How to enable Traffic Flow Confidentiality (TFC)
-
Got an IPsec IKEv2 tunnel up and running where a Linux client connects to the pfSense 2.2.2 server. When connecting I got the following message:
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
From the following RFC of an IPsec implementation, TFC should be implemented.
https://tools.ietf.org/html/rfc4303#page-17
From the strongSwan doc (ipsec.conf), TFC is defined by:
tfc = <value>
number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The special value %mtu fills up ESP packets with padding to have the size of the MTU.
So is it true that TFC isn't supported in pfSense? Or is the option just missing in the webConfigurator?
Best Regards
Lars Pedersen
-
bump..
120+ views but no one with any feedback :/
Getting TFC to work with pfSense would be a nice feature for me since it prevents statistical traffic analysis attacks.
I have directed the issue to FreeBSD's mailing list since it seems like it needs to be implemented in the kernel.
So I am not giving up yet :)
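Worked model of what the strongSwan tfc=%mtu option from the first post does to the packet sizes a passive on-path observer sees, which is the traffic-analysis point raised above (added example, not code from this thread, strongSwan or FreeBSD; it assumes AES-GCM ESP in tunnel mode over IPv4 with an 8-byte IV and 16-byte ICV, and an MTU of 1500):

```python
"""Model of ESPv3 TFC padding (RFC 4303, section 2.7): without TFC each inner
packet produces a distinct outer size; with tfc=%mtu every packet leaves at the
MTU. Constructed example; the SA parameters below are assumptions."""

IPV4_HEADER = 20   # outer IP header (assumed IPv4 transport)
ESP_HEADER = 8     # SPI + sequence number
IV_LEN = 8         # AES-GCM IV (assumed cipher)
ESP_TRAILER = 2    # pad length + next header
ICV_LEN = 16       # integrity check value
ALIGN = 4          # encrypted part must end on a 4-byte boundary

FIXED = IPV4_HEADER + ESP_HEADER + IV_LEN + ESP_TRAILER + ICV_LEN


def tfc_pad_len(inner_len: int, mtu: int = 1500) -> int:
    """TFC bytes to append so the outer packet reaches the MTU; 0 if the
    inner packet already fills (or exceeds) the available room."""
    room = mtu - FIXED
    room -= (room + ESP_TRAILER) % ALIGN   # keep the trailer aligned
    return max(0, room - inner_len)


def esp_packet_size(inner_len: int, mtu: int = 1500, tfc: bool = False) -> int:
    """Outer packet size for one inner packet, with or without TFC padding.
    Oversized inner packets are returned as-is (they would be fragmented)."""
    tfc_pad = tfc_pad_len(inner_len, mtu) if tfc else 0
    body = inner_len + tfc_pad
    pad = (-(body + ESP_TRAILER)) % ALIGN   # normal ESP alignment padding
    return FIXED + body + pad


def observed_sizes(inner_lens, mtu: int = 1500, tfc: bool = False):
    """Distinct sizes an observer sees for a sequence of inner packets."""
    return sorted({esp_packet_size(n, mtu, tfc) for n in inner_lens})


if __name__ == "__main__":
    # constructed traffic: TCP ACK, small request, near-MTU data segment
    flow = [60, 576, 1400]
    print("no TFC  :", observed_sizes(flow))            # [116, 632, 1456]
    print("tfc=%mtu:", observed_sizes(flow, tfc=True))  # [1500]
```

The distinct-size list is what a size-based classifier would key on; TFC to the MTU collapses it to one value at the cost of bandwidth, which is why the option applies per direction and is opt-in.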
-
If you edit the ipsec code to add the line into strongSwan.conf, does it work? If so, then it's just missing from the GUI. Feel free to open a feature request on https://redmine.pfsense.org
-
Hi jimp. Thanks for the response.
Tried that a few days ago and it doesn't work either :/ I have checked the FreeBSD trunk out and can see that the last changes to the source code for IPsec and ESP are from 2000/2001, and the RFC that describes TFC is from 2005.
So I guess some development in FreeBSD is needed to make this work.