Bug #9184

closed

TCP packet fragments over IPSEC ESP are not reassembled or forwarded

Added by Spiros Papageorgiou over 5 years ago. Updated over 4 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 12/09/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4
Affected Architecture:

Description

Hi all,

I have an IPSEC VPN between PFsense and a Cisco ASA. The ASA does fragmentation before encryption (ASA command: crypto ipsec fragmentation before-encryption outside).
In the case where I have TCP fragments in ESP packets incoming to PFSense, I can see the packets going in PFsense-WAN as ESP traffic, but the TCP fragments are not reassembled or forwarded to the LAN interface. When I have ICMP fragments in ESP packets, PFsense reassembles the full ICMP packet and forwards it to the endhost.

Is this a bug or not? There is a related issue, https://redmine.pfsense.org/issues/7801, which is for UDP.

Let me also tell you that "fragmentation before encryption" seems to be the default ASA behaviour (which makes the problem wider).

Thanks,
Spiros

Actions #1

Updated by Jim Pingle over 4 years ago

  • Category set to IPsec
  • Status changed from New to Duplicate

Duplicate of #7801
