Bug #9175
Status: closed
pfsense does not send out IPv6 UDP fragments for packets created locally
Done: 0%
Description
When using Strongswan as a VPN endpoint on pfsense with IPsec, "oversized" UDP packets are sometimes created in the IKE handshake if the remote does not support IKE fragmentation. With IPv4 the "oversized" UDP packet is split (fragmented) and sent out as it should be; with IPv6 such packets are dropped. Attached is a dump on the WAN interface to which Strongswan is bound, with IPv4 working and IPv6 missing the oversized packets.
Hints:
The oversized packets are created because of the certificate/key length when used with EAP-TLS
IPv6 fragments created at the source is a valid use case, only routers are not allowed to fragment with IPv6
This problem affects all Windows clients up to Windows 10/1803 if IPv6 is to be used; later releases are able to do IKEv2 fragmentation and avoid this problem
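As an added illustration (not code from the bug report, pfSense or Strongswan), the script below builds the IPv6 fragments that the sending host itself must emit for an oversized IKE UDP datagram (RFC 8200, section 4.5), and then reassembles them the way you would when checking a WAN capture for the missing pieces described above. Addresses, the identification value and the payload are constructed sample data, and the UDP checksum is left at zero for brevity.

```python
import struct
from ipaddress import IPv6Address

NH_UDP, NH_FRAG = 17, 44      # IPv6 Next Header values for UDP and the Fragment header
FRAG_HDR_LEN = 8

def fragment_ipv6_udp(src, dst, udp_payload, ident, mtu=1280):
    """Split one oversized UDP datagram (e.g. a certificate-laden IKE_AUTH on
    port 500) into IPv6 fragments at the source; routers never fragment IPv6."""
    udp = struct.pack("!HHHH", 500, 500, 8 + len(udp_payload), 0) + udp_payload
    per_frag = (mtu - 40 - FRAG_HDR_LEN) // 8 * 8   # all but the last body are 8-byte multiples
    frags, off = [], 0
    while off < len(udp):
        body = udp[off:off + per_frag]
        more = 1 if off + len(body) < len(udp) else 0
        frag_hdr = struct.pack("!BBHI", NH_UDP, 0, ((off // 8) << 3) | more, ident)
        ip6 = struct.pack("!IHBB", 0x60000000, FRAG_HDR_LEN + len(body), NH_FRAG, 64)
        frags.append(ip6 + IPv6Address(src).packed + IPv6Address(dst).packed + frag_hdr + body)
        off += len(body)
    return frags

def fragment_info(pkt):
    """Return (ident, offset_in_bytes, more_flag, body) for a packet carrying an
    IPv6 Fragment header, or None if the packet is not a fragment."""
    plen, nh = struct.unpack("!HB", pkt[4:7])
    if nh != NH_FRAG:
        return None
    _inner_nh, _res, off_flags, ident = struct.unpack("!BBHI", pkt[40:48])
    return ident, (off_flags >> 3) * 8, off_flags & 1, pkt[48:40 + plen]

def reassemble(packets):
    """Reassemble the fragments of one datagram (single identification value).
    Returns the UDP datagram, or None when a fragment is missing, which is
    exactly what the IPv6 side of the capture in this bug looks like."""
    parts = sorted(f for f in (fragment_info(p) for p in packets) if f)
    data, expect, saw_last = b"", 0, False
    for _ident, off, more, body in parts:
        if off != expect:
            return None
        data += body
        expect += len(body)
        saw_last = not more
    return data if data and saw_last else None

if __name__ == "__main__":
    sample = bytes(range(256)) * 11 + b"\x00" * 184          # constructed 3000-byte IKE payload
    frags = fragment_ipv6_udp("2001:db8::1", "2001:db8::2", sample, 0x1234, mtu=1500)
    print(len(frags), "fragments;", "complete" if reassemble(frags) else "incomplete")
```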