Problem Radius over VPN

Michael Schwartzkopff ms at sys4.de
Wed Apr 13 07:31:48 UTC 2022


On 13.04.22 09:24, Luca Bertoncello wrote:
> Hi list!
>
> I already reported in March my problems using Freeradius over VPN.
> I spent many time searching the problem, and maybe I found something, but I have no idea how to correct the problem...
>
> So, short explanation:
> Main office with Freeradius, connected via OpenVPN to our central VPN-Server.
> Second office with the AccessPoints, connected via OpenVPN to our central VPN.
> "Normal" pakets from second office to main office (and viceversa) go through both VPNs.
>
> Now, I sniffed the pakets on all servers (VPN server on second office, central VPN server, VPN server on main office and Freeradius), and I discovered that some pakets are blocked.
>
> Wireshark on VPN server of the second office:
>
> 12	2022-03-25 14:39:48,154608	10.0.21.10	10.6.21.10	RADIUS	979	Access-Challenge id=86
> 13	2022-03-25 14:39:48,476555	10.6.21.10	10.0.21.10	IPv4	1500	Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
> 14	2022-03-25 14:39:48,507473	10.0.21.10	10.6.21.10	RADIUS	92	Access-Challenge id=87
> 15	2022-03-25 14:39:48,533183	10.6.21.10	10.0.21.10	IPv4	1500	Fragmented IP protocol (proto=UDP 17, off=0, ID=41c2)
> 16	2022-03-25 14:39:51,533406	10.6.21.10	10.0.21.10	IPv4	1500	Fragmented IP protocol (proto=UDP 17, off=0, ID=42d9)
>
> Wireshark on central VPN:
>
> 12	2022-03-25 14:39:48,129787	10.0.21.10	10.6.21.10	RADIUS	979	Access-Challenge id=86
> 13	2022-03-25 14:39:48,488993	10.6.21.10	10.0.21.10	IPv4	1500	Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
> 14	2022-03-25 14:39:48,501213	10.0.21.10	10.6.21.10	RADIUS	92	Access-Challenge id=87
>
> No other pakets after paket 14 (ID 87) reach the central VPN serve, so the problem "must be" either on the central VPN server or on the VPN server oft he second office...
> Now the very question: do someone have an idea why just the first fragmented paket run over all VPNs and the other one do not?
>
> Thanks a lot
> Luca
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



hi,


a VPN tunnel adds some byte to the IP packet. If a packet is already 
1500 byte it has to be fragmented. This is what happens here. Some 
firewalls and VPN devices cannot deal with fragmentation correctly and 
drop the packet. So it never reaches the other side and communication is 
disrupted.


RADIUS especially has a problem with long certificates that exceed the 
MTU limit of the network.


Please avoid network fragmentation or at least, configure path MTU 
discovery. Best solution would be to configure fragmentation detection 
within the  VPN setup. IPsec with IKEv2 has the ability to detect the 
MTU and the need to build smaller encrypted packets.



Mit freundlichen Grüßen,

-- 

[*] sys4 AG
  
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
  
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein



More information about the Freeradius-Users mailing list