPv6 missing the oversized packets.

Hints:

The oversized packets are created because of the certificate/key length when EAP-TLS is used.

IPv6 fragments created at the source are a valid use case; only routers are not allowed to fragment with IPv6.

This problem affects all Windows clients up to Windows 10/1803 if IPv6 is to be used; later releases are able to do IKEv2 fragmentation and avoid this problem.
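The second hint is the crux of the report: RFC 8200 forbids fragmentation by routers, but the originating host is expected to fragment a datagram that exceeds the path MTU, and the receiving peer reassembles it. The following added example (not code from the bug report, pfSense or strongSwan) builds an IKE-sized UDP datagram over IPv6, fragments it the way a source host must (IPv6 header, Fragment extension header with 8-octet-aligned offsets and the M flag, identification field), and reassembles it on the receiving side. The addresses are constructed documentation addresses, the payload is synthetic, and the minimum MTU of 1280 is the RFC 8200 floor; port 500 is the IKE port mentioned in the report's context.

```python
"""Added example: IPv6 source fragmentation of an oversized UDP datagram
(RFC 8200 section 4.5) and receiver-side reassembly. Addresses, ports and
payload are constructed for the demonstration."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_UDP = 17
NH_FRAGMENT = 44
IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this many octets


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the UDP-over-IPv6 checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src: bytes, dst: bytes, upper_len: int) -> bytes:
    # src, dst, 32-bit upper-layer length, 24 zero bits, next header (RFC 8200 8.1)
    return src + dst + struct.pack("!I3xB", upper_len, NH_UDP)


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    csum = 0xFFFF ^ _ones_complement_sum(_pseudo_header(src, dst, len(udp)) + udp)
    return csum or 0xFFFF  # UDP over IPv6 must never carry a zero checksum


def verify_udp(src: bytes, dst: bytes, udp: bytes) -> bool:
    """A correct datagram sums to all-ones when the checksum field is included."""
    return _ones_complement_sum(_pseudo_header(src, dst, len(udp)) + udp) == 0xFFFF


def build_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src, dst, hdr + payload)
    return hdr[:6] + struct.pack("!H", csum) + payload


def _ipv6(src: bytes, dst: bytes, nh: int, payload: bytes, hop_limit: int = 64) -> bytes:
    # version 6, traffic class 0, flow label 0, then payload length / next header / hop limit
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, hop_limit) + src + dst + payload


def fragment(src, dst, next_header: int, upper: bytes, ident: int, mtu: int = IPV6_MIN_MTU):
    """What a source host does with a datagram larger than the MTU: split the
    fragmentable part into chunks that are multiples of 8 octets (except the
    last) and put each behind its own IPv6 header plus Fragment header."""
    if len(upper) + IPV6_HDR_LEN <= mtu:
        return [_ipv6(src, dst, next_header, upper)]  # fits, no fragmentation needed
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) & ~7
    packets = []
    for off in range(0, len(upper), chunk):
        piece = upper[off:off + chunk]
        more = 1 if off + chunk < len(upper) else 0
        # next header, reserved, (offset in 8-octet units << 3) | M flag, identification
        frag_hdr = struct.pack("!BBHI", next_header, 0, ((off // 8) << 3) | more, ident)
        packets.append(_ipv6(src, dst, NH_FRAGMENT, frag_hdr + piece))
    return packets


def parse_ipv6(pkt: bytes):
    """Return (src, dst, next_header, payload) from a raw IPv6 packet."""
    _, plen, nh, _ = struct.unpack("!IHBB", pkt[:8])
    return pkt[8:24], pkt[24:40], nh, pkt[40:40 + plen]


def reassemble(packets):
    """Receiver side: rebuild the original upper-layer datagram from fragments
    that may arrive in any order; fail loudly if any piece is missing."""
    pieces, final_len, nh = {}, None, None
    for pkt in packets:
        _, _, hdr_nh, payload = parse_ipv6(pkt)
        if hdr_nh != NH_FRAGMENT:
            return hdr_nh, payload  # unfragmented packet
        nh, _, offm, _ident = struct.unpack("!BBHI", payload[:FRAG_HDR_LEN])
        data = payload[FRAG_HDR_LEN:]
        off = (offm >> 3) * 8
        pieces[off] = data
        if not (offm & 1):  # M flag clear: this fragment carries the tail
            final_len = off + len(data)
    if final_len is None:
        raise ValueError("last fragment (M=0) missing")
    buf = bytearray(final_len)
    got = 0
    for off, data in pieces.items():
        buf[off:off + len(data)] = data
        got += len(data)
    if got != final_len:
        raise ValueError("fragments missing, cannot reassemble")
    return nh, bytes(buf)


def demo(payload_len: int = 3000):
    """Fragment a 3000-byte IKE-style UDP datagram at 1280 MTU and reassemble it.
    Returns (number of fragments sent, True if reassembly and checksum agree)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed  # constructed addresses
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    payload = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    udp = build_udp(src, dst, 500, 500, payload)  # UDP/500 as used by IKE
    frags = fragment(src, dst, NH_UDP, udp, ident=0x1234)
    nh, data = reassemble(frags)
    return len(frags), nh == NH_UDP and data == udp and verify_udp(src, dst, data)


if __name__ == "__main__":
    print(demo())  # -> (3, True)
```

On the wire, each emitted fragment has Next Header 44 in the IPv6 header, so a capture filter such as `ip6[6] == 44` on the WAN interface shows whether the stack emits them at all; the report's symptom is that for IPv6 nothing appears where IPv4 shows the fragmented datagram.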
