Problem Radius over VPN
Michael Schwartzkopff
ms at sys4.de
Wed Apr 13 07:31:48 UTC 2022
On 13.04.22 09:24, Luca Bertoncello wrote:
> Hi list!
>
> I already reported in March my problems using Freeradius over VPN.
> I spent many time searching the problem, and maybe I found something, but I have no idea how to correct the problem...
>
> So, short explanation:
> Main office with Freeradius, connected via OpenVPN to our central VPN-Server.
> Second office with the AccessPoints, connected via OpenVPN to our central VPN.
> "Normal" pakets from second office to main office (and viceversa) go through both VPNs.
>
> Now, I sniffed the pakets on all servers (VPN server on second office, central VPN server, VPN server on main office and Freeradius), and I discovered that some pakets are blocked.
>
> Wireshark on VPN server of the second office:
>
> 12 2022-03-25 14:39:48,154608 10.0.21.10 10.6.21.10 RADIUS 979 Access-Challenge id=86
> 13 2022-03-25 14:39:48,476555 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
> 14 2022-03-25 14:39:48,507473 10.0.21.10 10.6.21.10 RADIUS 92 Access-Challenge id=87
> 15 2022-03-25 14:39:48,533183 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=41c2)
> 16 2022-03-25 14:39:51,533406 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=42d9)
>
> Wireshark on central VPN:
>
> 12 2022-03-25 14:39:48,129787 10.0.21.10 10.6.21.10 RADIUS 979 Access-Challenge id=86
> 13 2022-03-25 14:39:48,488993 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
> 14 2022-03-25 14:39:48,501213 10.0.21.10 10.6.21.10 RADIUS 92 Access-Challenge id=87
>
> No other pakets after paket 14 (ID 87) reach the central VPN serve, so the problem "must be" either on the central VPN server or on the VPN server oft he second office...
> Now the very question: do someone have an idea why just the first fragmented paket run over all VPNs and the other one do not?
>
> Thanks a lot
> Luca
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi,
a VPN tunnel adds some byte to the IP packet. If a packet is already
1500 byte it has to be fragmented. This is what happens here. Some
firewalls and VPN devices cannot deal with fragmentation correctly and
drop the packet. So it never reaches the other side and communication is
disrupted.
RADIUS especially has a problem with long certificates that exceed the
MTU limit of the network.
Please avoid network fragmentation or at least, configure path MTU
discovery. Best solution would be to configure fragmentation detection
within the VPN setup. IPsec with IKEv2 has the ability to detect the
MTU and the need to build smaller encrypted packets.
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
More information about the Freeradius-Users
mailing list