Dropped ipsec / fragmented UDP packets
-
Hey folks,
I am having a strange issue with IPsec. We are using the pfSense 2.4.5 release (for years) and it works like a charm. We are using IPsec links with some peers to encrypt VoIP SIP signaling. This worked like a charm, too.
I can see incoming IPsec traffic, can see the decoded traffic on enc0 and also the leaving traffic on the downlink. This all works well.
Now, we are getting more and more fragmented SIP packages (split in 3 packages), correctly flagged (more fragments = 1). I can see the incoming IPsec traffic, can see the decoded traffic on enc0, but nothing on the downlink. After crunching this issue for quite a while I found out that the combination of IPsec and fragmented UDP makes pfSense drop the packages instead of reassembling them.
If I disable firewall scrubbing on the firewall, it works again -- but then other problems arise. Enabling scrubbing (default) and setting clear DF yields no other result.
What I need is to disable scrubbing on enc0/IPsec only, while keeping all the remaining interfaces scrubbed. Or any other solution. I also found several topics on the net regarding similar issues, but so far with no solutions. Most of those topics are years old, though.
If anyone can shed some light on the issue, or even supply a solution, that would be greatly appreciated.
-Chris.
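As an added illustration (not from this thread and not pfSense's generated ruleset), here is a hand-written pf.conf fragment that expresses the policy asked for above: keep fragment reassembly on the physical interfaces but exempt enc0 from scrubbing. In pf, a `no scrub` rule is evaluated first-match, much like `drop quick`, so it must precede the general scrub rule; the interface names em0/em1 are assumed.

```pf
# Assumed interface names (not from the thread)
wan = "em0"
lan = "em1"

# Default-style normalization: every interface, including enc0, is scrubbed.
# With this in place the decrypted fragments seen on enc0 are subject to
# reassembly, which is the combination the poster reports as dropped traffic.
# scrub in all fragment reassemble

# Per-interface alternative: exclude enc0 first (first match wins for "no"
# rules), then scrub the remaining interfaces as before.
no scrub on enc0 all
scrub in on $wan all fragment reassemble
scrub in on $lan all fragment reassemble
```

Verify the loaded normalization rules with `pfctl -sr | grep scrub` (this only shows the active ruleset; it does not by itself confirm the fragments now reach the downlink).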
-
@creiss I appear to be having the same issue with VOIP traffic dropping calls after 32 seconds on multiple tunnels between different pfsense boxes. Did you figure out a solution?
-
@jonathanp123
Your issue is due to the firewall closing ports, most likely due to STUN being turned on. Try turning off STUN and it should work.
-
@creiss https://redmine.pfsense.org/issues/7801
Like that?
-
@derelict Yes that. Fix it :)
-
@creiss IANAP.
-
@derelict Someone is, however :)