List: strongswan-users
Subject: [strongSwan] eap-radius MTU problem?
From: "Frank H.Y. Wang" <gladandong () gmail ! com>
Date: 2016-08-19 11:22:20
Message-ID: np6q5b$p4f$1 () blaine ! gmane ! org
Hi,
I am using eap-radius doing EAP-TLS with freeRADIUS . I think I ran into
an MTU related issue.
Aug 19 10:35:49 node01 charon: 11[CFG] sending RADIUS Access-Request to server '10.254.1.251'
Aug 19 10:35:49 node01 charon: 11[CFG] => 1535 bytes @ 0x7fbfd40066b0
Aug 19 10:35:49 node01 charon: 11[CFG] 0: 01 5A 05 FF C8 9F E5 4E 0D DA 2C F0 FA 5A A1 7F .Z.....N..,..Z..
...
Aug 19 10:35:49 node01 charon: 11[CFG] 1504: C5 DB 3B E5 31 DD F9 04 DF 0F 3B CD FB 50 12 1D ..;.1.....;..P..
Aug 19 10:35:49 node01 charon: 11[CFG] 1520: F9 1D 73 68 D6 7D 69 61 41 20 6F 74 84 75 C8 ..sh.}iaA ot.u.
Aug 19 10:35:50 node01 charon: 13[MGR] ignoring request with ID 6, already processing
Aug 19 10:35:51 node01 charon: 11[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Aug 19 10:35:51 node01 charon: 12[MGR] ignoring request with ID 6, already processing
Aug 19 10:35:54 node01 charon: 11[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Aug 19 10:35:54 node01 charon: 10[MGR] ignoring request with ID 6, already processing
Aug 19 10:35:57 node01 charon: 11[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Aug 19 10:36:01 node01 charon: 04[MGR] ignoring request with ID 6, already processing
Aug 19 10:36:03 node01 charon: 11[CFG] RADIUS Access-Request timed out after 4 attempts
Aug 19 10:36:03 node01 charon: 11[IKE] EAP method EAP_TLS failed for peer 10.1.1.172
Aug 19 10:36:03 node01 charon: 11[ENC] generating IKE_AUTH response 6 [ EAP/FAIL ]
Aug 19 10:36:03 node01 charon: 11[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (80 bytes)
Aug 19 10:36:03 node01 charon: 11[IKE] IKE_SA road-warriors-ikev2[29] state change: CONNECTING => DESTROYING
The MTU between strongSwan and freeRADIUS is 1460, while eap-radius is trying to send packets of 1535 bytes.
I am using RSA certificates with 2048-bit keys. The only client having this problem is Windows; both MacOS and iOS work fine.
I also tried ECDSA, which works because the certificates are much smaller, but since I have to support Windows 7, which doesn't support ECDSA client certificates, that's not an option.
So the questions are:
1. Why is the Access-Request for Windows so much bigger than for other clients? Is it possible to reduce it by fiddling with some Windows client-side settings?
2. Is there any way to limit the maximum size of the Access-Request on the server side? Does eap-radius support fragmentation like the eap-tls plugin does?
charon.plugins.eap-tls.fragment_size 1024 Maximum size of an EAP-TLS packet.
Thanks in advance!
Frank
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
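The following is an added example, not code from the post, from strongSwan or from FreeRADIUS. It decodes the RADIUS header that charon dumps (the first dump line above carries code 01 = Access-Request, identifier 0x5A and length 0x05FF = 1535, exactly the size charon reports), walks the attribute list with the length checks a receiver needs, reassembles the EAP packet from its EAP-Message attributes, and computes how many IP fragments a request of that size needs for a given path MTU. The User-Name value, the zeroed Message-Authenticator (the HMAC-MD5 is left out on purpose) and the EAP-TLS fragment fed into `build_access_request` are constructed for the example; the fragment arithmetic assumes IPv4 without options.

```python
"""Added example (not code from the post, strongSwan or FreeRADIUS): decode the
RADIUS header charon dumps, walk the attributes, and check whether the UDP
datagram carrying an Access-Request fits the path MTU or must be fragmented.
Everything below is constructed for the example except the first dump line,
which is copied from the post."""
import os
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79             # RFC 2869: value is at most 253 bytes
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CHUNK = 253
RADIUS_MAX_LEN = 4096             # RFC 2865 upper bound on the Length field


def header_from_dump_line(line):
    """Parse the first line of a charon hex dump ("0: 01 5A 05 FF ...") and
    return (code, identifier, length) from the 4-byte RADIUS header."""
    tokens = line.split(":", 1)[1].split()
    return struct.unpack("!BBH", bytes.fromhex("".join(tokens[:4])))


def build_access_request(ident, eap_packet, user_name=b"user@example.org"):
    """Construct an Access-Request the way a NAS does: the EAP packet is split
    across consecutive EAP-Message attributes of at most 253 bytes, followed by
    a Message-Authenticator (zeroed here; computing the HMAC is not the point).
    user_name is a constructed placeholder."""
    attrs = bytearray()
    attrs += bytes([ATTR_USER_NAME, 2 + len(user_name)]) + user_name
    for off in range(0, len(eap_packet), EAP_CHUNK):
        chunk = eap_packet[off:off + EAP_CHUNK]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = 20 + len(attrs)
    if length > RADIUS_MAX_LEN:
        raise ValueError("EAP packet too large for a single RADIUS packet")
    authenticator = os.urandom(16)   # Request Authenticator, RFC 2865 section 3
    return struct.pack("!BBH", 1, ident, length) + authenticator + bytes(attrs)


def parse_radius(pkt):
    """Return (code, identifier, length, [(type, value), ...]), rejecting the
    malformed Length and attribute-length values a receiver must not trust."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > RADIUS_MAX_LEN or length > len(pkt):
        raise ValueError("invalid RADIUS Length field %d" % length)
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("invalid attribute length %d" % alen)
        attrs.append((atype, bytes(pkt[pos + 2:pos + alen])))
        pos += alen
    return code, ident, length, attrs


def eap_payload(attrs):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)


def ip_fragments(radius_len, mtu, ip_hdr=20, udp_hdr=8):
    """Number of IP fragments needed to carry a RADIUS packet of radius_len
    bytes over a link with the given MTU (IPv4 without options by default;
    pass ip_hdr=40 for IPv6).  Every fragment but the last carries a payload
    that is a multiple of 8 bytes."""
    datagram = udp_hdr + radius_len
    if ip_hdr + datagram <= mtu:
        return 1
    per_fragment = (mtu - ip_hdr) // 8 * 8
    return -(-datagram // per_fragment)          # ceiling division


def check_request(pkt, mtu):
    """Summarise a request against the path MTU, as an operator would."""
    code, ident, length, attrs = parse_radius(pkt)
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "eap_bytes": len(eap_payload(attrs)),
            "fragments": ip_fragments(length, mtu)}


if __name__ == "__main__":
    # The first dump line from the post: code 1, id 0x5A, length 0x05FF = 1535.
    print(header_from_dump_line(
        "0: 01 5A 05 FF C8 9F E5 4E 0D DA 2C F0 FA 5A A1 7F .Z.....N..,..Z.."))
    # Constructed EAP Response (id 6, length 0x05BE = 1470, type 13 = EAP-TLS)
    # large enough to push the Access-Request past a 1460-byte MTU.
    req = build_access_request(0x5A, b"\x02\x06\x05\xbe\x0d" + bytes(1465))
    print(check_request(req, mtu=1460))
```

The point the fragment count makes: the 253-byte limit on EAP-Message applies per attribute, not per datagram, so a large EAP-TLS fragment still travels as one RADIUS packet in one UDP datagram, and with a 1460-byte path MTU a 1535-byte Access-Request leaves the NAS as two IP fragments. A server that never answers, with charon retransmitting until the request times out, is consistent with one of those fragments being dropped on the path, which is what the post suspects; capturing on both ends is the way to confirm it.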