Problem Radius over VPN

Alan Buxey alan.buxey at gmail.com
Wed Apr 13 15:11:07 UTC 2022


Allow fragmented UDP? (Much like people running RADIUS across WAN have to
do at perimeter firewalls)

alan

On Wed, 13 Apr 2022, 08:24 Luca Bertoncello, <L.Bertoncello at queo-group.com>
wrote:

> Hi list!
>
> I already reported in March my problems using Freeradius over VPN.
> I spent a lot of time searching for the problem, and maybe I found
> something, but I have no idea how to correct the problem...
>
> So, short explanation:
> Main office with Freeradius, connected via OpenVPN to our central
> VPN-Server.
> Second office with the AccessPoints, connected via OpenVPN to our central
> VPN.
> "Normal" packets from second office to main office (and vice versa) go
> through both VPNs.
>
> Now, I sniffed the packets on all servers (VPN server on second office,
> central VPN server, VPN server on main office and Freeradius), and I
> discovered that some packets are blocked.
>
> Wireshark on VPN server of the second office:
>
> 12      2022-03-25 14:39:48,154608      10.0.21.10      10.6.21.10
> RADIUS  979     Access-Challenge id=86
> 13      2022-03-25 14:39:48,476555      10.6.21.10      10.0.21.10
> IPv4    1500    Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
> 14      2022-03-25 14:39:48,507473      10.0.21.10      10.6.21.10
> RADIUS  92      Access-Challenge id=87
> 15      2022-03-25 14:39:48,533183      10.6.21.10      10.0.21.10
> IPv4    1500    Fragmented IP protocol (proto=UDP 17, off=0, ID=41c2)
> 16      2022-03-25 14:39:51,533406      10.6.21.10      10.0.21.10
> IPv4    1500    Fragmented IP protocol (proto=UDP 17, off=0, ID=42d9)
>
> Wireshark on central VPN:
>
> 12      2022-03-25 14:39:48,129787      10.0.21.10      10.6.21.10
> RADIUS  979     Access-Challenge id=86
> 13      2022-03-25 14:39:48,488993      10.6.21.10      10.0.21.10
> IPv4    1500    Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
> 14      2022-03-25 14:39:48,501213      10.0.21.10      10.6.21.10
> RADIUS  92      Access-Challenge id=87
>
> No other packets after packet 14 (ID 87) reach the central VPN server, so
> the problem "must be" either on the central VPN server or on the VPN server
> of the second office...
> Now the very question: does someone have an idea why just the first
> fragmented packet runs over all VPNs and the other ones do not?
>
> Thanks a lot
> Luca
>
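
The hop-by-hop comparison described in the quoted post, as an added example that is not part of the original messages: it parses the two Wireshark excerpts (rows copied from the post, rejoined one packet per line) and lists the IP fragments seen at the second-office VPN server that never show up at the central VPN server. The function names are illustrative.

```python
import re

# Rows from the capture excerpts in the quoted post, one packet per line.
SECOND_OFFICE = """\
12 2022-03-25 14:39:48,154608 10.0.21.10 10.6.21.10 RADIUS 979 Access-Challenge id=86
13 2022-03-25 14:39:48,476555 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
14 2022-03-25 14:39:48,507473 10.0.21.10 10.6.21.10 RADIUS 92 Access-Challenge id=87
15 2022-03-25 14:39:48,533183 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=41c2)
16 2022-03-25 14:39:51,533406 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=42d9)
"""
CENTRAL_VPN = """\
12 2022-03-25 14:39:48,129787 10.0.21.10 10.6.21.10 RADIUS 979 Access-Challenge id=86
13 2022-03-25 14:39:48,488993 10.6.21.10 10.0.21.10 IPv4 1500 Fragmented IP protocol (proto=UDP 17, off=0, ID=41c1)
14 2022-03-25 14:39:48,501213 10.0.21.10 10.6.21.10 RADIUS 92 Access-Challenge id=87
"""

# Columns: No., date + time, source, destination, protocol, length, info
ROW = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
FRAG = re.compile(r"off=(\d+), ID=([0-9a-f]+)")


def fragments(capture_text):
    """Map (src, dst, ip_id, offset) -> frame length for every fragment row."""
    found = {}
    for line in capture_text.splitlines():
        row = ROW.match(line)
        if not row:
            continue
        _no, _ts, src, dst, _proto, length, info = row.groups()
        frag = FRAG.search(info)
        if frag:  # non-fragment rows (e.g. RADIUS) are skipped
            found[(src, dst, frag.group(2), int(frag.group(1)))] = int(length)
    return found


def lost_between(upstream_text, downstream_text):
    """Fragments captured at the upstream hop but absent at the downstream hop."""
    upstream = fragments(upstream_text)
    downstream = fragments(downstream_text)
    return sorted(key for key in upstream if key not in downstream)


if __name__ == "__main__":
    for src, dst, ip_id, off in lost_between(SECOND_OFFICE, CENTRAL_VPN):
        print(f"fragment {src} -> {dst} ID={ip_id} off={off} not seen at central VPN")
```

Matching on the IP ID and fragment offset rather than on frame numbers keeps the comparison valid when the two captures number their packets differently.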

