AW: Problem Radius over VPN
L.Bertoncello at queo-group.com
Wed Apr 13 13:23:26 UTC 2022
I didn't changed the fragment_size, but I tried to reduce it and set it to 800.
Unfortunately no changes in the situation...
Von: Freeradius-Users <freeradius-users-bounces+l.bertoncello=queo-group.com at lists.freeradius.org> Im Auftrag von Alan DeKok
Gesendet: Mittwoch, 13. April 2022 14:05
An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Betreff: Re: Problem Radius over VPN
On Apr 13, 2022, at 3:24 AM, Luca Bertoncello <L.Bertoncello at queo-group.com> wrote:
> I already reported in March my problems using Freeradius over VPN.
> I spent many time searching the problem, and maybe I found something, but I have no idea how to correct the problem...
> So, short explanation:
> Main office with Freeradius, connected via OpenVPN to our central VPN-Server.
> Second office with the AccessPoints, connected via OpenVPN to our central VPN.
> "Normal" pakets from second office to main office (and viceversa) go through both VPNs.
> Now, I sniffed the pakets on all servers (VPN server on second office, central VPN server, VPN server on main office and Freeradius), and I discovered that some pakets are blocked.
> Wireshark on VPN server of the second office:
> 12 2022-03-25 14:39:48,154608 10.0.21.10 10.6.21.10 RADIUS 979 Access-Challenge id=86
> 13 2022-03-25 14:39:48,476555 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
> 14 2022-03-25 14:39:48,507473 10.0.21.10 10.6.21.10 RADIUS 92 Access-Challenge id=87
> 15 2022-03-25 14:39:48,533183 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=41c2)
> 16 2022-03-25 14:39:51,533406 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=42d9)
See mods-enabled/eap, "fragment_size"
Set the fragment size to a smaller value, and the server will produce smaller packets.
But... the default fragment_size is 1020. So if the server is producing Access-Challenge packets which are much larger than that, then something is wrong. Are you sure you didn't *increase* the fragment size?
> No other pakets after paket 14 (ID 87) reach the central VPN serve, so the problem "must be" either on the central VPN server or on the VPN server oft he second office...
> Now the very question: do someone have an idea why just the first fragmented paket run over all VPNs and the other one do not?
IPv4 packet fragmentation generally doesn't work outside of a LAN.
Fix the RADIUS configuration so that it produces smaller packets. That's why the EAP module has a "fragment_size" setting.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users