Bug #9184
closed
TCP packet fragments over IPSEC ESP are not reassembled or forwarded
0%
Description
Hi all,
I have an IPsec VPN between pfSense and a Cisco ASA. The ASA does fragmentation before encryption (ASA command: crypto ipsec fragmentation before-encryption outside).
In the case where I have TCP fragments in ESP packets incoming to pfSense, I can see the packets arriving on the pfSense WAN as ESP traffic, but the TCP fragments are not reassembled or forwarded to the LAN interface. When I have ICMP fragments in ESP packets, pfSense reassembles the full ICMP packet and forwards it to the end host.
Is this a bug or not? There is a related issue, https://redmine.pfsense.org/issues/7801, which is for UDP.
Let me also tell you that "fragmentation before encryption" seems to be the default ASA behaviour (which makes the problem wider).
Thanks,
Spiros
Updated by Jim Pingle over 5 years ago
- Category set to IPsec
- Status changed from New to Duplicate
Duplicate of #7801