I have a problem which is probably routing related, though I'm not entirely sure. Since the network setup is somewhat complex I will try to give as many details as I can.
Network Map:
OtherMerakiSubnets(10.1.12.0/24)--- SiteA(10.1.16.0/24) --- IPsecServerA(10.1.16.30)---IPsecServerB(10.100.1.1)---SiteB(10.100.1.0/24)
So first things first, the IPsec tunnel is working as it should. The tunnel is established and I can ping from SiteA to SiteB and vice versa. I have also created routes so traffic can go from SiteA to the extra subnets, and ping works there as well.
The other subnets include a Meraki network with access points and switches. These are configured to let users connect to their respective vlan via radius authentication.
Both SiteA and SiteB have a RADIUS server (Windows NPS), and although SiteA is able to receive traffic for the authentication process, SiteB is not (ping is working everywhere).
I have excluded the possibility of a firewall blocking the traffic, and any misconfiguration issue on the NPS server.
The ipsec tunnel has a single nat rule for masquerade on each side:
Code:
MASQUERADE all -- 10.1.16.0/24 10.100.1.0/24
or
MASQUERADE all -- 10.100.1.0/24 10.1.16.0/24
To reach the 10.1.16.0/24 network, the Meraki network goes through an SVI on a switch (10.1.16.1) and is then routed to IPsecServerA (10.1.16.30). To reach the 10.100.1.0/24 network it follows the same route as before, then reaches IPsecServerB (10.100.1.1) and is forwarded from there.
The routes on the two IPsecServers are:
Code:
IPsecServerA:
10.0.0.0/8 via 10.1.16.1 dev ens20
10.1.16.0/24 dev ens20 proto kernel scope link src 10.1.16.30
10.100.1.0/24 via 10.1.16.30 dev ens20 scope link
Code:
IPsecServerB:
10.0.0.0/8 via 10.100.1.1 dev ens19
10.1.16.0/24 via 10.100.1.1 dev ens19
10.100.1.0/24 dev ens19 proto kernel scope link src 10.100.1.1
The problem, as described above, is that although ICMP requests reach both RADIUS servers (10.1.16.17 and 10.100.1.101), authentication works for 10.1.16.17 but not for 10.100.1.101. In fact I do not see any logs of it ever receiving the traffic.
If I use netcat -u 10.100.1.101 1812 from inside the Meraki network (10.1.12.0/24) I can see the traffic in the NPS logs, but doing a test from the actual access points gives no logs whatsoever.
I hope I was clear on my issue. In case you require further information, I would be happy to provide it.
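As an added diagnostic (not part of the post above), the following script models the two MASQUERADE rules and the two routing tables quoted in the post and reports, for a given source and destination, which route each IPsec server would pick and whether its MASQUERADE rule matches the flow in each direction. The sample addresses (an access point at 10.1.12.50 and a SiteA host at 10.1.16.17, both sending to the SiteB NPS at 10.100.1.101) are assumptions chosen for illustration.

```python
import ipaddress

# Constructed from the post's two MASQUERADE rules: host -> (source net, destination net).
MASQ_RULES = {
    "IPsecServerA": ("10.1.16.0/24", "10.100.1.0/24"),
    "IPsecServerB": ("10.100.1.0/24", "10.1.16.0/24"),
}

# Routing tables as quoted in the post: (prefix, next hop); None means directly connected.
ROUTES = {
    "IPsecServerA": [("10.0.0.0/8", "10.1.16.1"),
                     ("10.1.16.0/24", None),
                     ("10.100.1.0/24", "10.1.16.30")],
    "IPsecServerB": [("10.0.0.0/8", "10.100.1.1"),
                     ("10.1.16.0/24", "10.100.1.1"),
                     ("10.100.1.0/24", None)],
}


def next_hop(host, dst):
    """Longest-prefix match over a host's routing table; returns (prefix, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in ROUTES[host]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return (str(best[0]), best[1]) if best else None


def masquerade_applies(host, src, dst):
    """True if the host's MASQUERADE rule matches this source/destination pair."""
    src_net, dst_net = (ipaddress.ip_network(n) for n in MASQ_RULES[host])
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net


def trace_flow(src, dst):
    """Evaluate the forward path (through A) and the reply path (through B) for one flow."""
    return {
        "forward_route_A": next_hop("IPsecServerA", dst),
        "forward_masq_A": masquerade_applies("IPsecServerA", src, dst),
        "reply_route_B": next_hop("IPsecServerB", src),
        "reply_masq_B": masquerade_applies("IPsecServerB", dst, src),
    }


if __name__ == "__main__":
    # Assumed sample sources: an AP in the Meraki subnet and a SiteA host, both to NPS at SiteB.
    for src in ("10.1.12.50", "10.1.16.17"):
        print(src, "-> 10.100.1.101:1812", trace_flow(src, "10.100.1.101"))
```

A source in 10.1.12.0/24 is routed toward the tunnel but is not matched by the quoted MASQUERADE rule, whereas a 10.1.16.0/24 source is; comparing that against the tunnel's traffic selectors and a packet capture on IPsecServerA is the next thing to check.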