Bug #9184: TCP packet fragments over IPSEC ESP are not reassembled or forwarded - pfSense - pfSense bugtracker

Actions

Copy link

Bug #9184

closed

TCP packet fragments over IPSEC ESP are not reassembled or forwarded

Added by Spiros Papageorgiou over 5 years ago. Updated over 4 years ago.

Status:

Duplicate

Priority:

Normal

Assignee:

Category:

IPsec

Target version:

Start date:

12/09/2018

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.4.4

Affected Architecture:

Description

Hi all,

I have an IPSEC VPN between PFsense and a Cisco ASA. The ASA does fragmentation before encryption (ASA command: crypto ipsec fragmentation before-encryption outside).
In case, where I have TCP fragments in ESP packets incoming to PFSense, I can see the packets going in PFsense-WAN as ESP traffic, but the TCP fragments are not reassembled or forwarded to the LAN interface. When I have ICMP fragments in ESP packets, PFsense reassembles the full ICMP packet and forwards it to the endhost.

Is this a bug or not? There is related issue https://redmine.pfsense.org/issues/7801 which is for UDP.

Let me also tell you that "fragmentation before encryption" seems to be the default ASA behaviour (which make the problem wider).

Thanx,
Spiros

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #9184

TCP packet fragments over IPSEC ESP are not reassembled or forwarded

Updated by Jim Pingle over 4 years ago