[strongSwan] eap-radius MTU problem?
Frank H.Y. Wang
gladandong at gmail.com
Fri Aug 19 13:22:20 CEST 2016
Hi,
I am using eap-radius doing EAP-TLS with freeRADIUS. I think I ran into
an MTU related issue.
Aug 19 10:35:49 node01 charon: 11[CFG] sending RADIUS Access-Request to
server '10.254.1.251'
Aug 19 10:35:49 node01 charon: 11[CFG] => 1535 bytes @ 0x7fbfd40066b0
Aug 19 10:35:49 node01 charon: 11[CFG] 0: 01 5A 05 FF C8 9F E5 4E 0D
DA 2C F0 FA 5A A1 7F .Z.....N..,..Z..
...
Aug 19 10:35:49 node01 charon: 11[CFG] 1504: C5 DB 3B E5 31 DD F9 04 DF
0F 3B CD FB 50 12 1D ..;.1.....;..P..
Aug 19 10:35:49 node01 charon: 11[CFG] 1520: F9 1D 73 68 D6 7D 69 61 41
20 6F 74 84 75 C8 ..sh.}iaA ot.u.
Aug 19 10:35:50 node01 charon: 13[MGR] ignoring request with ID 6,
already processing
Aug 19 10:35:51 node01 charon: 11[CFG] retransmit 1 of RADIUS
Access-Request (timeout: 2.8s)
Aug 19 10:35:51 node01 charon: 12[MGR] ignoring request with ID 6,
already processing
Aug 19 10:35:54 node01 charon: 11[CFG] retransmit 2 of RADIUS
Access-Request (timeout: 3.9s)
Aug 19 10:35:54 node01 charon: 10[MGR] ignoring request with ID 6,
already processing
Aug 19 10:35:57 node01 charon: 11[CFG] retransmit 3 of RADIUS
Access-Request (timeout: 5.5s)
Aug 19 10:36:01 node01 charon: 04[MGR] ignoring request with ID 6,
already processing
Aug 19 10:36:03 node01 charon: 11[CFG] RADIUS Access-Request timed out
after 4 attempts
Aug 19 10:36:03 node01 charon: 11[IKE] EAP method EAP_TLS failed for
peer 10.1.1.172
Aug 19 10:36:03 node01 charon: 11[ENC] generating IKE_AUTH response 6 [
EAP/FAIL ]
Aug 19 10:36:03 node01 charon: 11[NET] sending packet: from
xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (80 bytes)
Aug 19 10:36:03 node01 charon: 11[IKE] IKE_SA road-warriors-ikev2[29]
state change: CONNECTING => DESTROYING)"
The MTU between strongSwan and freeRADIUS is 1460, while eap-radius is
trying to send packets of 1535 bytes.
I am using RSA certificates with 2048-bit keys. The only client having
this problem is Windows; both MacOS and iOS work fine.
I also tried ECDSA, which works because the certificates are much smaller,
but since I have to support Windows 7, which doesn't support ECDSA
client certificates, that's not an option.
So the questions are:
1. Why is the Access-Request for Windows much bigger than for other clients?
Is it possible to reduce it by fiddling with some Windows client-side settings?
2. Is there any way to limit the maximum size of the Access-Request on
the server side? Does eap-radius support fragmentation like the eap-tls
plugin does?
charon.plugins.eap-tls.fragment_size 1024 Maximum size of an EAP-TLS packet.
Thanks in advance!
Frank
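An added example, not from the original post: it decodes the RADIUS header from the first hex dump line above (Code, ID, Length), checks whether such a packet fits a given MTU, and works out how EAP-Message attribute chunking relates an EAP-TLS fragment size to the Access-Request length. The 28-byte IPv4/UDP overhead, the 10-byte EAP-TLS header and the 100 bytes of other attributes are assumptions.

```python
import struct

RADIUS_HDR = 20        # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_HDR = 2           # Type(1) + Length(1) for every RADIUS attribute
EAP_MESSAGE_MAX = 253  # largest value an EAP-Message attribute can carry
EAP_TLS_HDR = 10       # assumption: EAP hdr(4) + Type(1) + Flags(1) + TLS length(4)
IP_UDP_OVERHEAD = 28   # assumption: the 1460 MTU is an IPv4 MTU (20 + 8 byte headers)

# Constructed copy of the first dump line from the charon log above.
LOG_LINE = ("Aug 19 10:35:49 node01 charon: 11[CFG] 0: 01 5A 05 FF C8 9F E5 4E 0D "
            "DA 2C F0 FA 5A A1 7F")


def parse_radius_header(line):
    """Return (code, identifier, length) from a charon '0: xx xx ...' dump line."""
    dump = line.rsplit("] ", 1)[-1]          # drop the timestamp and thread tag
    octets = bytes.fromhex("".join(dump.split(":", 1)[1].split()[:4]))
    return struct.unpack("!BBH", octets)     # network byte order, Length is 16-bit


def access_request_size(eap_payload_len, other_attrs_len):
    """RADIUS packet length when an EAP payload is split into EAP-Message attributes."""
    chunks = -(-eap_payload_len // EAP_MESSAGE_MAX)   # ceiling division
    return RADIUS_HDR + other_attrs_len + eap_payload_len + chunks * ATTR_HDR


def fits_mtu(packet_len, mtu):
    """True if the RADIUS datagram plus IP/UDP headers fits the link MTU unfragmented."""
    return packet_len + IP_UDP_OVERHEAD <= mtu


def max_eap_tls_fragment(mtu, other_attrs_len):
    """Largest TLS fragment (bytes of TLS data per EAP-TLS packet) whose relayed
    Access-Request still fits the MTU.  The size function is monotone, so the
    last fragment size that fits is the maximum."""
    budget = mtu - IP_UDP_OVERHEAD
    best = 0
    for frag in range(1, budget):
        if access_request_size(EAP_TLS_HDR + frag, other_attrs_len) <= budget:
            best = frag
    return best


if __name__ == "__main__":
    code, ident, length = parse_radius_header(LOG_LINE)
    print(f"code={code} id={ident} length={length} fits1460={fits_mtu(length, 1460)}")
    print("max EAP-TLS fragment for MTU 1460:", max_eap_tls_fragment(1460, 100))
```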