Hi,

I am using eap-radius doing EAP-TLS with freeRADIUS. I think I ran into an MTU-related issue.

Aug 19 10:35:49 node01 charon: 11[CFG] sending RADIUS Access-Request to server '10.254.1.251'
Aug 19 10:35:49 node01 charon: 11[CFG] => 1535 bytes @ 0x7fbfd40066b0
Aug 19 10:35:49 node01 charon: 11[CFG] 0: 01 5A 05 FF C8 9F E5 4E 0D DA 2C F0 FA 5A A1 7F .Z.....N..,..Z..
...
Aug 19 10:35:49 node01 charon: 11[CFG] 1504: C5 DB 3B E5 31 DD F9 04 DF 0F 3B CD FB 50 12 1D ..;.1.....;..P..
Aug 19 10:35:49 node01 charon: 11[CFG] 1520: F9 1D 73 68 D6 7D 69 61 41 20 6F 74 84 75 C8 ..sh.}iaA ot.u.
Aug 19 10:35:50 node01 charon: 13[MGR] ignoring request with ID 6, already processing
Aug 19 10:35:51 node01 charon: 11[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Aug 19 10:35:51 node01 charon: 12[MGR] ignoring request with ID 6, already processing
Aug 19 10:35:54 node01 charon: 11[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Aug 19 10:35:54 node01 charon: 10[MGR] ignoring request with ID 6, already processing
Aug 19 10:35:57 node01 charon: 11[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Aug 19 10:36:01 node01 charon: 04[MGR] ignoring request with ID 6, already processing
Aug 19 10:36:03 node01 charon: 11[CFG] RADIUS Access-Request timed out after 4 attempts
Aug 19 10:36:03 node01 charon: 11[IKE] EAP method EAP_TLS failed for peer 10.1.1.172
Aug 19 10:36:03 node01 charon: 11[ENC] generating IKE_AUTH response 6 [ EAP/FAIL ]
Aug 19 10:36:03 node01 charon: 11[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (80 bytes)
Aug 19 10:36:03 node01 charon: 11[IKE] IKE_SA road-warriors-ikev2[29] state change: CONNECTING => DESTROYING


The MTU between strongSwan and freeRADIUS is 1460, while eap-radius is trying to send packets of 1535 bytes.

I am using RSA certificates with 2048-bit keys. The only client having this problem is Windows; both macOS and iOS work fine.

I also tried ECDSA, which works because the certificates are much smaller. But since I have to support Windows 7, which doesn't support ECDSA client certificates, that's not an option.


So the questions are:

1. Why is the Access-Request for Windows much bigger than for other clients? Is it possible to reduce it by fiddling with some Windows client-side settings?

2. Is there any way to limit the maximum size of the Access-Request on the server side? Does eap-radius support fragmentation like the eap-tls plugin has?

charon.plugins.eap-tls.fragment_size    1024    Maximum size of an EAP-TLS packet.


Thanks in advance!

Frank


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
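An added example, not part of Frank's post or of strongSwan's code, that turns the symptom above into a check: it parses charon RADIUS debug lines of the kinds quoted (sending / "=> N bytes" / retransmit / timed out), pairs them by worker thread id, and flags Access-Requests whose IPv4/UDP datagram cannot cross a given path MTU without IP fragmentation. It assumes IPv4 without options (28 bytes of IP+UDP overhead) and treats the 1460 figure as the IP MTU; the log sample is constructed from the line formats in the post.

```python
import re
from typing import Dict, List

IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header without options + UDP header

# Constructed sample using the charon line formats quoted in the post: a 1535-byte
# Access-Request that is retransmitted and times out, then a small one that is not.
SAMPLE_LOG = """\
Aug 19 10:35:49 node01 charon: 11[CFG] sending RADIUS Access-Request to server '10.254.1.251'
Aug 19 10:35:49 node01 charon: 11[CFG] => 1535 bytes @ 0x7fbfd40066b0
Aug 19 10:35:51 node01 charon: 11[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Aug 19 10:35:54 node01 charon: 11[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Aug 19 10:35:57 node01 charon: 11[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Aug 19 10:36:03 node01 charon: 11[CFG] RADIUS Access-Request timed out after 4 attempts
Aug 19 10:36:10 node01 charon: 12[CFG] sending RADIUS Access-Request to server '10.254.1.251'
Aug 19 10:36:10 node01 charon: 12[CFG] => 312 bytes @ 0x7fbfd4007000
"""

# The worker thread id (e.g. "11") pairs a request with its later size/retransmit/timeout lines.
SEND_RE = re.compile(r"charon: (\d+)\[CFG\] sending RADIUS Access-Request to server '([^']+)'")
SIZE_RE = re.compile(r"charon: (\d+)\[CFG\] => (\d+) bytes @")
RETX_RE = re.compile(r"charon: (\d+)\[CFG\] retransmit (\d+) of RADIUS Access-Request")
TIMEOUT_RE = re.compile(r"charon: (\d+)\[CFG\] RADIUS Access-Request timed out after \d+ attempts")

def max_radius_payload(mtu: int) -> int:
    """Largest RADIUS datagram that crosses this IPv4 path MTU without IP fragmentation."""
    return mtu - IPV4_UDP_OVERHEAD

def parse_requests(log: str) -> List[dict]:
    """One record per Access-Request: thread, server, radius_bytes, retransmits, timed_out."""
    requests: List[dict] = []
    pending: Dict[str, dict] = {}  # thread id -> request still being tracked
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            req = {"thread": m[1], "server": m[2], "radius_bytes": 0,
                   "retransmits": 0, "timed_out": False}
            pending[m[1]] = req
            requests.append(req)
        elif (m := SIZE_RE.search(line)) and m[1] in pending:
            pending[m[1]]["radius_bytes"] = pending[m[1]]["radius_bytes"] or int(m[2])
        elif (m := RETX_RE.search(line)) and m[1] in pending:
            pending[m[1]]["retransmits"] = int(m[2])
        elif (m := TIMEOUT_RE.search(line)) and m[1] in pending:
            pending.pop(m[1])["timed_out"] = True
    return requests

def oversized_requests(log: str, mtu: int) -> List[dict]:
    """Requests whose IPv4/UDP datagram would exceed the path MTU (the 1535-byte case above)."""
    return [r for r in parse_requests(log) if r["radius_bytes"] > max_radius_payload(mtu)]
```

Running it over a real charon log (with the RADIUS debug level raised) shows whether every Access-Request that times out is also one that does not fit the MTU, which separates a fragmentation problem from an unreachable RADIUS server.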