Fragmented reply ICMP packages not reassembled

IPsec
Log in to reply
  • A

    I am trying to ping a machine over an ipsec tunnel:

    ping -s 1371 10.255.3.1

    If I reduce the size by 1 everything works fine, if not I get the following answers:

    
13:40:36.610128 (authentic,confidential): SPI 0x8b2f68b1: IP 172.22.1.12 > 10.255.3.1: ICMP echo request, id 15512, seq 11, length 1379
13:40:36.630910 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ICMP echo reply, id 15512, seq 11, length 1376
13:40:36.631000 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ip-proto-1

    (The ip missmatch is caused by NAT from 172.22.1.0/24 to 10.254.3.0/24)

    As you can see the reply is fragmented and the filter logs show:

    
Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376
Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,icmp,23,10.255.3.1,10.254.3.12,

    Any ideas why pfsense would not reassemble the packets and if there is anything I can do to fix that? Version is 2.3.4-RELEASE-p1

    Thanks,
    Florian

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy