Re: Problem Radius over VPN

Luca Bertoncello L.Bertoncello at queo-group.com
Wed Apr 13 13:23:26 UTC 2022


Hi Alan,

I didn't change the fragment_size, but I tried to reduce it and set it to 800.
Unfortunately, no change in the situation...

Thanks
Luca

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+l.bertoncello=queo-group.com at lists.freeradius.org> On behalf of Alan DeKok
Sent: Wednesday, 13 April 2022 14:05
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Problem Radius over VPN

On Apr 13, 2022, at 3:24 AM, Luca Bertoncello <L.Bertoncello at queo-group.com> wrote:
> 
> I already reported in March my problems using Freeradius over VPN.
> I spent a lot of time searching for the problem, and maybe I found something, but I have no idea how to correct the problem...
> 
> So, short explanation:
> Main office with Freeradius, connected via OpenVPN to our central VPN-Server.
> Second office with the AccessPoints, connected via OpenVPN to our central VPN.
> "Normal" packets from second office to main office (and vice versa) go through both VPNs.
> 
> Now, I sniffed the packets on all servers (VPN server on second office, central VPN server, VPN server on main office and Freeradius), and I discovered that some packets are blocked.
> 
> Wireshark on VPN server of the second office:
> 
> 12	2022-03-25 14:39:48,154608	10.0.21.10	10.6.21.10	RADIUS	979	Access-Challenge id=86
> 13	2022-03-25 14:39:48,476555	10.6.21.10	10.0.21.10	IPv4	1500	Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
> 14	2022-03-25 14:39:48,507473	10.0.21.10	10.6.21.10	RADIUS	92	Access-Challenge id=87
> 15	2022-03-25 14:39:48,533183	10.6.21.10	10.0.21.10	IPv4	1500	Fragmented IP protocol (proto=UDP 17, off=0, ID=41c2)
> 16	2022-03-25 14:39:51,533406	10.6.21.10	10.0.21.10	IPv4	1500	Fragmented IP protocol (proto=UDP 17, off=0, ID=42d9)

   See mods-enabled/eap, "fragment_size"

  Set the fragment size to a smaller value, and the server will produce smaller packets.

  But... the default fragment_size is 1020.  So if the server is producing Access-Challenge packets which are much larger than that, then something is wrong.  Are you sure you didn't *increase* the fragment size?

> No other packets after packet 14 (ID 87) reach the central VPN server, so the problem "must be" either on the central VPN server or on the VPN server of the second office...
> Now the real question: does someone have an idea why just the first fragmented packet runs over all VPNs and the others do not?

  IPv4 packet fragmentation generally doesn't work outside of a LAN.

  Fix the RADIUS configuration so that it produces smaller packets.  That's why the EAP module has a "fragment_size" setting.

  Alan DeKok.
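As an added example (not part of this thread and not FreeRADIUS code), the script below parses Wireshark summary lines of the kind quoted above and reports, per traffic direction, how many complete RADIUS datagrams and how many IP fragments were seen. The sample input is constructed from the five frames in the thread. Grouping by direction makes it clear which endpoint is emitting the oversized UDP datagrams and which direction never shows a reassembled RADIUS packet, which is what you want to know before deciding whether the FreeRADIUS fragment_size (which bounds the EAP fragments the server sends) or the client-side fragment size is the one to lower.

```python
import re
from collections import defaultdict

# Constructed sample input: the Wireshark summary lines quoted in the thread,
# tab-separated as No., Time, Source, Destination, Protocol, Length, Info.
CAPTURE = """\
12\t2022-03-25 14:39:48,154608\t10.0.21.10\t10.6.21.10\tRADIUS\t979\tAccess-Challenge id=86
13\t2022-03-25 14:39:48,476555\t10.6.21.10\t10.0.21.10\tIPv4\t1500\tFragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
14\t2022-03-25 14:39:48,507473\t10.0.21.10\t10.6.21.10\tRADIUS\t92\tAccess-Challenge id=87
15\t2022-03-25 14:39:48,533183\t10.6.21.10\t10.0.21.10\tIPv4\t1500\tFragmented IP protocol (proto=UDP 17, off=0, ID=41c2)
16\t2022-03-25 14:39:51,533406\t10.6.21.10\t10.0.21.10\tIPv4\t1500\tFragmented IP protocol (proto=UDP 17, off=0, ID=42d9)
"""

# Matches Wireshark's info column for an IP fragment carrying UDP.
FRAG_RE = re.compile(r"Fragmented IP protocol \(proto=UDP 17, off=(\d+), ID=([0-9a-fA-F]+)\)")


def parse_frames(text):
    """Turn tab-separated Wireshark summary lines into a list of dicts."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        no, ts, src, dst, proto, length, info = line.split("\t", 6)
        frames.append({"no": int(no), "time": ts, "src": src, "dst": dst,
                       "proto": proto, "len": int(length), "info": info})
    return frames


def summarize(frames):
    """Per (src, dst) direction: complete RADIUS datagrams, IP fragments, fragment IDs, largest frame."""
    by_dir = defaultdict(lambda: {"radius": 0, "fragments": 0, "frag_ids": [], "max_len": 0})
    for f in frames:
        d = by_dir[(f["src"], f["dst"])]
        d["max_len"] = max(d["max_len"], f["len"])
        m = FRAG_RE.search(f["info"])
        if m:
            d["fragments"] += 1
            d["frag_ids"].append(m.group(2))
        elif f["proto"] == "RADIUS":
            # Wireshark only labels a frame RADIUS once the datagram is complete
            # (unfragmented, or all fragments arrived and were reassembled).
            d["radius"] += 1
    return dict(by_dir)


def fragmenting_senders(summary):
    """Source addresses that emitted fragmented UDP datagrams."""
    return sorted({src for (src, _), d in summary.items() if d["fragments"]})


def directions_without_reassembly(summary):
    """Directions where fragments were seen but no complete RADIUS datagram ever appeared,
    i.e. the trailing fragments are being dropped somewhere before this capture point."""
    return sorted(key for key, d in summary.items() if d["fragments"] and d["radius"] == 0)


def report(text):
    summary = summarize(parse_frames(text))
    lines = []
    for (src, dst), d in sorted(summary.items()):
        lines.append(f"{src} -> {dst}: radius={d['radius']} fragments={d['fragments']} "
                     f"max_len={d['max_len']} frag_ids={','.join(d['frag_ids']) or '-'}")
    for src, dst in directions_without_reassembly(summary):
        lines.append(f"WARNING: {src} -> {dst} sends fragments but no complete RADIUS "
                     f"datagram was captured; lower the EAP fragment size on {src}'s side "
                     f"or fix the path MTU between the VPN endpoints")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CAPTURE))
```

Run on the thread's frames, the report shows two complete Access-Challenge datagrams from 10.0.21.10 (979 and 92 bytes, both under the 1020-byte default) and three first fragments from 10.6.21.10 with no reassembled datagram in that direction, which is the symptom to chase on the access-point side of the tunnel.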
