Project

General

Profile

Actions
Copy link

Bug #9175

closed

pfsense does not send out IPv6 UDP fragments for packets created local

Added by Andi Admin over 5 years ago. Updated over 4 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
12/06/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.4_1
Affected Architecture:

Description

When using Strongswan as VPN Endpoint on pfsense with IPSEC sometimes "oversized" UDP packets are created in the IKE handshake if the remote does not support IKE Fragmentation. With IPv4 the "oversized" UDP packet is split (fragmented) and send out as it should, with IPv6 such packets are dropped. Attached are a dump on the WAN interface where Strongswan is bound to with IPv4 working and IPv6 missing the oversized packets.

Hints:

The oversized packets are created because of certificates/key lenght when used with EAP-TLS

IPv6 fragments created at the source is a valid use case, only routers are not allowed to fragment with IPv6

This problem does affect all Windows clients up to Windows 10/1803 if IPv6 should be used, later releases are able to do IKEv2 Fragmentation and avoid this problem

Files

Download all files
packetcapture-w7-ipv6-non-working-filter2.cap (3.88 KB) packetcapture-w7-ipv6-non-working-filter2.cap Andi Admin, 12/06/2018 09:39 AM
packetcapture-w7-ipv4-working-filter.cap (44.3 KB) packetcapture-w7-ipv4-working-filter.cap Andi Admin, 12/06/2018 09:40 AM
Actions
Copy link
 #1

Updated by Andi Admin over 5 years ago

Can anyone comment on how to proceed or what might be needed to reproduce?

Actions
Copy link
 #2

Updated by Jim Pingle over 4 years ago

  • Category set to IPsec
  • Status changed from New to Duplicate

Duplicate of #7801

Actions
Copy link

Also available in: Atom PDF